CN101247395A - ISAPI access control system for Session ID fully transparent transmission - Google Patents


Info

Publication number
CN101247395A
Authority
CN
China
Prior art keywords
session
user
isapi
response message
access
Prior art date
Legal status
Granted
Application number
CNA2008100470552A
Other languages
Chinese (zh)
Other versions
CN101247395B (en)
Inventor
龙毅宏
张海松
唐志红
汪克炎
Current Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Science and Engineering WUSE
Wuhan University of Technology WUT
Original Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Priority date
Filing date
Publication date
Application filed by BEIJING ITRUSCHINA Co Ltd and Wuhan University of Technology WUT
Priority to CN2008100470552A
Publication of CN101247395A
Application granted
Publication of CN101247395B
Current legal status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to an ISAPI access control system with fully transparent Session ID transmission. It maintains user Sessions and transmits Session IDs without involving or modifying the Web system and without using cookies, and provides user identification and access control for Web applications on an IIS server. It consists of four components: an ISAPI access control filter, a Session maintenance engine, an authorization decision engine, and an identity and privilege management system. The invention solves the key technical problems that arise when the ISAPI access control filter rewrites response messages to add Session ID information to URL links, such as passing related information between filter callback functions and correctly modifying the length indications in response message data blocks.

Description

An ISAPI access control system with fully transparent Session ID transmission
Technical field
The invention belongs to the field of network information security. It is an access control system based on an ISAPI filter that provides access control for Web applications deployed on an IIS server in a way that is transparent to the Web application system; in particular, it realizes transparent transmission of the Session ID without depending on the Web system (Web container or Web application) and without using cookies.
Background technology
For many Web application service systems deployed on the Internet, user authentication (Authentication) and access control (Access Control) are indispensable security functions. Authentication means establishing who the other party is, i.e. confirming that the other party is the person (or entity) it claims to be. Access control means deciding online, according to the user's privileges and the access control policy, whether the user is allowed to access a certain resource and perform the related operation; such resources may be hosts, system directories, files, or a certain service function such as a transaction or a payment. Access control is also called authorization (Authorization) and comprises three parts: privilege management (Privilege Management), authorization decision (Authorization Decision) and authorization enforcement (Authorization Enforcement). Authentication and access control are closely related.
For many Web application systems that have already been deployed, the following situation may arise: access control was not considered at the beginning of system development, or the access control that was implemented is incomplete, and the access control function now needs to be added or improved. The required access control function can of course be realized by modifying the application system, but this approach has the following problems:
(1) the amount of modification may be very large, one change pulling in many others, possibly affecting the whole system;
(2) modification and development costs are high;
(3) the original system's development documents and developers may no longer be available, and the system may be very complex;
(4) application systems built on different Web technologies, such as ASP, ASP.NET, JSP/Servlet, CGI, PHP and so on, each need a different implementation method;
(5) service may have to be stopped for a long time, which is not permitted in many situations.
Access control technology based on an ISAPI filter, which can add the required access control function without modifying the Web application system, is therefore of very high practical value.
ISAPI (Internet Server Application Programming Interface) is an API standard on Microsoft's IIS (Internet Information Server) Web server. A DLL based on ISAPI is loaded by the Web server program into the Web server's own process and shares its address space. ISAPI DLLs are further divided into two classes: extensions (extension) and filters (filter).
An ISAPI filter (also called a plug-in) can intercept and process requests at the different stages of an HTTP request, between the client browser and the Web server's network connection. ISAPI identifies the different stages of an HTTP request with different event identifiers; by registering for the corresponding event notifications, such as SF_NOTIFY_PREPROC_HEADERS (preprocess headers) and SF_NOTIFY_SEND_RAW_DATA (send raw data), a filter has the Web server call its event-handling callback functions at those stages, so that it can process the HTTP request or response: read data from the HTTP request, process headers (Header), authenticate the user, modify the URL, return data, write logs, and so on.
An ISAPI filter has two entry callback functions, the registration function GetFilterVersion() and the filter processing function HttpFilterProc(), whose interfaces are defined as follows:
BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer);
DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD NotificationType, LPVOID pvNotification);
PHTTP_FILTER_VERSION and PHTTP_FILTER_CONTEXT are defined by ISAPI.
Of these two entry functions, the former is called when the Web server initializes; it returns the ISAPI version number supported by the filter and registers each event notification to be processed. The latter is responsible for handling the series of triggered event notifications. Usually, for each triggered event notification, HttpFilterProc() calls a corresponding callback function to handle it: for example, the SF_NOTIFY_PREPROC_HEADERS event notification is handled by calling the callback function OnPreprocHeaders(), the SF_NOTIFY_SEND_RAW_DATA event notification by calling OnSendRawData(), and the SF_NOTIFY_END_OF_NET_SESSION event notification by calling OnEndOfNetSession().
Using these functional characteristics of ISAPI filters, an ISAPI access control filter can be developed that performs user authentication and access control, and further functional modules (such as a privilege management system) can be built on top of it to form a complete access control system based on the ISAPI filter.
For an access control system based on the ISAPI filter to realize its function, it needs to maintain the user's online state information, such as the user's identity ID, group ID and number of accesses, and to be able to identify and track each user online and associate the user with his state information. In Web technology, a user's online state information is called a Session, and each user's state information is generally kept in a Session object; at the same time, each online user is assigned a temporary Session ID (Session identifier), used to identify and distinguish different users and to associate each user with his Session object. The process of producing and managing a Session object and a Session ID for each online user is called Session maintenance.
For an access control system based on the ISAPI filter to work, Session maintenance alone is not enough: the user's Session ID must also be sent to the client browser in some way, such that the browser includes this user's Session ID in the request every time it submits an HTTP service request, so that the ISAPI access control filter can identify and distinguish different users and associate each user with his Session object. This process of sending the Session ID to the client and having the browser include the Session ID in every request it submits is called Session ID transmission.
There are two available approaches for an access control system based on the ISAPI filter to realize Session maintenance and Session ID transmission. The first is to depend on the Web system (application system or Web container) to maintain Sessions and transmit Session IDs, and then have the ISAPI access control filter track and identify users from those. The second is for the access control system itself to maintain Sessions and transmit Session IDs. The first approach requires, in practice, coupling and cooperation between the ISAPI filter based access control system and the application system, which is inconvenient in some cases or even infeasible; in other words, with this approach the Web system and the access control system cannot be fully transparent to each other. For the second approach, the key is how to realize Session ID transmission.
The Session ID transmission mechanisms commonly used in Web technology at present are cookies and URL rewriting. The cookie mechanism is simple: when responding to a user's HTTP request, the Web system (application system or Web container) only needs to set the user's Session ID as a cookie through the Set-Cookie header. Its shortcoming is that it does not work when the client browser disables cookies, i.e. it is not fully transparent to the client. URL rewriting means that the Web system rewrites the URL links in the HTTP response content that point to the local server, adding or extending the query string so that it contains information of the form ?...SessionID=XXXXX..., where XXXXX is the user's Session ID value (the query string is extended when the original URL already has one).
Session ID transmission in an access control system based on the ISAPI filter can use either cookies or URL rewriting. Using cookies has the problem mentioned above that it is not fully transparent to the client and can be disabled. URL rewriting, i.e. having the ISAPI access control filter intercept the response message and rewrite the URL links in the response content that point to the local server, involves some technical difficulties. However, transmitting the Session ID by URL rewriting has a unique advantage: it is fully transparent to both the Web application system and the client, neither depending on the Web application system nor being affected by the client browser disabling cookies.
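The URL rewriting step that the paragraph above describes, as an added C example (not code from the patent): it appends ?SessionID=XXXXX to links that point to the local server and extends an existing query string with &SessionID=XXXXX, leaving absolute and external links untouched. The function names, the attribute set handled (lowercase, double-quoted href and src) and the sample HTML are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does this link point back to the local server? Links with a scheme
   ("http://", "mailto:", "javascript:"), protocol-relative "//host" links
   and bare fragments are left alone. */
static int is_local_url(const char *url, size_t len)
{
    if (len == 0 || url[0] == '#') return 0;
    if (len >= 2 && url[0] == '/' && url[1] == '/') return 0;
    for (size_t i = 0; i < len; i++) {
        if (url[i] == ':') return 0;
        if (url[i] == '/' || url[i] == '?' || url[i] == '#') break;
    }
    return 1;
}

/* Add SessionID=sid to one URL: "?SessionID=" when the URL has no query
   string, "&SessionID=" when it already has one (the "extend the query
   string" case). A fragment, if any, stays at the end.
   Returns the bytes written to out, or -1 if outcap is too small. */
static int add_session_id(const char *url, size_t len, const char *sid,
                          char *out, size_t outcap)
{
    const char *hash = memchr(url, '#', len);
    size_t base = hash ? (size_t)(hash - url) : len;
    char sep = memchr(url, '?', base) ? '&' : '?';
    int n = snprintf(out, outcap, "%.*s%cSessionID=%s%.*s",
                     (int)base, url, sep, sid, (int)(len - base), url + base);
    return (n < 0 || (size_t)n >= outcap) ? -1 : n;
}

/* Rewrite every local href="..." and src="..." in an HTML fragment.
   Assumption: lowercase attribute names and double-quoted values.
   Returns a malloc'd string the caller frees, or NULL on failure. */
char *rewrite_local_links(const char *html, const char *sid)
{
    static const char *attrs[] = { "href=\"", "src=\"" };
    size_t len = strlen(html), grow = 12 + strlen(sid), count = 0, cap, o = 0;
    for (size_t i = 0; i + 1 < len; i++)          /* upper bound on rewrites */
        if (html[i] == '=' && html[i + 1] == '"') count++;
    cap = len + count * grow + 1;
    char *out = malloc(cap);
    if (!out) return NULL;
    const char *p = html;
    while (*p) {
        size_t alen = 0;
        for (int a = 0; a < 2; a++)
            if (strncmp(p, attrs[a], strlen(attrs[a])) == 0) { alen = strlen(attrs[a]); break; }
        if (!alen) { out[o++] = *p++; continue; }
        memcpy(out + o, p, alen); o += alen; p += alen;
        const char *end = strchr(p, '"');
        if (!end) break;                           /* unterminated: copy rest verbatim */
        size_t ulen = (size_t)(end - p);
        if (is_local_url(p, ulen)) {
            int n = add_session_id(p, ulen, sid, out + o, cap - o);
            if (n < 0) { free(out); return NULL; }
            o += (size_t)n;
        } else {
            memcpy(out + o, p, ulen); o += ulen;
        }
        p = end;                                   /* closing quote is copied next round */
    }
    size_t rest = strlen(p);
    memcpy(out + o, p, rest); o += rest;
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample response fragment and constructed Session ID */
    const char *page = "<a href=\"/app/list.asp?p=2\">next</a> "
                       "<a href=\"http://example.com/\">out</a> "
                       "<img src=\"img/logo.gif\">";
    char *r = rewrite_local_links(page, "ABC123");
    if (r) { puts(r); free(r); }
    return 0;
}
```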
Summary of the invention
The purpose of this invention is to provide an ISAPI access control system with a fully transparent Session ID transmission mechanism. Based on ISAPI filter technology, it provides access control for Web applications deployed on an IIS server in a way that is completely transparent to both the Web application system and the client browser. The invention solves the key technical problems that exist when the ISAPI access control filter transmits the Session ID by URL rewriting.
The ISAPI access control system of the present invention comprises the following four parts:
ISAPI access control filter (filter for short): an ISAPI filter DLL loaded by the IIS server, located between the user client (browser) and the Web application system, responsible for user authentication and access control authorization enforcement. When a user accesses a Web application system deployed on the IIS server through a browser, the filter intercepts the user request and, by analyzing and processing the request information, performs user authentication and access control. When the Web server returns the response result, the filter intercepts the response message again and adds the user's Session ID by rewriting the URL links in the response message that point to the local server, thereby realizing transparent transmission of the user's Session ID.
Session maintenance engine: responsible for creating a Session object that holds state for each user accessing the Web service online, producing the corresponding Session ID, obtaining the user's identity information from the identity and privilege management system to fill the Session object, saving other user state information in the Session object, providing queries of Session information and identity information, deleting timed-out Session objects, and so on;
Authorization decision engine: makes authorization decisions on the user's requests to access resources, according to the user's identity and privilege information and the resource access control policy;
Identity and privilege management system: stores and maintains user identity information, sets the access control policy for resources, and provides query services for user identity information and access control policy information.
Among the above, the ISAPI access control filter is the core of the present invention, and the Session ID transmission method is its key technology.
The workflow of the access control system of the present invention is as follows:
A1. The user accesses the Web application system deployed on the IIS server;
A2. The ISAPI access control filter responds to the SF_NOTIFY_PREPROC_HEADERS event notification, intercepts the header of the HTTP request, and determines the user category according to whether the request URL contains a valid Session ID, whether the request contains identity authentication information, and where the current URL points;
A3. For an unauthenticated user, i.e. a user logging into the Web application system for the first time, the ISAPI access control filter enters the user login process;
A4. For a user awaiting authentication, i.e. a user who is not yet authenticated but has just submitted identity authentication information through the login page, the ISAPI access control filter enters user authentication processing;
A5. For an authenticated user, the ISAPI access control filter requests the authorization decision engine to make an authorization decision; the request carries the user's Session ID, the URL of the resource to be accessed, and the access method;
A6. For the authorization decision request submitted by the ISAPI access control filter, the authorization decision engine queries the Session maintenance engine for whether a Session object corresponding to the Session ID exists. If not, it returns "deny" and indicates the denial reason "unauthenticated user". If so, the authorization decision engine further decides, according to the user identity information obtained from the Session maintenance engine and the access control policy obtained from the identity and privilege management system, whether the user is allowed to access the resource and perform the operation, and returns the result "allow" or "deny" to the ISAPI access control filter; if the result is a denial, it also indicates the reason, such as "user awaiting authentication", "no corresponding privilege", or "resource does not exist".
A7. After receiving the authorization decision result, the ISAPI access control filter further processes the user's HTTP request according to the result. If the result is allow, the ISAPI access control filter directly modifies the URL in the HTTP request, removing the Session ID information it contains, and then exits. Otherwise the ISAPI access control filter proceeds according to the denial reason: if the reason is "unauthenticated user", go to A3; if the reason is "user awaiting authentication", direct the user to the login page; if the reason is that the user has no privilege or similar, direct the user to the corresponding error page and then exit.
A8. After the ISAPI access control filter has processed the HTTP request, the IIS server submits it to the Web application system, which completes processing of the user request and returns the response result.
A9. When the HTTP response result is returned, the ISAPI access control filter responds to the SF_NOTIFY_SEND_RAW_DATA event notification, intercepts the response result, and adds the user's Session ID information by rewriting the URL links in the response content that point to the local server.
A10. After the application service system has finished sending the response result, the ISAPI access control filter responds to the SF_NOTIFY_END_OF_NET_SESSION event notification, performs no processing, and exits immediately.
In above-mentioned A2 step, the ISAPI access-control filter is checked the SessionID information in the HTTP request, and judges that in view of the above the process of class of subscriber is as follows:
A21. check in the HTTP request whether comprise Session ID,
A22. if do not comprise Session ID in the HTTP request, then class of subscriber is not for differentiating the user;
A23. if comprise, judge further then whether the URL of this HTTP request points to login page (the login page),
If A24., judge that then the user such as is at user to be identified;
A25. if not, then (tentatively) judges that the user has differentiated the user.
The user login process in step A3 above is as follows:
A31. The ISAPI access control filter requests the Session maintenance engine to create a Session object for the user; the request carries the URL the user is currently accessing (if this URL is the login page URL itself, the URL is empty);
A32. On receiving the request to create a Session object, the Session maintenance engine creates the Session object, produces the corresponding Session ID, saves the URL from the request in the Session object as the URL history (if the URL is empty, the default page is saved), and returns the Session ID;
A33. On receiving the Session ID, the ISAPI access control filter directs the user to the login page and then exits.
The user authentication processing performed by the ISAPI access control filter in step A4 above is as follows:
A41. Check whether the HTTP request contains identity authentication information;
A42. If the request contains no identity authentication information, direct the user to the login page and then exit;
A43. If the request contains identity authentication information, i.e. user ID/password information, obtain the relevant information from the identity and privilege management system to verify whether the user ID and password are correct (for authentication based on dynamic passwords, verification is delegated to the authentication server);
A44. If verification fails, direct the user to the corresponding error page and then exit;
A45. If verification passes, request the Session maintenance engine to update the user's Session object; the request carries the Session ID and the user ID;
A46. On receiving the request to update the Session object, the Session maintenance engine obtains the user's related information (such as the user's groups, roles and other user attributes) from the identity and privilege management system, fills the user ID, user group IDs, user roles and other information into the Session object, and then notifies the ISAPI access control filter of the update result, "success" or "failure"; on failure it gives the reason, such as failure to obtain the user information;
A47. The ISAPI access control filter obtains the update result from the Session maintenance engine;
A48. If the Session object was updated successfully, the ISAPI access control filter further obtains the saved user URL history (taken from the Session object) from the Session maintenance engine, rewrites the current URL in the user's HTTP request to the historical URL, and then goes to A5;
A49. If updating the Session object failed, the ISAPI access control filter directs the user to the corresponding error page and then exits.
In step A6, if the authorization decision engine cannot find, from the Session maintenance engine, a Session object corresponding to the Session ID in the authorization decision request, this means that the Session ID in the request either has had its corresponding Session object deleted because of timeout, or is a forged Session ID with no corresponding Session object at all; therefore the user's identity needs to be authenticated again. Further, even if a corresponding Session object is found but the Session object is empty, i.e. not filled with the relevant information, then although the user is not logging in for the first time, authentication has not yet been completed.
In the course of the filter processing the HTTP request as above, the user may need to be directed to the authentication page or an error page; however, after the user completes authentication or clicks through the error page prompt, the filter should direct the user back to the page initially visited. For this reason, in the present invention, when the ISAPI access control filter needs to direct the user to the authentication or error page during HTTP request processing, it first requests the Session maintenance engine to save the user's current URL, and later, at the appropriate time (such as after user authentication is completed), obtains the saved URL history from the Session maintenance engine and directs the user back to the page initially visited.
As can be seen from the introduction above, maintenance of Session objects and generation of Session IDs are handled by the Session maintenance engine as an independent process, and the Session ID is delivered to the client by the ISAPI access control filter intercepting the HTTP response, rewriting all URL links in the response content that point to the local server, and adding the Session ID information to those URL links. Transmitting the Session ID in this way avoids the problems of the cookie mechanism and of URL rewriting by the Web system (being disabled, dependence), and is completely transparent to and independent of the client browser and the Web application.
However, for the ISAPI access control filter to rewrite URLs, the following two key technical problems must be solved:
(C1) When the filter intercepts the HTTP response result and rewrites the URLs in the response, it needs to know this user's Session ID, but the filter callback function only knows this user's Session ID while handling the HTTP request (for a non-first-login user, the filter obtains the Session ID from the URL of the intercepted HTTP request; for a first-login user, the filter obtains the newly produced Session ID for this user from the Session maintenance engine). The filter callback function's invocation during HTTP request processing and its invocation during HTTP response processing are two independent calls, and the Session ID cannot be passed directly between the two calls.
(C2) When the filter intercepts the HTTP response result and rewrites the URLs in the response message content, it needs to correctly modify the data transfer length indication (transfer-length) of the response message body (message body), and this is very difficult to realize technically.
The solution of the present invention to key technical problem (C1) above is to use the pFilterContext pointer contained in the HTTP_FILTER_CONTEXT structure parameter that the IIS server passes to the ISAPI filter callback functions, in order to pass information (including but not limited to the Session ID information) between the callback functions invoked during one HTTP request. Here pFilterContext is a void pointer and can point to any data structure through type conversion. In the present invention pFilterContext points to a data structure variable containing the following information:
(1) a Session ID field;
(2) a count of response message blocks received;
(3) a flag field indicating whether the response message uses chunked transfer encoding;
(4) a data length field for the response message body;
(5) a field for the accumulated length of response message body data received so far.
Accordingly, the concrete method for passing the Session ID between callback functions is as follows:
C11. When the ISAPI access control filter intercepts the HTTP request, the filter callback function, after finishing the relevant processing and before exiting, stores the user's Session ID in the "Session ID" field of this structure variable, sets the other fields, and then makes pFilterContext point to this structure variable. (The purpose and setting of the other fields are explained below.)
C12. When the ISAPI access control filter intercepts the HTTP response message, the filter callback function takes the Session ID value from the "Session ID" field of the structure variable passed to it.
Key technical problem (C2) above needs emphasis. A Web system (Web container or application) generates and transfer-encodes a response message body (message body) in one of two ways. In the first, the whole response message body is generated and encoded at once; in this case the response message header contains a Content-Length header field whose corresponding hexadecimal value is the data transfer length indication of the response message body. In the second, the response message body is generated and encoded block by block, each block being called a chunk; this is called chunked transfer-coding, and in this case the response message header contains a Transfer-Encoding: chunked header field indicating that the response message body uses chunked transfer encoding, and each message block (chunk) has its own independent length indication giving the transfer length of that response message data block. Whichever transfer encoding is used, the browser relies on the relevant data transfer length indications to receive the data correctly.
Rewriting the URL links in the response message by the ISAPI access control filter changes the byte count of the message body (body) or message body block (chunk), so the corresponding transfer length indication must be modified correctly. For chunked transfer encoding this is relatively easy for the filter, because the ISAPI filter callback function responding to the SF_NOTIFY_SEND_RAW_DATA event notification intercepts each response message block (chunk) in turn, and since each block has its own independent length indication, if a certain block (chunk) is changed only the length indication of that block needs to be modified (in practice this process is also quite troublesome). For non-chunked transfer encoding, however, the problem is more complex: although the response message body is generated and encoded by the Web system at once, the IIS server still transmits the whole response message in blocks (block), so the ISAPI access control filter callback function still intercepts each response message data block (block) in turn, and apart from the first block, which contains the Content-Length length indication, the later blocks have no length indication of their own. Therefore, after the content of a later data block has been modified, the Content-Length indication in the first block would have to be modified correspondingly, but this is impossible because by then the first block has already been transmitted. One solution is for the ISAPI filter to accumulate all response message data blocks (block) of a response under non-chunked transfer encoding and, after finishing modification of the whole message body content, modify the Content-Length indication of the whole message and then return the whole response message to the IIS server for transmission (until then the callback function retains the data and returns empty data). The drawbacks are that, on the one hand, this is very complex to implement, especially considering the related work in a multithreaded environment, and on the other hand it consumes a great deal of memory and computing resources, reduces response speed and affects system performance.
The solution steps of the present invention to key technical problem (C2) above are:
C21. For a response message using chunked transfer encoding, the ISAPI access control filter callback function intercepts each response message body block (chunk) in turn; if URL rewriting changed a certain block (chunk), the callback function directly modifies the length indication of that block (chunk).
C22. For a response message using non-chunked transfer encoding, the ISAPI access control filter callback function converts each intercepted response message data block (block) into a response message block under chunked transfer encoding, by the following concrete steps:
C221. If the received response message data block is the first data block of this response message (which is a response message data block containing only the header), delete its Content-Length field and then add a Transfer-Encoding: chunked header field;
C222. For each subsequently received data block (block), the filter callback function, after finishing URL rewriting, adds a length indication in front of it, turning it into a message block (chunk) under chunked transfer encoding;
C223. For the last received response message data block, in addition to completing step C222, a chunk end marker (the character 0 followed by an empty line) is also added after the data block.
Performing URL rewriting and modifying the data transfer length with the above method is not only easy to implement but also uses few resources, processes quickly, and performs well.
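Steps C21 and C221 to C223 as an added C example that is not part of the patent: header_to_chunked() performs C221 on the header block, block_to_chunk() performs C222/C223 on a body block, and fix_chunk_length() performs C21 on a chunk whose data has already been rewritten. It works on plain byte buffers rather than the ISAPI callback parameters, and all function names and sample data are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* case-insensitive "does s start with prefix", for header field names */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* C221: the first block of a non-chunked response carries only the header.
   Copy it to out, dropping the Content-Length line and adding
   Transfer-Encoding: chunked before the blank line that ends the header.
   Returns the new header length, or -1 if the block has no terminating blank
   line or outcap is too small. */
int header_to_chunked(const char *hdr, char *out, size_t outcap)
{
    static const char te[] = "Transfer-Encoding: chunked\r\n\r\n";
    size_t o = 0;
    const char *p = hdr;
    for (;;) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) return -1;
        size_t linelen = (size_t)(eol - p) + 2;
        if (linelen == 2) {                       /* blank line: end of header */
            if (o + sizeof te > outcap) return -1;
            memcpy(out + o, te, sizeof te);       /* sizeof includes the NUL */
            return (int)(o + sizeof te - 1);
        }
        if (!starts_with_ci(p, "Content-Length:")) {
            if (o + linelen >= outcap) return -1;
            memcpy(out + o, p, linelen);
            o += linelen;
        }
        p = eol + 2;
    }
}

/* C222/C223: turn a (possibly URL-rewritten) body block into one chunk,
   "<hex length>\r\n<data>\r\n", and append the "0\r\n\r\n" end marker when
   this is the last block of the response. Returns bytes written or -1. */
int block_to_chunk(const unsigned char *data, size_t len, int last,
                   unsigned char *out, size_t outcap)
{
    char size_line[32];
    int slen = snprintf(size_line, sizeof size_line, "%zx\r\n", len);
    const char *tail = last ? "\r\n0\r\n\r\n" : "\r\n";
    size_t need = (size_t)slen + len + strlen(tail);
    if (need >= outcap) return -1;
    memcpy(out, size_line, (size_t)slen);
    memcpy(out + slen, data, len);
    memcpy(out + slen + len, tail, strlen(tail));
    out[need] = '\0';
    return (int)need;
}

/* Parse the size line of an existing chunk ("1a\r\n" or "1a;ext\r\n").
   Returns the declared data length and stores the size-line length in
   *hdrlen, or -1 if the size line is malformed. */
long parse_chunk_size(const unsigned char *chunk, size_t clen, size_t *hdrlen)
{
    size_t i = 0, size = 0;
    int digits = 0;
    for (; i < clen; i++) {
        unsigned char c = chunk[i];
        int v;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else break;
        size = size * 16 + (size_t)v;
        digits++;
    }
    if (!digits) return -1;
    while (i < clen && chunk[i] != '\r') i++;     /* skip any chunk extension */
    if (i + 1 >= clen || chunk[i + 1] != '\n') return -1;
    *hdrlen = i + 2;
    return (long)size;
}

/* C21: a chunked response's block whose data was changed by URL rewriting.
   Validates the original chunk framing, then re-emits the new data with a
   corrected length indication. Returns bytes written or -1 on malformed input. */
int fix_chunk_length(const unsigned char *chunk, size_t clen,
                     const unsigned char *newdata, size_t newlen,
                     unsigned char *out, size_t outcap)
{
    size_t hdrlen;
    long size = parse_chunk_size(chunk, clen, &hdrlen);
    if (size < 0 || hdrlen + (size_t)size + 2 != clen) return -1;
    if (memcmp(chunk + clen - 2, "\r\n", 2) != 0) return -1;
    return block_to_chunk(newdata, newlen, 0, out, outcap);
}
```

A filter that takes this route must also stop the header block from leaving with its original Content-Length, which is why C221 acts on the first block before anything is sent.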
Adopt the method among the present invention to carry out the URL rewriting, indication is made amendment to the transmission data length, also needs to solve several problems:
(D1) how to identify which response message data block be to comprise first data block (chunk or block) that responds head to the ISAPI filter call back function of interception response message, and which is not comprise the subsequent data blocks that responds head.
(D2) for follow-up, do not comprise the data block that responds head, how the ISAPI filter call back function of interception response knows that the transfer encoding mode of this data block correspondence is chunked, also right and wrong chunked.
(D3) for non-chunked transfer encoding mode, how ISAPI filter call back function judges that the response message data block of reception is last data block.
The present invention is that data structure variable above-mentioned by utilizing, transmit information between call back function is realized (being the structure variable of the pFilterContext indication introduced previously) to these three ways to solve the problem." having received a response message block count " field is arranged in this structure, record the number of the response data piece that this secondary response so far received; A Boolean type field " response message is a chunked transfer encoding sign ", being used for identifying this secondary response is chunked transfer encoding mode (TRUE), also right and wrong chunked (FALSE); " data length of a response message main body " field is used for depositing the transmission data length of response message main body under non-chunked transfer encoding mode, promptly deposits the corresponding Length Indication of Content-Length topic head; " the response message body data length that accumulative total has received " field is used under non-chunked transfer encoding mode the total length of the response message body data that up to the present this secondary response of bulk registration has received.
Using the above data structure for passing information, the present invention solves problem (D1) as follows:
D11. When the filter callback that intercepts the HTTP request has finished its processing and before it exits, it sets the "received response block count" field in the structure for passing information between callbacks to zero.
D12. When the filter callback of step A9 intercepts HTTP response data, for every HTTP response data block intercepted it first adds 1 to the "received response block count" field in the data structure variable for passing information between callbacks; if the result after adding 1 is 1, the currently intercepted HTTP response data block is the first data block, the one containing the HTTP response header; otherwise it is a subsequent data block.
The solution of the present invention to problem (D2) is:
D21. If the ISAPI filter callback of step A9 determines by the method of D12 that the intercepted response data block is the first data block, the filter callback next checks whether this first response data block contains a Transfer-Encoding: chunked header field; if it does, it sets the "response is chunked transfer encoding flag" field in the data structure for passing information between callbacks to TRUE, otherwise to FALSE.
D22. If the ISAPI filter callback of step A9 determines by the method of D12 that this data block is not the first response data block, the filter callback learns from the "response is chunked transfer encoding flag" field in the data structure for passing information between callbacks whether the transfer encoding of the current response is chunked (the flag field is TRUE) or non-chunked (the flag field is FALSE).
The solution of the present invention to problem (D3) is:
D31. When the ISAPI filter executing A9 intercepts the first response data block (the block containing the response header) and determines by D21 that the response is in non-chunked transfer encoding, besides setting the "response is chunked transfer encoding flag" field to FALSE, it also extracts the length indication value of the response body from the Content-Length header field of the response data block, sets the "response body data length" field in the structure for passing information between callbacks to that length indication value, and then sets the "accumulated response body data length received" field to zero.
D32. When the ISAPI filter executing A9 intercepts a subsequent response data block (a response body data block) and finds that the "response is chunked transfer encoding flag" field in the structure variable for passing information between callbacks is FALSE, i.e. the response is in non-chunked transfer encoding, it adds the length (before URL rewriting) of the currently received response data block to the "accumulated response body data length received" field of that structure variable and updates the field; if after the update this field equals the "response body data length" field in the structure variable, the current response data block is the last data block.
This concludes the content of the present invention. The access control system of the present invention effectively solves the key technical problems of transmitting the user Session ID without the participation of the Web system (application system or Web container) and without using cookies: passing the user Session ID between the filter callback that intercepts the HTTP request and the filter callback that intercepts the HTTP response, and correctly revising the transfer data length indication of a response data block after rewriting its URL links to add the Session ID. The advantage of the Session ID transmission mechanism of the present invention is that it is fully transparent to both the application system and the client.
Besides being fully transparent to the Web application system and the client, the access control system of the present invention has the following further advantages or characteristics:
(1) Service interruption is very brief: only the Web server needs to be restarted, which can be done at night when there are few users, so the impact on service is very small;
(2) It applies to application systems built with different Web development technologies, such as ASP, ASP.NET, JSP/Servlet, CGI, PHP, etc.;
(3) The method is simple, convenient to implement, integrates seamlessly with applications, is easy to maintain and update, and upgrades quickly and conveniently.
Description of drawings
Fig. 1 is the overall system structure diagram of the present invention.
Fig. 2 is the identity and rights management system diagram of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
The overall structure of the system involved in the present invention is shown in Figure 1. The parts that make up the access control system of the present invention are: the ISAPI access-control filter S11, the Session maintenance engine S12, the authorization decision engine S13, and the identity and rights management system S14. Since the ISAPI access-control filter is the core of the present invention, the description focuses on its implementation. In the following, for brevity and where no misunderstanding can arise, an ellipsis ... stands for the parameters passed to a function.
1) ISAPI access-control filter
The ISAPI access-control filter is a filter dynamic link library (DLL) based on ISAPI. One implementation is to write it in VC++, extending the MFC ISAPI implementation class CHttpFilter and overriding the following virtual functions of CHttpFilter:
(1) GetFilterVersion(PHTTP_FILTER_VERSION pVer), which registers the callbacks;
(2) OnPreprocHeaders(CHttpFilterContext* pCtxt, PHTTP_FILTER_PREPROC_HEADERS pHeaderInfo), the callback responding to the SF_NOTIFY_PREPROC_HEADERS (pre-process headers notification) event;
(3) OnSendRawData(CHttpFilterContext* pCtxt, PHTTP_FILTER_RAW_DATA pRawData), the callback responding to the SF_NOTIFY_SEND_RAW_DATA (send raw data notification) event;
(4) OnEndOfNetSession(CHttpFilterContext* pCtxt), the callback responding to the SF_NOTIFY_END_OF_NET_SESSION (end of network session notification) event.
These callbacks are not in fact called directly by the IIS server; rather, the ISAPI filter entry functions that are ultimately generated, GetFilterVersion(...) and HttpFilterProc(...) (see the background introduction), call them to handle the corresponding trigger events. Here PHTTP_FILTER_VERSION is a pointer to the HTTP_FILTER_VERSION structure, PHTTP_FILTER_PREPROC_HEADERS is a pointer to the HTTP_FILTER_PREPROC_HEADERS structure, PHTTP_FILTER_RAW_DATA is a pointer to the HTTP_FILTER_RAW_DATA structure, CHttpFilterContext is a structure pointer for passing the filter context, and SF_NOTIFY_PREPROC_HEADERS, SF_NOTIFY_SEND_RAW_DATA and SF_NOTIFY_END_OF_NET_SESSION are constants.
The above structures, structure pointers and constants are defined by the ISAPI-related classes of MFC.
The ISAPI access-control filter DLL containing the above callbacks is configured into the IIS server through the IIS server's configuration program, and the DLL is loaded when the IIS server starts. In the present invention, the filter's interception and processing of HTTP requests only needs to intercept and process the HTTP request headers, so for requests only the pre-process request headers event notification is registered.
The concrete implementation of the above callbacks of the ISAPI access-control filter (i.e. the corresponding virtual functions of the CHttpFilter class) is described below.
A. GetFilterVersion(PHTTP_FILTER_VERSION pVer)
The implementation of GetFilterVersion(...) is simple: when the IIS server starts it loads the DLL and then calls the GetFilterVersion(...) callback, which performs the following functions (see the ISAPI specification):
(1) returns the version number;
(2) registers the SF_NOTIFY_PREPROC_HEADERS, SF_NOTIFY_SEND_RAW_DATA and SF_NOTIFY_END_OF_NET_SESSION event notifications.
B. OnPreprocHeaders(CHttpFilterContext* pCtxt, PHTTP_FILTER_PREPROC_HEADERS pHeaderInfo)
OnPreprocHeaders(...) is triggered and called when the IIS server pre-processes the HTTP request headers; it performs the following functions:
(1) determining the user class;
(2) initiating creation of the user Session;
(3) saving and obtaining the user's URL history;
(4) authenticating the user's identity;
(5) initiating update of the user Session;
(6) initiating the authorization decision request;
(7) enforcing the authorization;
(8) redirecting the HTTP request URL;
(9) passing information such as the user Session ID to the callback that processes the response.
OnPreprocHeaders(...) implements workflow steps A2-A5 and A7 of the summary of the invention, A21-A25, A31 and A33, A41-A45 and A47-A49, and key technical problems (C1) (step C11) and (D1) (step D11). The concrete implementation is described below:
OnPreprocHeaders(...) obtains the HTTP request header information from the structure pointed to by the pointer pHeaderInfo that the IIS server passes to it, and then determines the user class by parsing the URL in the HTTP request header. If the URL does not contain a query string of the pattern ?...SessionID=XXXXX..., the user is taken to be an unauthenticated user; here the string SessionID (other strings may be used) denotes the user Session ID information and the string XXXXX denotes the value of the Session ID. If the URL does contain such a query string, it is further checked whether the URL points to the login page: if so, the user is taken to be a user awaiting authentication; otherwise the user is taken to be an authenticated user (forged and expired Session IDs are detected at authorization decision time). (This implementation process corresponds to A2 and A21-A25 of the workflow.)
Next, for an unauthenticated user, OnPreprocHeaders(...) requests the Session maintenance engine to create a Session object for the user; the request includes the user's current URL (if the current URL is the login page, the URL is empty). The Session maintenance engine returns a result after creating the Session object, and the result contains the Session ID value corresponding to the user's Session object. After OnPreprocHeaders(...) receives the Session ID, it directly modifies the URL of the HTTP request header by calling the pHeaderInfo->SetHeader(...) function so that it points to the login page, and then exits. (This implementation process corresponds to A3, A31 and A33 of the workflow.)
For a user awaiting authentication, OnPreprocHeaders(...) further checks whether the request contains identity authentication information. Concretely, it checks whether the URL of the HTTP request contains a query string of the pattern ?...UserID=YYYYY&Password=ZZZZZ..., where the strings YYYYY and ZZZZZ are the values of UserID (the user identifier) and Password. Note that the concrete Name of each Name/Value pair is unimportant and may be chosen freely according to circumstances.
If the request contains identity authentication information, OnPreprocHeaders(...) authenticates the user. For username/password authentication, OnPreprocHeaders(...) obtains the relevant user information from the identity and rights management system and completes the password verification; for dynamic-password authentication, OnPreprocHeaders(...) verifies the user's validity with the dynamic password verification service.
For a user whose authentication fails, OnPreprocHeaders(...) directly modifies the URL in the HTTP request by calling pHeaderInfo->SetHeader(...) to direct the user to an error page, and then returns. For a user whose authentication passes, OnPreprocHeaders(...) requests the Session maintenance engine to update the user's Session object, with the user identifier (UserID) in the request; the Session maintenance engine obtains the user identity information from the identity and rights system, updates the Session object, and returns the update result, "success" or "failure". If the update fails, OnPreprocHeaders(...) directly modifies the URL in the HTTP request through pHeaderInfo->SetHeader(...) to direct the user to the error page, and then exits; if the update succeeds, OnPreprocHeaders(...) requests the Session maintenance engine to return the user's URL history, with the user Session ID in the request, and after obtaining from the Session maintenance engine the URL the user first visited before logging in, OnPreprocHeaders(...) directly modifies the URL in the HTTP request through pHeaderInfo->SetHeader(...) so that it points to the returned URL.
(The above implementation process corresponds to A4, A41-A45 and A47-A49 of the workflow.)
Next, for a user who has completed identity authentication (whether authenticated before submitting the request or just now), OnPreprocHeaders(...) requests the authorization decision engine to make an authorization decision on the user's access; the request includes the user Session ID, the URL to be accessed and the access method (such as GET or POST). The authorization decision engine returns the authorization decision result to OnPreprocHeaders(...).
OnPreprocHeaders(...) processes further after receiving the returned authorization decision result. If the result is a refusal and the reason is that the user is unauthenticated, control passes to the unauthenticated-user login process described above; if the result is a refusal and the reason is that the user is awaiting authentication, the URL in the HTTP request is directly modified by calling pHeaderInfo->SetHeader(...) so that it points to the login page, and the function exits; if the result is a refusal and the reason is lack of permission, the URL in the HTTP request is directly modified by calling pHeaderInfo->SetHeader(...) so that it points to the corresponding error page, and the function exits. If the authorization decision result is "allow", the URL in the HTTP request is directly modified by calling pHeaderInfo->SetHeader(...) to remove the Session ID information it contains, and the function returns. (This implementation process corresponds to A5 and A7 of the workflow.)
Whatever the case, after OnPreprocHeaders(...) has finished its processing and before it exits, it passes the control information relevant to Session ID transmission to the callback OnSendRawData(...) that intercepts the response. The concrete steps are as follows:
OnPreprocHeaders(...) first takes the pointer pCtxt->m_pFC->pFilterContext from the structure pCtxt passed to it (the type of pFilterContext is void*, and its initial value is NULL); then, with pCtxt->m_pFC->pFilterContext = (void*) pCtxt->AllocMem(sizeof(SessionContext), 0), it allocates a memory area for pFilterContext, where the structure SessionContext is:
struct SessionContext
{
    char SessionID[MAX_SESSION_ID_LEN]; // Session ID field (MAX_SESSION_ID_LEN: maximum ID length, a constant defined by the filter)
    int  RespBlockCnt;                  // count of response message blocks received
    BOOL RespChunkedFlag;               // response is chunked transfer encoding flag
    long RespContentLength;             // data length of the response message body
    long RespAccMsgLen;                 // accumulated response message body data length received
};
Next, OnPreprocHeaders(...) assigns the user's Session ID value XXXXX to the SessionID field of the SessionContext structure variable pointed to by pFilterContext, sets the RespBlockCnt field to zero, and then exits. (The above implementation process corresponds to C11 of key technical problem (C1) and D11 of (D1).)
Note that pCtxt->m_pFC->pFilterContext corresponds to the pointer pFilterContext in the HTTP_FILTER_CONTEXT structure variable that the IIS server passes to the filter callback HttpFilterProc(...).
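The request-side classification described above (A2, A21-A25) and the removal of the Session ID before the request reaches the application (A7), as an added example that is not the patent's own code. It is plain C++ with no ISAPI dependency; the names ClassifyRequest, RequestInfo and the sample URLs are constructed for this example, and the query-string names SessionID, UserID and Password are the ones the page uses.

```cpp
#include <map>
#include <string>

// User classes the filter distinguishes from the request URL (workflow A21-A25).
enum class UserClass { Unauthenticated, PendingAuth, Authenticated };

struct RequestInfo {
    UserClass   cls = UserClass::Unauthenticated;
    std::string sessionId;  // XXXXX from SessionID=XXXXX, if present
    std::string userId;     // YYYYY from UserID=YYYYY, login page only
    std::string password;   // ZZZZZ from Password=ZZZZZ, login page only
    std::string cleanUrl;   // URL with the SessionID pair removed (what the application sees, A7)
};

// Split a query string "a=1&b=2" into Name/Value pairs; names are case-sensitive.
static std::map<std::string, std::string> ParseQuery(const std::string& query) {
    std::map<std::string, std::string> kv;
    for (size_t i = 0; i <= query.size();) {
        size_t amp = query.find('&', i);
        if (amp == std::string::npos) amp = query.size();
        std::string pair = query.substr(i, amp - i);
        size_t eq = pair.find('=');
        if (!pair.empty())
            kv[pair.substr(0, eq)] = (eq == std::string::npos) ? "" : pair.substr(eq + 1);
        i = amp + 1;
    }
    return kv;
}

// Rebuild the URL without the SessionID pair, keeping the other pairs in their original order.
static std::string StripSessionId(const std::string& path, const std::string& query) {
    std::string rest;
    for (size_t i = 0; i < query.size();) {
        size_t amp = query.find('&', i);
        if (amp == std::string::npos) amp = query.size();
        std::string pair = query.substr(i, amp - i);
        if (pair.compare(0, 10, "SessionID=") != 0)
            rest += (rest.empty() ? "" : "&") + pair;
        i = amp + 1;
    }
    return rest.empty() ? path : path + "?" + rest;
}

// Classify one request URL the way OnPreprocHeaders(...) does; loginPage is the
// path of the login page the filter redirects unauthenticated users to (A31/A33).
RequestInfo ClassifyRequest(const std::string& url, const std::string& loginPage) {
    RequestInfo r;
    size_t q = url.find('?');
    std::string path  = url.substr(0, q);
    std::string query = (q == std::string::npos) ? "" : url.substr(q + 1);
    std::map<std::string, std::string> kv = ParseQuery(query);

    std::map<std::string, std::string>::const_iterator sid = kv.find("SessionID");
    if (sid == kv.end() || sid->second.empty()) {
        // No Session ID in the URL: first contact, the filter will create a Session (A3).
        r.cls = UserClass::Unauthenticated;
        r.cleanUrl = url;
        return r;
    }
    r.sessionId = sid->second;
    r.cleanUrl  = StripSessionId(path, query);
    if (path == loginPage) {
        // Session ID present and the URL is the login page: credentials may be attached (A4).
        r.cls = UserClass::PendingAuth;
        if (kv.count("UserID"))   r.userId   = kv["UserID"];
        if (kv.count("Password")) r.password = kv["Password"];
    } else {
        // Session ID present on an ordinary URL: treated as authenticated at this point; a
        // forged or expired ID is only caught when the authorization decision engine is asked (A5).
        r.cls = UserClass::Authenticated;
    }
    return r;
}
```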
C. OnSendRawData(CHttpFilterContext* pCtxt, PHTTP_FILTER_RAW_DATA pRawData)
OnSendRawData(...) is triggered and called when the IIS server sends HTTP response data. Its function is to perform URL rewriting, saving the current user's Session ID in the URL links that point to the local site; that is, it implements workflow A9 of the summary of the invention, key technical problem (C1) (step C12) and (C2), and key technical problems (D1) (step D12), (D2) and (D3). Its concrete implementation is as follows.
OnSendRawData(...) first takes the pFilterContext pointer from the structure pCtxt->m_pFC->pFilterContext that the IIS server passes to it; if pFilterContext is null, it returns directly; if it is not null, it takes the user Session ID value XXXXX from the SessionID field of the SessionContext structure pointed to by pFilterContext. Before the structure pointed to by pFilterContext is used, pFilterContext is first cast to a pointer to SessionContext. (This corresponds to C12 of key technical problem (C1).)
OnSendRawData(...) obtains an HTTP response data block from the structure pointed to by the pRawData pointer that the IIS server passes to it and, using the method of D12 in the summary of the invention, determines by the RespBlockCnt field in the SessionContext structure pointed to by pCtxt->m_pFC->pFilterContext whether the received data block is the first response data block. (This corresponds to D12 of key technical problem (D1).)
If the intercepted data block is the first response data block, the following processing is performed:
(1) Using the method of D21, determine whether the response is in chunked transfer encoding, and set the RespChunkedFlag field in the structure pointed to by pCtxt->m_pFC->pFilterContext accordingly: if chunked, set it to TRUE and then exit; otherwise set it to FALSE and continue;
(2) If the response is in non-chunked transfer encoding, further, using the method of D21, take the length indication value of the response body from the Content-Length field of the response data block:
(21) if the length indication value is zero, OnSendRawData(...) exits;
(22) if the length indication value is non-zero, OnSendRawData(...), as described in D31, sets the RespContentLength field in the structure for passing information between callbacks to this length value and sets the RespAccMsgLen field to zero; next it deletes the Content-Length header field from the response data block, adds a Transfer-Encoding: chunked header field, and then exits. (This corresponds to C221 of C22.)
If the intercepted data block is not the first response data block, the following processing is performed:
(1) Using the method of D22, determine by the RespChunkedFlag field in the structure pointed to by pCtxt->m_pFC->pFilterContext whether the transfer encoding of the response is chunked or non-chunked;
(2) If chunked (RespChunkedFlag is TRUE), rewrite all valid URL links in the response content that point to the local site, adding a query string of the pattern ?...SessionID=XXXXX..., where the string SessionID (other strings may be used) denotes the user Session ID information and the string XXXXX denotes the value of the Session ID, and then exit; (this corresponds to the processing of chunked response data blocks in C21)
(3) If non-chunked (RespChunkedFlag is FALSE), rewrite all valid URL links in the response content that point to the local site, adding a query string of the pattern ?...SessionID=XXXXX..., then, as described in C222 of C22, add the corresponding length indication in front of the response data block so that it becomes a message block (chunk) in chunked transfer encoding; next perform the following processing:
(31) Using the method of D32, determine whether the current response data block is the last data block (the size of the current response data block before URL rewriting is obtained from the structure pointed to by the pRawData pointer passed to the function); if it is not, exit;
(32) If it is, as described in C223 of C22, append a chunk end marker (the character 0 followed by an empty line) after the response data block.
When rewriting the URLs in a response data block, not every URL pointing to the local site is rewritten, only the valid URL links, i.e. the URL links in the page that can be clicked to jump to.
OnSendRawData(...) modifies the response data kept in the structure pointed to by pRawData and performs correct memory management of the data block. The concrete practice is as follows: before modifying the response content in the data block, first estimate the size of the data buffer required after the modifications, which may include adding header fields, adding the Session ID information to URLs, revising or adding the length indication of each data block, appending the chunk end data block, etc.; then call pCtxt->AllocMem(...) to allocate a cache block of the corresponding size and store the modified content in the new cache block; finally replace the original response data block in the structure pointed to by pRawData with the newly produced response data block, and revise the relevant data length indication variables in the structure pointed to by pRawData accordingly.
The above modification of response data blocks complies with the HTTP/1.1 standard.
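The response-side block processing described here and in C21-C223 and D11-D32 (first-block detection by block count, chunked/non-chunked detection from the header block, Content-Length to chunked conversion, per-chunk length revision and the final chunk end marker), as an added example that is not the patent's own code. It is plain C++ with no ISAPI or MFC dependency: the SessionContext fields follow the page, while ProcessResponseBlock, the href-only link rewriter and the sample response are constructed for this example; it assumes, as the page does, that the first block holds only the headers and that each later block of a chunked response holds exactly one complete chunk.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Per-connection state kept behind pFilterContext (field names follow the page's SessionContext).
struct SessionContext {
    std::string SessionID;        // Session ID captured on the request side (C11)
    int  RespBlockCnt = 0;        // response blocks seen so far (D11/D12)
    bool RespChunkedFlag = false; // response uses chunked transfer encoding (D21)
    long RespContentLength = 0;   // Content-Length of a non-chunked body (D31)
    long RespAccMsgLen = 0;       // body bytes received so far, before rewriting (D32)
};

// Find the header line "name: value\r\n" in a header block; returns its start and sets end
// to one past its CRLF, or npos if absent. Exact-case header names are assumed.
static size_t FindHeaderLine(const std::string& head, const std::string& name, size_t& end) {
    size_t pos = head.find("\r\n" + name + ":");
    if (pos == std::string::npos) return pos;
    pos += 2;
    end = head.find("\r\n", pos);
    end = (end == std::string::npos) ? head.size() : end + 2;
    return pos;
}

static std::string HeaderValue(const std::string& head, const std::string& name) {
    size_t end = 0, pos = FindHeaderLine(head, name, end);
    if (pos == std::string::npos) return "";
    std::string v = head.substr(pos, end - pos);
    v = v.substr(v.find(':') + 1);
    size_t b = v.find_first_not_of(" \t"), e = v.find_last_not_of(" \t\r\n");
    return (b == std::string::npos) ? "" : v.substr(b, e - b + 1);
}

// Append the Session ID query pair to every path-absolute href link (a minimal rewriter
// written for this example; a real filter covers the other clickable link forms as well).
static std::string RewriteLocalLinks(const std::string& body, const std::string& sid) {
    const std::string key = "href=\"";
    std::string out;
    for (size_t i = 0;;) {
        size_t p = body.find(key, i);
        size_t q = (p == std::string::npos) ? p : body.find('"', p + key.size());
        if (q == std::string::npos) { out += body.substr(i); return out; }
        std::string url = body.substr(p + key.size(), q - p - key.size());
        if (!url.empty() && url[0] == '/')   // local link: add ?SessionID=XXXXX or &SessionID=XXXXX
            url += (url.find('?') == std::string::npos ? "?SessionID=" : "&SessionID=") + sid;
        out += body.substr(i, p + key.size() - i) + url;
        i = q;                               // the closing quote is copied on the next round
    }
}

// Frame data as one HTTP/1.1 chunk: "<hex length>\r\n<data>\r\n" (C222).
static std::string FrameChunk(const std::string& data) {
    char len[32];
    std::snprintf(len, sizeof len, "%lx\r\n", (unsigned long)data.size());
    return len + data + "\r\n";
}

// One OnSendRawData(...) call: returns the bytes that replace the intercepted block.
std::string ProcessResponseBlock(SessionContext& ctx, const std::string& block) {
    ctx.RespBlockCnt++;                                             // D12
    if (ctx.RespBlockCnt == 1) {                                    // header block
        ctx.RespChunkedFlag = HeaderValue(block, "Transfer-Encoding") == "chunked"; // D21
        if (ctx.RespChunkedFlag) return block;
        long len = std::atol(HeaderValue(block, "Content-Length").c_str());
        ctx.RespContentLength = len;                                // D31
        ctx.RespAccMsgLen = 0;
        if (len == 0) return block;                                 // (21): nothing to convert
        size_t end = 0, pos = FindHeaderLine(block, "Content-Length", end);
        return block.substr(0, pos) + "Transfer-Encoding: chunked\r\n" + block.substr(end); // C221
    }
    if (ctx.RespChunkedFlag) {                                      // C21: re-frame one chunk
        size_t eol = block.find("\r\n");
        unsigned long n = std::strtoul(block.c_str(), nullptr, 16);
        if (eol == std::string::npos || n == 0) return block;       // last chunk passes through
        return FrameChunk(RewriteLocalLinks(block.substr(eol + 2, n), ctx.SessionID));
    }
    if (ctx.RespContentLength == 0) return block;                   // header carried no body length
    ctx.RespAccMsgLen += (long)block.size();                        // D32: length before rewriting
    std::string out = FrameChunk(RewriteLocalLinks(block, ctx.SessionID));
    if (ctx.RespAccMsgLen == ctx.RespContentLength) out += "0\r\n\r\n"; // C223: chunk end marker
    return out;
}
```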
D. OnEndOfNetSession(CHttpFilterContext* pCtxt)
OnEndOfNetSession(CHttpFilterContext* pCtxt) is triggered and called when the IIS server finishes processing an HTTP request; it does nothing and returns immediately. Its purpose is to let the IIS server release the memory allocated by AllocMem(...).
2) Session maintenance engine
The Session maintenance engine implements the functions related to Session maintenance in workflow A6, A32, A46 and A48, mainly:
(1) creating a user Session object at the request of the ISAPI access-control filter, generating a Session ID and returning it;
(2) at the request of the ISAPI access-control filter, saving the user's URL history into the Session object, or returning the user URL history saved in the Session object;
(3) at the request of the ISAPI access-control filter, updating the Session object, obtaining user information (such as user group information, role information, etc.) from the identity and rights management system and filling the Session object with it;
(4) providing queries of user Session state information (Session ID, identity information, authority information, etc.);
(5) deleting timed-out, invalid Session objects.
As long as the functions of the present invention are realized, the Session maintenance engine can be implemented in many ways. One way is to implement the Session maintenance engine as a program module that is loaded together with the ISAPI access-control filter and called directly by it. In this embodiment, the Session maintenance engine module maintains user Session information through a global Session object table kept in memory; this global table is either created and initialized when the ISAPI access-control filter initializes, for example by GetFilterVersion(PHTTP_FILTER_VERSION pVer), or created and initialized on first use.
Another way is to implement the Session maintenance engine as an independent process running on the IIS server, with which the ISAPI access-control filter exchanges information through inter-process communication (IPC). Compared with the former way, this way performs slightly worse, but is easier to develop, debug and maintain. For instance, developing a Session maintenance process with Java technology is very simple.
In short, as long as the required functions are realized, the Session maintenance engine can be implemented in many ways, and there is no technical barrier.
3) Authorization decision engine
The authorization decision engine mainly implements the functions related to it in workflow A6, namely making a decision on the user's resource access according to the authorization decision request of the ISAPI filter. Like the Session maintenance engine, as long as the functions of the present invention are realized, it can be implemented in many ways and with many methods. Like the Session maintenance engine, it can be implemented either as a module that is loaded together with the ISAPI access-control filter and called directly by the ISAPI filter, or as an independent process running on the IIS server.
The implementation of the authorization decision engine is straightforward and presents no technical barrier.
4) Identity and rights management system
The identity and rights management system implements the functions related to it in steps A43 and A46. As long as the functions of the present invention are realized, it can be implemented in many ways; one implementation is described below.
The identity and rights management system comprises three parts (as shown in Figure 2): the identity and rights server T11, the identity and rights database T12, and the identity and rights manager T13. The identity and rights database may be any database system supporting LDAP (Lightweight Directory Access Protocol); it stores user identity information (such as user ID, user group, role), access control policies, etc., and the content and form of the stored information depend on the access control method (such as ACL, RBAC, etc.). The identity and rights server is a Java-based service process that externally provides service interfaces for creating, updating, deleting and querying identity and rights information; the service interfaces include RMI and Web Services. The identity and rights manager provides the human-computer interface for identity and rights management and may be implemented with JSP/Servlet or other Web technologies.
Matters not described in detail in this specification belong to the prior art known to those skilled in the art.

Claims (9)

1. An ISAPI access control system for fully transparent transmission of a Session ID, comprising four parts:
an ISAPI access-control filter, responsible for access control enforcement: when a user accesses, through a browser, a Web application system deployed on the IIS server, this access-control filter intercepts the HTTP requests and responses and performs user identity authentication, access control enforcement and transmission of the user Session ID (Session identifier);
a Session maintenance engine, responsible for creating a Session object and generating a corresponding Session ID for each Web service visitor, obtaining user identity information from the identity and rights management system to fill the Session object, saving other user state information in the Session object, providing queries of Session information and identity information, deleting timed-out, invalid Session objects, etc.;
an authorization decision engine, which makes authorization decisions on users' requests to access resources according to the user's identity and rights information and the resource access control policy;
an identity and rights management system, which stores and maintains user identity information and the access control policies of resources, and provides query services for user identity information and resource access control policies.
2. The ISAPI access control system for Session ID fully transparent transmission according to claim 1, characterized in that access control is implemented as follows:
Step 1: a user accesses a Web application deployed on the IIS server;
Step 2: the ISAPI access control filter handles the SF_NOTIFY_PREPROC_HEADERS event notification, intercepts the HTTP request header, and classifies the user according to whether the request URL contains a valid Session ID, whether the request carries identity authentication information, and what the current URL points to; depending on the user class it proceeds to Step 3, Step 4 or Step 5;
Step 3: for an unauthenticated user, i.e. one accessing the Web application for the first time, the ISAPI access control filter first requests the Session maintenance engine to create a Session object for the user and return its Session ID, then redirects the user's HTTP request to the login page, passes the control information related to Session ID transmission to the ISAPI filter callback that intercepts HTTP response data, and exits;
Step 4: for a user pending authentication, i.e. one who is not yet authenticated but has just submitted identity authentication information through the login page, the ISAPI access control filter hands the request over to identity authentication processing; if authentication fails, the HTTP request is redirected to the login page, the control information related to Session ID transmission is passed to the ISAPI filter callback that intercepts HTTP response data, and the filter exits; if authentication succeeds, processing continues with the following steps;
Step 5: for an authenticated user, the ISAPI access control filter sends an authorization decision request to the authorization decision engine; the request carries the user's Session ID, the URL of the resource to be accessed and the access method;
Step 6: on receiving the authorization decision request from the ISAPI access control filter, the authorization decision engine queries the Session maintenance engine to establish whether the user is a validly authenticated user and obtains the required user information, then decides, according to the user's identity, the user's permissions and the corresponding access control policy, whether the user is allowed to access the resource, and returns the decision result to the ISAPI access control filter;
Step 7: the ISAPI access control filter enforces the access control decision on the user's HTTP request according to the result returned by the authorization decision engine, passes the control information related to Session ID transmission to the ISAPI filter callback that intercepts HTTP response data, and exits;
Step 8: after the ISAPI access control filter has processed the HTTP request, the IIS server passes it to the Web application, which processes the user's request and returns the response;
Step 9: the ISAPI access control filter handles each SF_NOTIFY_SEND_RAW_DATA event notification and intercepts each HTTP response data block in turn; if the intercepted block is the first response data block, i.e. the block containing only the response headers, the filter sets the control information related to Session ID transmission; if it is a subsequent response data block, i.e. a response body data block, the filter rewrites every URL link in the block that points to the local server so that it carries the user's Session ID, and then exits;
Step 10: after the application service system has finished sending the response, the ISAPI access control filter handles the SF_NOTIFY_END_OF_NET_SESSION event notification without any processing and exits immediately.
3. The ISAPI access control system for Session ID fully transparent transmission according to claim 2, characterized in that in Step 3, once the request has been handed over to the user login process, processing is as follows:
Step 1: the ISAPI access control filter requests the Session maintenance engine to create a Session object for the user; the request carries the URL the user is currently accessing, or an empty URL if that URL is the login URL;
Step 2: on receiving the request, the Session maintenance engine creates the Session object for the user, generates the corresponding Session ID, saves the URL carried in the request into the Session object as URL history, and returns the Session ID to the ISAPI access control filter;
Step 3: on receiving the returned Session ID, the ISAPI access control filter directly modifies the URL in the HTTP request header so that it points to the login page, passes the control information related to Session ID transmission to the filter callback that intercepts HTTP response data, and exits.
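The request-side decisions of claim 2 (Steps 2 to 6) and the session creation of claim 3, written out as an added example in portable C; this is not the patent's code and omits the real ISAPI entry points (HttpFilterProc, HTTP_FILTER_CONTEXT, httpfilt.h) so that it compiles and runs anywhere. The login path `/login.asp`, the `SessionID` query parameter name, the in-memory session table, the fixed PRNG seed, the single `alice` account and the `/admin/` policy are all assumptions made for the example. One check worth noting: `lookup_session` only honours IDs the engine itself issued, so a Session ID supplied by the client that the engine never generated is treated as absent rather than trusted.

```c
/* Added example (not the patent's code): request-side logic of claims 2 and 3.
 * Assumed values: login path, parameter name, session table, account, policy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGIN_URL    "/login.asp"   /* assumed login page */
#define SID_PARAM    "SessionID"    /* query parameter that carries the Session ID */
#define SID_LEN      16
#define MAX_SESSIONS 16

typedef enum { USER_UNAUTHENTICATED, USER_PENDING, USER_AUTHENTICATED } UserClass;

/* Session object held by the Session maintenance engine (here: a fixed table). */
typedef struct {
    char id[SID_LEN + 1];
    char user[32];            /* non-empty once authentication has succeeded */
    char history_url[256];    /* URL history saved at creation (claim 3, step 2) */
} Session;

static Session g_sessions[MAX_SESSIONS];
static int g_count;
static unsigned long long g_state = 0x9E3779B97F4A7C15ULL; /* fixed seed for the example; use a CSPRNG in practice */

static unsigned long long next_rand(void) {               /* xorshift64, deterministic here */
    g_state ^= g_state << 13; g_state ^= g_state >> 7; g_state ^= g_state << 17;
    return g_state;
}

/* Claim 3, steps 1-2: create a Session object and remember the requested URL
 * (empty when the request was for the login URL itself). */
Session *create_session(const char *current_url) {
    if (g_count >= MAX_SESSIONS) return NULL;
    Session *s = &g_sessions[g_count++];
    snprintf(s->id, sizeof s->id, "%016llx", next_rand());
    s->user[0] = '\0';
    int is_login = !current_url || strncmp(current_url, LOGIN_URL, strlen(LOGIN_URL)) == 0;
    snprintf(s->history_url, sizeof s->history_url, "%s", is_login ? "" : current_url);
    return s;
}

/* Only IDs the engine issued are valid: an unknown but well-formed ID is treated
 * as absent, so a client cannot pick its own Session ID. */
Session *lookup_session(const char *id) {
    for (int i = 0; i < g_count; i++)
        if (strcmp(g_sessions[i].id, id) == 0) return &g_sessions[i];
    return NULL;
}

/* Copy the value of "name=..." from the query string of url; returns 1 if present. */
int query_param(const char *url, const char *name, char *out, size_t outlen) {
    const char *q = strchr(url, '?');
    size_t nlen = strlen(name);
    if (!q) return 0;
    for (q++; *q; ) {
        const char *e = strchr(q, '&');
        size_t plen = e ? (size_t)(e - q) : strlen(q);
        if (plen > nlen && strncmp(q, name, nlen) == 0 && q[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, q + nlen + 1, vlen); out[vlen] = '\0';
            return 1;
        }
        if (!e) break;
        q = e + 1;
    }
    return 0;
}

/* Claim 2, step 2: classify by Session ID validity, presence of authentication
 * information, and the URL being requested. *out receives the session, if any. */
UserClass classify_request(const char *url, int has_auth_info, Session **out) {
    char sid[SID_LEN + 1];
    Session *s = query_param(url, SID_PARAM, sid, sizeof sid) ? lookup_session(sid) : NULL;
    *out = s;
    if (s && s->user[0]) return USER_AUTHENTICATED;                 /* -> step 5 */
    if (s && has_auth_info && strncmp(url, LOGIN_URL, strlen(LOGIN_URL)) == 0)
        return USER_PENDING;                                         /* -> step 4 */
    return USER_UNAUTHENTICATED;                                     /* -> step 3 */
}

/* Claim 2, step 3: create the session and redirect to the login page with the
 * new Session ID carried in the URL, as the patent transmits it. */
int login_redirect(const char *current_url, char *out, size_t outlen) {
    Session *s = create_session(current_url);
    if (!s) return 0;
    return snprintf(out, outlen, "%s?%s=%s", LOGIN_URL, SID_PARAM, s->id) < (int)outlen;
}

/* Claim 2, step 4: check submitted credentials (one constructed account). */
int authenticate(Session *s, const char *user, const char *pass) {
    if (!s || strcmp(user, "alice") != 0 || strcmp(pass, "correct horse") != 0) return 0;
    snprintf(s->user, sizeof s->user, "%s", user);
    return 1;
}

/* Claim 2, steps 5-6: decision from identity plus a constructed policy:
 * /admin/ is reserved for "admin"; everyone else may only GET. Deny by default. */
int authorize(const Session *s, const char *url, const char *method) {
    if (!s || !s->user[0]) return 0;
    if (strncmp(url, "/admin/", 7) == 0) return strcmp(s->user, "admin") == 0;
    return strcmp(method, "GET") == 0;
}
```

The flow for a first visit is `classify_request` returning `USER_UNAUTHENTICATED`, then `login_redirect` issuing the ID; a later request whose URL carries that ID and that posts credentials to the login path classifies as `USER_PENDING` and goes through `authenticate`; after that, requests carrying the ID classify as `USER_AUTHENTICATED` and are passed to `authorize`.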
4. The ISAPI access control system for Session ID fully transparent transmission according to claim 2, characterized in that in Steps 3, 4, 7 and 9 a shared data structure variable containing the following information fields is passed between the ISAPI filter callback functions that process the HTTP request, by means of the pFilterContext pointer in the HTTP_FILTER_CONTEXT structure parameter that the IIS server passes to each callback:
(1) Session ID field;
(2) count of response data blocks received;
(3) flag indicating whether the response uses chunked transfer encoding;
(4) length of the response body;
(5) cumulative length of response body data received so far.
The ISAPI filter callback that handles the SF_NOTIFY_PREPROC_HEADERS event, each time it finishes processing and before it exits, sets the "Session ID" field to the current user's Session ID and the "count of response data blocks received" field to 0.
5. The ISAPI access control system for Session ID fully transparent transmission according to claim 2, characterized in that in Step 9, each time a response data block is intercepted, whether the received block is the first response data block containing only the HTTP response headers is determined as follows:
Each time an HTTP response data block is intercepted, the "count of response data blocks received" field in the data structure variable shared between the callbacks is incremented by 1; if the result after incrementing is 1, the currently intercepted block is the first response data block containing only the HTTP response headers; otherwise it is a subsequent response data block.
6. The ISAPI access control system for Session ID fully transparent transmission according to claim 2, characterized in that in Step 9, when handling each SF_NOTIFY_SEND_RAW_DATA event notification and the intercepted response data block is the first block containing only the response headers, the control information related to Session ID transmission is set as follows:
Step 1: check whether this response data block contains a Transfer-Encoding: chunked header field; if it does, go to Step 2, otherwise go to Step 3;
Step 2: set the "response uses chunked transfer encoding" flag in the data structure shared between the callbacks to TRUE and finish;
Step 3: perform the following settings:
(1) set the "response uses chunked transfer encoding" flag in the shared data structure to FALSE;
(2) take the body length from the Content-Length header field of this response data block and set the "length of the response body" field in the shared data structure to that value;
(3) set the "cumulative length of response body data received" field to zero;
(4) delete the Content-Length header field from this response header block, add a Transfer-Encoding: chunked header field, and finish.
7. The ISAPI access control system for Session ID fully transparent transmission according to claim 2, characterized in that in Step 9, when handling the SF_NOTIFY_SEND_RAW_DATA event notification, the URL links in each intercepted response body data block are rewritten as follows:
Step 1: the ISAPI access control filter callback obtains the user's Session ID from the "Session ID" field of the structure variable pointed to by the pFilterContext pointer in the HTTP_FILTER_CONTEXT structure parameter passed in by the IIS server;
Step 2: the ISAPI access control filter callback rewrites every URL link in the HTTP response data block that points to the local server, appending a query string of the form ?...SessionID=XXXXX..., where XXXXX is the user's Session ID obtained in Step 1;
Step 3: if any URL was rewritten, modify the length indication of the response data block.
8. The ISAPI access control system for Session ID fully transparent transmission according to claim 7, characterized in that after the URL links in a response body data block have been rewritten, the length indication of the response data block is modified as follows:
Step 1: check the "response uses chunked transfer encoding" flag in the data structure shared between the callbacks; if its value is TRUE, go to Step 2, otherwise go to Step 3;
Step 2: directly modify the chunk length indication in this chunked-encoded response body data block and finish;
Step 3: prepend a chunk length indication to this response body data block so that it becomes a response data block in chunked transfer encoding; then determine whether this block is the last response body data block and, if so, also append a chunk terminator after the block.
9. The ISAPI access control system for Session ID fully transparent transmission according to claim 8, characterized in that when Step 3 of that method modifies the length indication of a response block that is not in chunked transfer encoding, whether the received response data block is the last response body data block is determined as follows:
The length of the current response data block is added to the "cumulative length of response body data received" field in the data structure shared between the callbacks and the field is updated; if, after this update, the "cumulative length of response body data received" field equals the "length of the response body" field saved in the data structure, the current response data block is determined to be the last one.
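The response-side procedure of claims 4 to 9 (shared per-request context, header-block handling, local-link rewriting and chunk re-framing with last-block detection), as an added example in portable C. It is not the patent's code: the real ISAPI callbacks, HTTP_FILTER_CONTEXT and pFilterContext are replaced by a plain `FilterCtx` pointer, and intercepted blocks are passed as NUL-terminated text. Assumptions made for the example: one chunk per intercepted block, "points to the local server" means an absolute-path URL in an `href="` or `src="` attribute, and a response with neither Content-Length nor chunked encoding is left out. The example keeps the patent's property that only local links receive the Session ID, so the ID is not appended to links to other hosts.

```c
/* Added example (not the patent's code): response-side processing of claims 4-9.
 * Assumed: one chunk per block, local link = absolute-path href/src, text blocks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define SID_PARAM "SessionID"

/* Shared structure passed between callbacks via pFilterContext (claim 4). */
typedef struct {
    char   session_id[17];   /* (1) */
    int    blocks_received;  /* (2) */
    int    is_chunked;       /* (3) */
    size_t body_length;      /* (4) from the original Content-Length */
    size_t body_received;    /* (5) cumulative body bytes seen so far */
} FilterCtx;

/* End of SF_NOTIFY_PREPROC_HEADERS handling: store the Session ID, reset the count. */
void ctx_begin_request(FilterCtx *c, const char *sid) {
    memset(c, 0, sizeof *c);
    snprintf(c->session_id, sizeof c->session_id, "%s", sid);
}

/* Find a header line by (case-insensitive) name in a NUL-terminated header block. */
static char *find_header(char *hdrs, const char *name) {
    size_t n = strlen(name);
    for (char *p = hdrs; p && *p; ) {
        if (strncasecmp(p, name, n) == 0 && p[n] == ':') return p;
        p = strstr(p, "\r\n");
        if (p) p += 2;
    }
    return NULL;
}

/* Claim 6: decide the transfer mode from the header block; for a Content-Length
 * response remove that header and switch to chunked so rewritten bodies can grow. */
static int process_header_block(FilterCtx *c, char *hdrs, size_t cap) {
    char *te = find_header(hdrs, "Transfer-Encoding");
    char *eol = te ? strstr(te, "\r\n") : NULL, *ch = te ? strstr(te, "chunked") : NULL;
    if (ch && eol && ch < eol) { c->is_chunked = 1; return (int)strlen(hdrs); } /* step 2 */
    c->is_chunked = 0;                                                          /* step 3 */
    char *cl = find_header(hdrs, "Content-Length");
    if (!cl) return -1;                       /* neither framing: not covered by this example */
    c->body_length = strtoul(cl + strlen("Content-Length:"), NULL, 10);
    c->body_received = 0;
    char *next = strstr(cl, "\r\n") + 2;
    memmove(cl, next, strlen(next) + 1);      /* (4) delete the Content-Length line */
    const char *add = "Transfer-Encoding: chunked\r\n";
    char *blank = strstr(hdrs, "\r\n\r\n");
    size_t len = strlen(hdrs), alen = strlen(add);
    if (!blank || len + alen + 1 > cap) return -1;
    memmove(blank + 2 + alen, blank + 2, len - (size_t)(blank + 2 - hdrs) + 1);
    memcpy(blank + 2, add, alen);             /* (4) ... and announce chunked encoding */
    return (int)(len + alen);
}

/* Claim 7: append ?SessionID=... (or &SessionID=... when a query already exists)
 * to every local link. Returns bytes written to out, or -1 if out is too small. */
int rewrite_links(const char *body, size_t n, const char *sid, char *out, size_t cap) {
    size_t o = 0, i = 0;
    while (i < n) {
        size_t a = 0;
        if (n - i > 6 && !strncmp(body + i, "href=\"", 6)) a = 6;
        else if (n - i > 5 && !strncmp(body + i, "src=\"", 5)) a = 5;
        const char *url = body + i + a, *q = a ? memchr(url, '"', n - i - a) : NULL;
        if (a && *url == '/' && q) {
            size_t ulen = (size_t)(q - url);
            int w = snprintf(out + o, cap - o, "%.*s%c%s=%s", (int)(a + ulen), body + i,
                             memchr(url, '?', ulen) ? '&' : '?', SID_PARAM, sid);
            if (w < 0 || (size_t)w >= cap - o) return -1;
            o += (size_t)w; i += a + ulen;    /* the closing quote is copied below */
            continue;
        }
        if (o + 1 >= cap) return -1;
        out[o++] = body[i++];
    }
    out[o] = '\0';
    return (int)o;
}

/* Claims 8 and 9: emit one body block with a correct chunk length indication. */
static int process_body_block(FilterCtx *c, const char *blk, size_t n, char *out, size_t cap) {
    char body[2048];
    const char *data = blk; size_t dlen = n; int last = 0;
    if (c->is_chunked) {                      /* claim 8 step 2: re-measure the existing chunk */
        char *end; unsigned long len = strtoul(blk, &end, 16);
        if (end == blk || strncmp(end, "\r\n", 2) || (size_t)(end + 2 - blk) + len + 2 > n) return -1;
        if (len == 0) { if (n >= cap) return -1; memcpy(out, blk, n); out[n] = '\0'; return (int)n; }
        data = end + 2; dlen = len;
    } else {                                  /* claim 8 step 3 + claim 9: is this the last block? */
        c->body_received += n;
        last = c->body_received == c->body_length;
    }
    int blen = rewrite_links(data, dlen, c->session_id, body, sizeof body);
    if (blen < 0) return -1;
    int w = snprintf(out, cap, "%x\r\n%.*s\r\n%s", blen, blen, body, last ? "0\r\n\r\n" : "");
    return (w < 0 || (size_t)w >= cap) ? -1 : w;
}

/* SF_NOTIFY_SEND_RAW_DATA handler: claim 5 counts blocks; block 1 is headers only. */
int on_send_raw_data(FilterCtx *c, const char *blk, size_t n, char *out, size_t cap) {
    if (++c->blocks_received == 1) {
        if (n >= cap) return -1;
        memcpy(out, blk, n); out[n] = '\0';
        return process_header_block(c, out, cap);
    }
    return process_body_block(c, blk, n, out, cap);
}
```

Feed the header block and then each body block to `on_send_raw_data`; a Content-Length response of 22 bytes whose single link grows to 49 bytes comes out as `31\r\n...\r\n0\r\n\r\n`, with the terminator added because the cumulative count reached the saved body length, while an already chunked response keeps its headers unchanged and only has each chunk re-measured.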
Application CN2008100470552A, priority and filing date 2008-03-13: ISAPI access control system for Session ID fully transparent transmission (granted as CN101247395B; legal status: Expired - Fee Related)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100470552A CN101247395B (en) 2008-03-13 2008-03-13 ISAPI access control system for Session ID fully transparent transmission

Publications (2)

Publication Number Publication Date
CN101247395A true CN101247395A (en) 2008-08-20
CN101247395B CN101247395B (en) 2011-03-16

Family

ID=39947594

Country Status (1)

Country Link
CN (1) CN101247395B (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102480464A (en) * 2010-11-24 2012-05-30 上海宝信软件股份有限公司 Service calling system injected with context information and decoupled with web session and method
CN102624918A (en) * 2012-03-30 2012-08-01 北京英富森信息技术有限公司 Proxy access method based on URL (Uniform Resource Locator) rewriting technique
CN103020241A (en) * 2012-12-18 2013-04-03 网宿科技股份有限公司 Dynamic page cache method and system based on session
CN103618734A (en) * 2013-12-06 2014-03-05 北京奇虎科技有限公司 Website protection method, system and device
CN101902485B (en) * 2009-05-27 2014-05-14 北京启明星辰信息技术股份有限公司 Rewriting method of reversal Web agent link
CN103973797A (en) * 2014-05-13 2014-08-06 公安部第一研究所 Method for conducting requests through Session
CN104023033A (en) * 2014-06-24 2014-09-03 浪潮电子信息产业股份有限公司 Safety production method for cloud services
CN104866312A (en) * 2015-05-22 2015-08-26 国云科技股份有限公司 ASP.NET-based pseudo static page implementation method
CN105740656A (en) * 2014-12-09 2016-07-06 航天信息股份有限公司 Data authority management method and device
CN105787355A (en) * 2016-03-18 2016-07-20 山东华软金盾软件股份有限公司 Security software process permission management method and device
CN105791375A (en) * 2014-12-26 2016-07-20 上海斐讯数据通信技术有限公司 Page directing method for Web server
CN106161478A (en) * 2016-09-19 2016-11-23 成都知道创宇信息技术有限公司 Accurate attack recognition method based on the change of http response head
CN106357536A (en) * 2016-09-13 2017-01-25 杭州迪普科技有限公司 Message transmission method and device
CN106878311A (en) * 2017-02-22 2017-06-20 杭州迪普科技股份有限公司 The rewrite method and device of HTTP message
CN107770146A (en) * 2016-08-23 2018-03-06 北京嘀嘀无限科技发展有限公司 A kind of user data authority control method and device
CN107908973A (en) * 2017-11-22 2018-04-13 中国南方电网有限责任公司超高压输电公司 A kind of dynamic data authority control method based on AOP technologies
CN108011850A (en) * 2017-12-18 2018-05-08 北京百度网讯科技有限公司 The recombination method and device of data packet, computer equipment and computer-readable recording medium
CN110009267A (en) * 2018-01-04 2019-07-12 中集冷云(北京)冷链科技有限公司 Cold Chain Logistics transport power concocting method and Cold Chain Logistics transport power deployment device
CN110602115A (en) * 2019-09-19 2019-12-20 郑明达 Security decision method and system based on micro-service
CN110913011A (en) * 2019-12-05 2020-03-24 东软集团股份有限公司 Session keeping method, session keeping device, readable storage medium and electronic equipment
CN111800440A (en) * 2020-09-08 2020-10-20 平安国际智慧城市科技股份有限公司 Multi-policy access control login method and device, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060264201A1 (en) * 2003-03-10 2006-11-23 Thomson Licensing S.A. Identity mapping mechanism in wlan access control with public authentication servers
CN1553674A (en) * 2003-05-26 2004-12-08 广东省电信有限公司科学技术研究院 Method for wideband connection server to obtain port numbers of its uers
CN101126977A (en) * 2007-08-28 2008-02-20 激动集团股份有限公司 ISAPI based WEB static page generation method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110316

Termination date: 20150313

EXPY Termination of patent right or utility model