CN101350710B - Network system, authority issuing server, authority issuing and executing method - Google Patents


Info

Publication number: CN101350710B
Authority: CN (China)
Application number: CN2007100291755A
Other languages: Chinese (zh)
Other versions: CN101350710A
Inventor: 杨杰
Original assignee: Huawei Technologies Co Ltd
Current assignee: XFusion Digital Technologies Co Ltd
Legal status: Active
Prior art keywords: resource, authority, described resource, rights, access person

Landscapes: Storage Device Security (AREA)

Abstract

The present invention discloses a network system comprising an authority issuing server and a service providing node. In the network system, the authority issuing server receives resource registration request information from a resource owner, registers the resources owned by the resource owner, receives rights registration request information from a resource visitor, and issues the visitor usage rights for the resource according to that request information. The service providing node receives a resource use request from the resource visitor, looks up the usage-rights information by the visitor's user identity information, verifies the visitor's rights against that information, and provides the resource service to the visitor once the verification passes. The present invention also discloses a method by which the authority issuing server issues rights and a method of executing rights. The method reduces the rights-management burden on the service server.

Description

Network system, authority issuing server, and methods of authority issuing and execution
Technical field
The present invention relates to the communications field, and in particular to a network system, an authority issuing server, and methods of rights registration and execution.
Background technology
A peer-to-peer (P2P) network is a network in which all nodes generally play the same role: each node is both a service requester and a service provider. In other words, a node in a P2P network requests services while also serving others. The capacity of such a network depends on the computing power and bandwidth of all participants (the network nodes) rather than on a small number of servers. Under the client/server model, by contrast, a node plays only the role of service provider or of service consumer; the service provider generally does not consume services in the network, and a consumer of services does not provide services to the network. The advantage of a P2P network over a client/server network is that the P2P network can store more resources: the number of resources it can store is determined by the number and capacity of all participating nodes, so the more nodes participate, the larger the storage, whereas the storage capacity of a client/server system is determined only by the number and capacity of its servers.
Generally speaking, users in a network system are graded: different users enjoy different resource usage rights, and users holding different rights can access different services, or different levels of service. Issuing rights to different users in a network system and supervising how those rights are used is the process of rights management. Rights management mainly involves three roles. The rights user is the entity that applies for and uses rights; this role is played by the service consumer. The rights issuer is the entity that issues rights to rights users and decides which rights each rights user should have. The rights executor is the entity that supervises the use of rights. The rights issuer and the rights executor are played by the service provider. For example, in an FTP service system the rights user is the user who wishes to use the FTP service. To use the service, the user must first apply for and obtain an FTP account from the FTP server; holding the account shows that the user is entitled to use the service on that server, so the FTP server that opens the account for the user is the rights issuer. When the user downloads files from the FTP server, the server verifies the user's account; verifying the account is the process of supervising the use of rights, so the FTP server is also the rights executor.
Rights management in common use today is based on the Access Control List (ACL) mechanism. An ACL is essentially a table that records the mapping between users and rights. At present, the ACL table is created and maintained by the service provider. If a user needs to use a resource, the user must first apply to the service provider for the corresponding rights. The service provider issues the rights to the user and creates an ACL table entry storing the user-to-rights mapping. When the user requests a resource from the service provider, the service provider queries the ACL table to determine whether the user has the right to access the requested resource.
Rights management with ACLs in a P2P network works as follows. Taking Fig. 1 as an example, system 100 is a P2P network, and 101, 102, 103, 121 and 122 are nodes of this P2P network; each has the functions of both a service provider and a service consumer. For ease of description, suppose that 121 and 122 play the role of service providers, offering a file-sharing service to users, while 101, 102 and 103 play the role of service consumers that need to download the shared files they need from 121 and 122. Thus 101, 102 and 103 are the rights users in this network, and 121 and 122 have the functions of both rights issuer and rights executor. When 101, 102 or 103 needs to use a shared file on 121, it must apply to 121 for rights; service provider 121 creates an ACL table reflecting the mapping between 101, 102 or 103 and its rights and issues the rights to 101, 102 or 103; when 101, 102 or 103 then requests a shared file from 121, 121 queries the ACL table to determine whether 101, 102 or 103 has the right to access the shared file and, if so, provides the shared file. Likewise, when 101, 102 or 103 needs to use a shared file on 122, it must apply to 122 for rights; service provider 122 creates an ACL table reflecting the mapping between 101, 102 or 103 and its rights and issues the rights to 101, 102 or 103; when 101, 102 or 103 requests a shared file from 122, 122 queries the ACL table to determine whether 101, 102 or 103 has the right to access the shared file and, if so, provides the shared file. And so on: to provide rights management across the whole P2P network, a service consumer must apply for rights from every service provider that offers the resources it needs, and every service provider must create ACL entries for that user, issue rights and supervise their use, so the burden of rights management on the service provider is very heavy.
Summary of the invention
In view of this, embodiments of the present invention provide a network system, an authority issuing server, and methods of rights registration and execution, which can reduce the burden of rights management on the service provider.
To solve the above technical problem, an embodiment of the invention provides an authority issuing server, comprising:
a resource registration unit, configured to receive resource registration request information from a resource owner and to register the resources owned by the resource owner according to that request information;
a rights issuing unit, configured to receive a rights registration request sent by a resource visitor for a resource registered by the resource registration unit, and to issue the resource visitor usage rights for that resource according to the rights registration request.
Correspondingly, an embodiment of the invention provides a network system, comprising:
an authority issuing server, configured to receive resource registration request information from a resource owner, register the resources owned by the owner according to that information, receive a rights registration request sent by a resource visitor for a registered resource, and issue the visitor usage rights for that resource according to the rights registration request;
a service providing node, configured, on receiving a resource use request from a resource visitor, to query by the visitor's user identity information the usage rights issued to the visitor for the resource by the authority issuing server, verify the visitor's rights against the usage rights obtained by the query, and provide the resource service to the visitor after the visitor passes rights verification.
Correspondingly, an embodiment of the invention provides a rights issuing method, comprising:
the authority issuing server receives a rights registration request sent by a resource visitor for a resource registered with the authority issuing server;
the authority issuing server issues the resource visitor usage rights for that resource according to the rights registration request.
Correspondingly, an embodiment of the invention provides a rights execution method, comprising:
a service providing node receives a resource use request sent by a resource visitor;
the service providing node queries, by the visitor's user identity information, the usage rights issued by the authority issuing server to the visitor for a resource registered with that server;
the service providing node verifies the visitor's rights according to the usage rights obtained by the query.
In embodiments of the invention, the authority issuing server receives rights registration requests in a unified way and issues rights to resource visitors, and the service providing node acting as the service provider only needs to verify the visitor's user rights when the visitor requests to use a resource. This achieves rights management while greatly reducing the burden of rights management on the service provider.
Description of drawings
Fig. 1 is a simplified topology diagram of a P2P network;
Fig. 2 is a structural diagram of one embodiment of the network system of the present invention;
Fig. 3 is a flow chart of an embodiment of the rights issuing method applied to the network system shown in Fig. 2;
Fig. 4 is a flow chart of an embodiment of the rights execution method applied to the network system shown in Fig. 2;
Fig. 5 is a structural diagram of another embodiment of the network system of the present invention;
Fig. 6 is a flow chart of an embodiment of the rights issuing method applied to the network system shown in Fig. 5;
Fig. 7 is a flow chart of an embodiment of the rights execution method applied to the network system shown in Fig. 5;
Fig. 8 is another simplified topology diagram of a P2P network.
Embodiment
The present invention is described in further detail below with reference to the drawings and embodiments.
Embodiments of the invention provide a network system; Fig. 2 is a structural diagram of one embodiment of the network system of the present invention. As shown in the figure, the network system of this embodiment comprises an authority issuing server 3, a service providing node 4 and a user ID registrar 5. The authority issuing server 3 receives resource registration request information from a resource owner and registers the resources owned by that owner according to it; it also receives a rights registration request sent by a resource visitor for a registered resource and issues the visitor usage rights for that resource according to the request. The authority issuing server 3 plays the role of rights issuer in network rights management: every resource owner that needs the rights to its resources managed registers its resources with the authority issuing server 3 in a unified way; after registration, the authority issuing server 3 manages the issuing of rights for those resources in a unified way; and every user that needs to apply for rights applies to the authority issuing server 3, where it can obtain the specified rights for using a resource. The service providing node 4, on receiving a resource use request from a resource visitor, queries by the visitor's user identity information the usage rights issued to the visitor for the resource by the authority issuing server 3, verifies the visitor's rights against the usage rights obtained by the query, and provides the resource service to the visitor after the visitor passes rights verification. The service providing node 4 is the storage entity of the resources owned by the resource owner, that is, the service provider, and plays the role of rights executor in network rights management. The user ID registrar 5 issues users (both resource owners and resource visitors) the user identity information that identifies them. User identity is the prerequisite and basis of rights management; if user identities are unclear, rights management has nothing to start from. The user ID registrar 5 can be a CA server or a Kerberos server, and can identify users by issuing them digital certificates or by issuing them account/password credentials.
The authority issuing server 3 further comprises a resource registration unit 31, a rights issuing unit 32 and an identity authentication unit 33. The resource registration unit 31 further comprises a first receiving unit 310 and a registration unit 311; the rights issuing unit 32 further comprises a second receiving unit 320, a rights determining unit 321, a storage unit 322 and a feedback unit 323. Specifically:
The first receiving unit 310 receives the resource registration request information sent by a resource owner. The resource registration request information includes the resource owner's user identity information, the identification information of the resources the owner holds, and information such as the owner's restrictions on the rights to those resources.
The registration unit 311 registers the resources owned by the resource owner according to the resource registration request information received by the first receiving unit 310. For example, if the resource registration request information sent by resource owner A includes user ID A, the resource identifier "music", and a restriction that the rights to the music are online listening and download, the registration unit 311 generates registration information stating that user A owns a music resource that may be listened to online and downloaded.
The second receiving unit 320 receives a rights registration request sent by a resource visitor for a resource registered by the registration unit 311. The rights registration request includes the resource visitor's user identity information and the visitor's specific rights requirement for the resource. The rights requirement may be a request to apply for rights, to change rights, or to revoke rights. For example, if user B's current rights to an mp3 file in the network are online listening with download forbidden, and user B now wishes to both listen to and download the mp3 file, B needs to send a rights change request upgrading the rights to the mp3 file from online listening to online listening and download.
The rights determining unit 321 determines the user's usage rights for the resource registered by the registration unit 311 according to the rights registration request received by the second receiving unit 320.
The storage unit 322 stores the resource visitor's usage rights, as determined by the rights determining unit 321, for the resource registered by the registration unit 311. The storage unit 322 can store them in a mapping table from user IDs to rights. The mapping table stores the visitor's usage rights for all resources the visitor may access, so that each resource visitor in the network has a unique set of allocated resource rights, and a visitor's resource rights can be found by its user identity information.
The feedback unit 323 feeds back to the resource visitor the usage rights, as determined by the rights determining unit 321, for the resource registered by the registration unit 311.
To prevent illegal operations by unauthorized users, the authority issuing server 3 of this embodiment also includes an identity authentication unit 33, which, when the first receiving unit 310 receives resource registration request information from a resource owner, or when the second receiving unit 320 receives a rights registration request from a resource visitor for a resource registered by the registration unit 311, interacts with the user ID registrar 5 to authenticate the resource owner or the resource visitor. The identity authentication unit 33 can verify their identity by judging whether the user identity information of the resource owner or visitor is a user ID issued by the user ID registrar 5. Only after receiving from the identity authentication unit 33 the information that the resource owner has passed authentication does the registration unit 311 register the owner's resources according to the request information received by the first receiving unit 310; and only after receiving from the identity authentication unit 33 the information that the resource visitor has passed authentication does the rights determining unit 321 determine the visitor's usage rights for the registered resource according to the request received by the second receiving unit 320.
Correspondingly, the service providing node 4 further comprises a receiving unit 41, a query unit 42, a rights verification unit 43 and a service unit 44. Specifically:
The receiving unit 41 receives the resource use request sent by a resource visitor.
The query unit 42, when the receiving unit 41 receives a resource use request, queries the resource visitor's usage rights for the resource stored in the storage unit 322, using the visitor's user identity information;
The rights verification unit 43 verifies the resource visitor's rights according to the usage rights of the resource obtained by the query unit 42. The usage rights of a resource reflect the user's rights to all resources it may access, so the rights verification unit 43 can judge from the obtained usage rights whether the resource use request made by the user is within those rights. If the rights verification unit 43 judges from the obtained usage rights that the visitor's resource use request is within its rights, it outputs to the service unit 44 the information that the visitor has passed rights verification.
The service unit 44 provides service to the resource visitor after the visitor passes the rights verification of the rights verification unit 43.
To prevent illegal operations by unauthorized users, the service providing node 4 of this embodiment also includes an identity authentication unit 45, which, when the receiving unit 41 receives a resource use request from a resource visitor, interacts with the user ID registrar 5 to authenticate the visitor. The identity authentication unit 45 can verify the visitor's identity by judging whether the visitor's user identity information is a user ID issued by the user ID registrar 5. Only after receiving from the identity authentication unit 45 the information that the visitor has passed authentication does the query unit 42 query the visitor's usage rights for the resource stored in the storage unit 322, using the visitor's user identity information.
Correspondingly, embodiments of the invention provide a rights issuing method; Fig. 3 is a flow chart of an embodiment of the rights issuing method applied to the network system shown in Fig. 2. As shown in the figure, the rights issuing method of this embodiment comprises:
Step S400: the authority issuing server receives a resource registration request sent by a resource owner. The request includes the owner's user identity information, the identification information of the resources the owner holds, and information such as the owner's restrictions on the rights to those resources.
Step S401: the authority issuing server interacts with the user ID registrar to authenticate the resource owner. User identity is the prerequisite and basis of rights management; if user identities are unclear, rights management has nothing to start from. Users can be identified by issuing them digital certificates or by issuing them account/password credentials. Authenticating user identity prevents illegal operations by unauthorized users.
Step S402: after the resource owner passes authentication, the authority issuing server registers the resources owned by the owner according to the resource registration request information. For example, if the resource registration request information sent by resource owner A includes user ID A, the resource identifier "music", and a restriction that the rights to the music are online listening and download, the registration unit 311 generates registration information stating that user A owns a music resource that may be listened to online and downloaded.
Step S403: the authority issuing server receives a rights registration request sent by a resource visitor for the registered resource. The rights registration request includes the visitor's user identity information and the visitor's specific rights requirement for the resource. The rights requirement may be a request to apply for rights, to change rights, or to revoke rights. For example, if user B's current rights to an mp3 file in the network are online listening with download forbidden, and user B now wishes to both listen to and download the mp3 file, B needs to send a rights change request upgrading the rights to the mp3 file from online listening to online listening and download.
Step S404: the authority issuing server interacts with the user ID registrar to authenticate the resource visitor.
Step S405: the authority issuing server determines the resource visitor's usage rights for the resource according to the rights registration request.
Step S406: the authority issuing server stores the determined usage rights of the resource visitor for the resource. They can be stored in a mapping table from user IDs to rights. The mapping table stores the visitor's usage rights for all resources the visitor may access, so that each resource visitor in the network has a unique set of allocated resource rights, and a visitor's resource rights can be found by its user identity information.
Step S407: the authority issuing server feeds back the determined usage rights for the resource to the resource visitor.
Correspondingly, embodiments of the invention provide a rights execution method; Fig. 4 is a flow chart of an embodiment of the rights execution method applied to the network system shown in Fig. 2. As shown in the figure, the rights execution method of this embodiment comprises:
Step S410: the service providing node receives a resource use request sent by a resource visitor.
Step S411: the service providing node interacts with the user ID registrar to authenticate the resource visitor.
Step S412: after the resource visitor passes authentication, the service providing node queries, by the visitor's identification information, the visitor's usage rights stored in the authority issuing server for the resource registered with that server.
Step S413: judge whether the identification information of the usage rights of the resource is the preset identification information; if so, execute step S414; otherwise, the usage rights of the resource are indicated to be erroneous.
Step S414: the service providing node verifies the resource visitor's rights according to the usage rights of the resource obtained by the query. The usage rights of a resource reflect the user's rights to all resources it may access, so the obtained usage rights can be used to judge whether the user's resource use request is within its rights.
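The issuing flow (S400-S407) and the execution flow (S410-S414) above, as an added example that is not code from the patent: a minimal Python model in which the authority issuing server authenticates against a registrar, registers resources with the owner's restriction, maintains the user-ID-to-rights mapping table, and the service providing node authenticates, looks up the rights, checks the preset identifier and verifies the request before serving. All class and function names, the RIGHTS_TAG value and the sample users are assumptions for illustration.

```python
# Added example, not code from the patent: a minimal model of the Fig. 2 units.
# AuthorityIssuingServer covers units 31/32/33 (registration, rights issuing,
# identity check, user-ID -> rights mapping table 322); ServiceProvidingNode
# covers units 41-45 (identity check, rights query, rights verification).
# RIGHTS_TAG stands in for the "preset identification information" of step S413.
from dataclasses import dataclass, field

RIGHTS_TAG = "RIGHTS-V1"  # assumed preset identifier attached to every rights record


class UserIdRegistrar:
    """User ID registrar 5: a user authenticates if its ID was issued here."""

    def __init__(self):
        self._issued = set()

    def issue(self, user_id):
        self._issued.add(user_id)
        return user_id

    def is_valid(self, user_id):
        return user_id in self._issued


@dataclass
class RightsRecord:
    tag: str                                    # checked by the node in step S413
    rights: dict = field(default_factory=dict)  # resource id -> set of operations


class AuthorityIssuingServer:
    def __init__(self, registrar):
        self.registrar = registrar
        self.resources = {}  # resource id -> (owner id, operations the owner allows)
        self.mapping = {}    # user id -> RightsRecord (storage unit 322)

    def register_resource(self, owner, resource, allowed_ops):
        """Steps S400-S402: authenticate the owner, then register its resource."""
        if not self.registrar.is_valid(owner):
            raise PermissionError("owner identity was not issued by the registrar")
        self.resources[resource] = (owner, frozenset(allowed_ops))
        return True

    def handle_rights_request(self, visitor, resource, action, ops=()):
        """Steps S403-S407; action is 'apply', 'change' or 'revoke'."""
        if not self.registrar.is_valid(visitor):
            raise PermissionError("visitor identity was not issued by the registrar")
        if resource not in self.resources:
            raise KeyError("resource is not registered")
        _, allowed_ops = self.resources[resource]
        record = self.mapping.setdefault(visitor, RightsRecord(RIGHTS_TAG))
        if action == "revoke":
            record.rights.pop(resource, None)
        elif action in ("apply", "change"):
            requested = set(ops)
            if not requested <= allowed_ops:  # never exceed the owner's restriction
                raise ValueError("requested rights exceed the owner's restriction")
            record.rights[resource] = requested
        else:
            raise ValueError("unknown rights request type")
        # Feedback unit 323: return the visitor's rights for this resource.
        return frozenset(record.rights.get(resource, set()))

    def query(self, visitor):
        """Lookup by user ID, as used by query unit 42."""
        return self.mapping.get(visitor)


class ServiceProvidingNode:
    def __init__(self, registrar, server):
        self.registrar = registrar
        self.server = server

    def handle_use_request(self, visitor, resource, op):
        """Steps S410-S414: authenticate, look up rights, check the tag, verify."""
        if not self.registrar.is_valid(visitor):
            return "denied: identity not recognised"
        record = self.server.query(visitor)
        if record is None or record.tag != RIGHTS_TAG:
            return "error: rights record missing or invalid"
        if op in record.rights.get(resource, ()):
            return "served %s on %s" % (op, resource)
        return "denied: request is not within the visitor's rights"
```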
Fig. 5 is a structural diagram of another embodiment of the network system of the present invention. This embodiment differs from the embodiment shown in Fig. 2 in that the authority issuing server 3, through a rights information allocation unit 34, distributes the resource visitors' usage rights for the resources registered by the registration unit 311, as determined by the rights determining unit 321, into a storage network comprising a plurality of storage nodes for storage, and the query unit 42 of the service providing node 4 queries the usage rights of the resource stored in that storage network. Because every storage node has a unique identifier, and the usage rights of each resource are likewise uniquely determined by each user ID, each user's resource rights can be mapped to a specific node in the storage network for storage, for example to the storage node whose node identifier is larger than, and closest to, the user ID corresponding to those usage rights. For confidentiality of the information, a special identifier can be added to the usage rights of a resource when they are allocated. When the usage rights of the resource are queried with the user ID as the index, applying the same mapping locates the storage position of the user's resource rights, from which the rights are then obtained. The benefit of distributing the usage rights across a plurality of nodes is that the load of querying rights can be balanced efficiently, preventing network bottlenecks.
Fig. 6 is a flow chart of an embodiment of the rights issuing method applied to the network system shown in Fig. 5. As shown in the figure, the rights issuing method of this embodiment comprises:
Step S500: the authority issuing server receives a resource registration request sent by a resource owner.
Step S501: the authority issuing server interacts with the user ID registrar to authenticate the resource owner.
Step S502: after the resource owner passes authentication, the authority issuing server registers the resources owned by the owner according to the resource registration request information.
Step S503: the authority issuing server receives a rights registration request sent by a resource visitor for the registered resource.
Step S504: the authority issuing server interacts with the user ID registrar to authenticate the resource visitor.
Step S505: the authority issuing server determines the resource visitor's usage rights for the resource according to the rights registration request.
Step S506: the authority issuing server distributes the determined usage rights of the resource visitor for the resource into a storage network comprising a plurality of storage nodes for storage;
Step S507: the authority issuing server feeds back the determined usage rights for the resource to the resource visitor.
Fig. 7 is a schematic flowchart of an embodiment of the authority execution method applied to the network system shown in Fig. 5. As shown in the figure, the authority execution method of this embodiment specifically comprises:
Step S510: the service providing node receives a resource use request sent by a resource accessor.
Step S511: the service providing node interacts with the user ID registration server to authenticate the resource accessor.
Step S512: after the resource accessor passes authentication, the service providing node queries, according to the identification information of the resource accessor, the usage rights stored in the storage network of the resource accessor to the resource registered at the authority issuing server.
Step S513: judge whether the identification information of the usage rights of the resource is the preset identification information; if so, execute step S514; otherwise, the usage rights of the resource are in error.
Step S514: the service providing node performs authority verification on the resource accessor according to the usage rights of the resource obtained by the query. The usage rights of the resource reflect the user's usage rights to all resources the user may access, so whether the resource use request submitted by the user is within the user's authority can be judged from the usage rights obtained.
The network system of the embodiment of the invention may be a client/server network system or a P2P network system; the following description takes a P2P network system as the example. Fig. 8 is another simplified topology diagram of a P2P network. As shown in the figure, the system 200 comprises node 201, node 202, node 203, node 221, node 222, a user ID registration server 210 and an authority issuing server 220. From the characteristics of a P2P network, node 201, node 202, node 203, node 221 and node 222 can each act as the resource storage carrier of a resource owner, playing the role of service provider, and can also act as the carrier through which a resource accessor uses resources, playing the role of service user. The user ID registration server 210 issues user identity information identifying the user's identity to users (including resource owners and resource accessors). The authority issuing server 3 receives resource registration request information from a resource owner, registers the resource owned by the resource owner according to that information, receives an authority registration request sent by a resource accessor for the registered resource, and issues usage rights for the resource to the resource accessor according to the authority registration request. Specifically, Fig. 8 is a simplified diagram of a P2P network based on a distributed hash table (DHT) algorithm: the nodes in the network form a unidirectional ring, and each node establishes a many-to-one connection with the user ID registration server 210 and the authority issuing server 220.
For convenience of description, suppose now that node 221 and node 222 only play the role of service provider, i.e. they are service providing nodes, and that the resources in node 221 and node 222 in this example are MP3 shared files, so that node 221 and node 222 can provide an MP3 file sharing service to resource accessors; and that node 201, node 202 and node 203 only play the role of service user, i.e. they are service using nodes, so that a resource accessor can go through node 201, node 202 or node 203 to node 121 and node 122 to download the MP3 shared files it needs. The user ID registration server 210 issues user identity information identifying the user's identity to each user (including resource owners and resource accessors) that connects to the system 200, so that each user has a definite identity. The authority issuing server 220 receives resource registration request information from an MP3 resource owner, registers the MP3 resource owned by that resource owner according to the information, receives the authority registration request sent by a resource accessor for the registered MP3 resource, and issues usage rights for the MP3 resource to the resource accessor according to the authority registration request. When a resource accessor, having joined the P2P network through node 201, node 202 or node 203 and having found through the P2P network's resource lookup algorithm that the required MP3 shared resource is stored in node 221 or node 222, sends an MP3 resource use request to service providing node 221 or 222, the service providing node 221 or 222 queries, according to the user identity information of the resource accessor, the usage rights of the MP3 resource issued to the resource accessor by the authority issuing server 220, performs authority verification on the resource accessor according to the usage rights obtained by the query, and provides the MP3 resource service to the resource accessor after the accessor passes authority verification. The resource lookup algorithm is consistent with the algorithm by which resources are mapped to service providing nodes in the network for storage: because all nodes in the network have unique identifiers and all resources in the network also have unique identifiers, the uniqueness of resource and node identifiers allows a resource to be mapped uniquely to a certain node in the network; for example, a resource can be stored on the node whose identifier is larger than the resource identifier and numerically closest to it, and a resource accessor can find the location of the resource it needs by the same method.
To make it convenient for the service providing node to query a user's usage rights to a resource, the usage rights of users to resources can be stored through a mapping table from user IDs to permissions. The mapping table stores each user's usage rights to all resources the user may access, so each user in the network has uniquely allocated resource usage rights. The authority issuing server 220 can store the mapping table on the server itself, or can map the mapping table into the P2P network for storage in the same way that resources are mapped to nodes in the P2P network. Distributing users' usage rights for storage in the P2P network balances the load of querying the usage rights of resources efficiently and prevents network bottlenecks.
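As an added example (not the patent's or the applicant's own code), the following Python model puts the mapping rule of Fig. 5 and the flows of Figs. 6 and 7 into working form: the issuing server stores each accessor's rights record on the memory node whose identifier is larger than and closest to the user ID, tags it with a preset marker, and the service providing node looks the record up with the same rule, rejects it when the marker is not the preset one, and only then checks the requested operation against the stored rights. The node identifiers, user IDs, secrets, resource name, operation names and marker value are all constructed for the example.

```python
from bisect import bisect_right

# Constructed stand-in for the patent's "preset identification information" (step S513).
PRESET_MARKER = "RIGHTS-RECORD-V1"


def successor_node(key, node_ids):
    """Node whose identifier is larger than and closest to the key (wraps around the ring)."""
    ids = sorted(node_ids)
    i = bisect_right(ids, key)
    return ids[i] if i < len(ids) else ids[0]


class StorageNetwork:
    """DHT-style ring of memory nodes; each node holds the keys mapped to it."""
    def __init__(self, node_ids):
        self.node_ids = sorted(node_ids)
        self.store = {nid: {} for nid in self.node_ids}

    def put(self, key, value):
        self.store[successor_node(key, self.node_ids)][key] = value

    def get(self, key):
        return self.store[successor_node(key, self.node_ids)].get(key)


class UserIdRegistrationServer:
    """Issues user identity information and authenticates users for the other servers."""
    def __init__(self):
        self._secrets = {}  # user_id -> secret; constructed stand-in for real credentials

    def issue(self, user_id, secret):
        self._secrets[user_id] = secret
        return user_id

    def authenticate(self, user_id, secret):
        return self._secrets.get(user_id) == secret


class AuthorityIssuingServer:
    """Registers resources (S500-S502) and issues usage rights (S503-S507)."""
    def __init__(self, ids, net):
        self.ids, self.net = ids, net
        self.resources = {}  # resource_id -> owner user_id

    def register_resource(self, owner_id, secret, resource_id):
        if not self.ids.authenticate(owner_id, secret):  # S501
            return False
        self.resources[resource_id] = owner_id  # S502
        return True

    def request_rights(self, user_id, secret, resource_id, action, ops=()):
        """action is 'apply', 'change' or 'revoke' (claim 12); returns the record
        fed back to the accessor, or None when the request is refused."""
        if not self.ids.authenticate(user_id, secret):  # S504
            return None
        if resource_id not in self.resources or action not in ("apply", "change", "revoke"):
            return None
        record = self.net.get(user_id) or {"marker": PRESET_MARKER, "rights": {}}
        if action == "revoke":
            record["rights"].pop(resource_id, None)
        else:
            record["rights"][resource_id] = frozenset(ops)  # S505
        self.net.put(user_id, record)  # S506: user ID -> memory node via the ring rule
        return record  # S507: feedback to the accessor


class ServiceProvidingNode:
    """Executes rights (S510-S514): authenticate, query, check the marker, verify."""
    def __init__(self, ids, net):
        self.ids, self.net = ids, net

    def handle(self, user_id, secret, resource_id, op):
        if not self.ids.authenticate(user_id, secret):  # S511
            return "auth-failed"
        record = self.net.get(user_id)  # S512: same mapping rule as the issuer used
        if record is None or record.get("marker") != PRESET_MARKER:
            return "rights-error"  # S513: marker is not the preset identifier
        if op in record["rights"].get(resource_id, ()):  # S514
            return "service"
        return "denied"


def demo():
    """Constructed scenario after Fig. 8: five ring nodes, one owner, one accessor."""
    ids, net = UserIdRegistrationServer(), StorageNetwork([201, 202, 203, 221, 222])
    ais, node = AuthorityIssuingServer(ids, net), ServiceProvidingNode(ids, net)
    owner, user = ids.issue(150, "owner-secret"), ids.issue(205, "user-secret")
    ais.register_resource(owner, "owner-secret", "mp3:song-42")
    ais.request_rights(user, "user-secret", "mp3:song-42", "apply", {"download"})
    results = [node.handle(user, "user-secret", "mp3:song-42", "download"),
               node.handle(user, "user-secret", "mp3:song-42", "delete"),
               node.handle(user, "wrong-secret", "mp3:song-42", "download")]
    ais.request_rights(user, "user-secret", "mp3:song-42", "revoke")
    results.append(node.handle(user, "user-secret", "mp3:song-42", "download"))
    return successor_node(user, net.node_ids), results
```

`demo()` returns the memory node on which user 205's record lands (221) together with the four outcomes: the granted download is served, an operation outside the issued rights and a request after revocation are denied, and a failed authentication never reaches the rights query.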
The embodiment of the invention provides a unified authority registration request and issues authority to resource accessors through the authority issuing server; a service providing node acting as service provider needs only to verify the user rights of the resource accessor when the resource accessor requests to use a resource in order to achieve rights management, which greatly reduces the burden of rights management on the service provider.
The above disclosure is only a preferred embodiment of the present invention and cannot be used to limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (16)

1. An authority issuing server, characterized in that it comprises:
a resource registration unit, configured to receive resource registration request information from a resource owner and to register the resource owned by the resource owner according to the resource registration request information;
an authority issuing unit, configured to receive an authority registration request sent by a resource accessor for the resource registered by the resource registration unit, and to issue usage rights for the resource to the resource accessor according to the authority registration request.
2. The authority issuing server according to claim 1, characterized in that the authority issuing unit further comprises:
a receiving unit, configured to receive the authority registration request sent by the resource accessor for the resource registered by the resource registration unit;
an authority determining unit, configured to determine, according to the authority registration request received by the receiving unit, the usage rights of the resource accessor to the resource registered by the resource registration unit;
a storage unit, configured to store the usage rights, determined by the authority determining unit, of the resource accessor to the resource registered by the resource registration unit;
a feedback unit, configured to feed the usage rights, determined by the authority determining unit, of the resource accessor to the resource registered by the resource registration unit back to the resource accessor.
3. The authority issuing server according to claim 1 or 2, characterized in that it further comprises:
an authority information allocation unit, configured to distribute the usage rights of the resource issued to the resource accessor by the authority issuing unit into a storage network comprising a plurality of memory nodes for storage.
4. A network system, characterized in that it comprises:
an authority issuing server, configured to receive resource registration request information from a resource owner, register the resource owned by the resource owner according to the resource registration request information, receive an authority registration request sent by a resource accessor for the registered resource, and issue usage rights for the resource to the resource accessor according to the authority registration request;
a service providing node, configured to, on receiving a resource use request from a resource accessor, query, according to the user identity information of the resource accessor, the usage rights of the resource issued to the resource accessor by the authority issuing server, perform authority verification on the resource accessor according to the usage rights of the resource obtained by the query, and provide the resource service to the resource accessor after the resource accessor passes authority verification.
5. The network system according to claim 4, characterized in that the authority issuing server further comprises:
a resource registration unit, configured to receive resource registration request information from a resource owner and to register the resource owned by the resource owner according to the resource registration request information;
an authority issuing unit, configured to receive an authority registration request sent by a resource accessor for the resource registered by the resource registration unit, and to issue usage rights for the resource to the resource accessor according to the authority registration request;
and the service providing node further comprises:
a receiving unit, configured to receive the resource use request sent by the resource accessor;
a query unit, configured to, when the receiving unit receives the resource use request, query, according to the user identity information of the resource accessor, the usage rights of the resource accessor to the resource stored in the authority issuing unit;
an authority verification unit, configured to perform authority verification on the resource accessor according to the usage rights of the resource obtained by the query unit;
a service unit, configured to provide the resource service to the resource accessor after the resource accessor passes the authority verification of the authority verification unit.
6. The network system according to claim 4, characterized in that the network system further comprises:
a storage network comprising a plurality of memory nodes, configured to store the usage rights of users to resources;
the authority issuing server further comprises:
a resource registration unit, configured to receive resource registration request information from a resource owner and to register the resource owned by the resource owner according to the resource registration request information;
an authority issuing unit, configured to receive an authority registration request sent by a resource accessor for the resource registered by the resource registration unit, and to issue usage rights for the resource to the resource accessor according to the authority registration request;
an authority information allocation unit, configured to distribute the usage rights of the resource issued to the resource accessor by the authority issuing unit into the storage network comprising a plurality of memory nodes for storage;
and the service providing node further comprises:
a receiving unit, configured to receive the resource use request sent by the resource accessor;
a query unit, configured to, when the receiving unit receives the resource use request, query, according to the user identity information of the resource accessor, the usage rights of the resource accessor to the resource stored in the storage network;
an authority verification unit, configured to perform authority verification on the resource accessor according to the usage rights of the resource obtained by the query unit;
a service unit, configured to provide the resource service to the resource accessor after the resource accessor passes the authority verification of the authority verification unit.
7. The network system according to any one of claims 4 to 6, characterized in that it further comprises:
a user ID registration server, configured to issue user identity information identifying the user's identity to the resource owner and/or the resource accessor.
8. An authority issuing method, characterized in that it comprises:
an authority issuing server receiving an authority registration request sent by a resource accessor for a resource registered at the authority issuing server;
the authority issuing server issuing usage rights for the resource to the resource accessor according to the authority registration request.
9. The method according to claim 8, characterized in that the step of the authority issuing server issuing usage rights for the resource to the resource accessor according to the authority registration request further comprises:
the authority issuing server determining the usage rights of the resource accessor to the resource according to the received authority registration request;
the authority issuing server storing the determined usage rights of the resource accessor to the resource;
the authority issuing server feeding the determined usage rights of the resource accessor to the resource back to the resource accessor.
10. The method according to claim 8, characterized in that the step of the authority issuing server issuing usage rights for the resource to the resource accessor according to the authority registration request further comprises:
the authority issuing server determining the usage rights of the resource accessor to the resource according to the received authority registration request;
the authority issuing server distributing the determined usage rights of the resource accessor to the resource into a storage network comprising a plurality of memory nodes for storage;
the authority issuing server feeding the determined usage rights of the resource accessor to the resource back to the resource accessor.
11. The method according to claim 8, characterized in that, before the resource accessor sends the authority registration request to the authority issuing server for the resource registered at the authority issuing server, the method further comprises:
the authority issuing server receiving resource registration request information sent by a resource owner;
the authority issuing server registering the resource owned by the resource owner according to the resource registration request information.
12. The method according to any one of claims 8 to 11, characterized in that the authority registration request comprises a request to apply for authority, a request to change authority, or a request to revoke authority.
13. An authority execution method, characterized in that it comprises:
a service providing node receiving a resource use request sent by a resource accessor;
the service providing node querying, according to the user identity information of the resource accessor, the usage rights issued by an authority issuing server to the resource accessor for a resource registered at the authority issuing server;
the service providing node performing authority verification on the resource accessor according to the usage rights of the resource obtained by the query.
14. The method according to claim 13, characterized in that, after the step of the service providing node querying, according to the user identity information of the resource accessor, the usage rights issued by the authority issuing server to the resource accessor for the resource registered at the authority issuing server, the method further comprises:
judging whether the identification information of the usage rights of the resource is the preset identification information, and if so, the service providing node performing authority verification on the resource accessor according to the usage rights of the resource obtained by the query.
15. The method according to claim 13 or 14, characterized in that the step of the service providing node querying, according to the user identity information of the resource accessor, the usage rights issued by the authority issuing server to the resource accessor for the resource registered at the authority issuing server specifically comprises:
the service providing node querying, according to the user identity information of the resource accessor, the usage rights of the resource accessor to the resource registered at the authority issuing server, which are stored in the authority issuing server.
16. The method according to claim 13 or 14, characterized in that the step of the service providing node querying, according to the user identity information of the resource accessor, the usage rights issued by the authority issuing server to the resource accessor for the resource registered at the authority issuing server specifically comprises:
the service providing node querying, according to the user identity information of the resource accessor, the usage rights of the resource accessor to the resource registered at the authority issuing server, which are stored in the storage network.
CN2007100291755A 2007-07-16 2007-07-16 Network system, authority issuing server, authority issuing and executing method Active CN101350710B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100291755A CN101350710B (en) 2007-07-16 2007-07-16 Network system, authority issuing server, authority issuing and executing method

Publications (2)

Publication Number Publication Date
CN101350710A CN101350710A (en) 2009-01-21
CN101350710B true CN101350710B (en) 2011-11-16

Family

ID=40269314

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007100291755A Active CN101350710B (en) 2007-07-16 2007-07-16 Network system, authority issuing server, authority issuing and executing method

Country Status (1)

Country Link
CN (1) CN101350710B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447677B (en) * 2010-09-30 2015-05-20 北大方正集团有限公司 Resource access control method, system and equipment
CN102457509B (en) * 2010-11-02 2015-09-16 中兴通讯股份有限公司 Cloud computing resources safety access method, Apparatus and system
CN102035849B (en) * 2010-12-23 2013-12-18 华为技术有限公司 Method, equipment and system for realizing resource management in cloud computing
CN102685086A (en) * 2011-04-14 2012-09-19 天脉聚源(北京)传媒科技有限公司 File access method and system
CN102354383A (en) * 2011-06-30 2012-02-15 珠海艾派克微电子有限公司 Right assignment method and right assignment system
CN102546636B (en) * 2012-01-10 2015-04-15 北京邮电大学 Protected resource monitoring method and device
CN102724200B (en) * 2012-06-21 2015-02-11 浙江宇视科技有限公司 Monitoring front-end resource sharing method and monitoring front-end resource sharing device
CN102868533B (en) * 2012-09-13 2016-05-25 中科华核电技术研究院有限公司 resource access authorization verification method and system
US20140258577A1 (en) * 2013-03-11 2014-09-11 Futurewei Technologies, Inc. Wire Level Virtualization Over PCI-Express
CN110460978B (en) * 2014-11-04 2021-12-14 华为技术有限公司 Resource access method and device
CN106685901B (en) * 2015-11-10 2020-06-02 华为技术有限公司 Method for processing cross-domain data, first server and second server
CN105657474B (en) * 2016-02-19 2019-04-26 微鲸科技有限公司 The anti-stealing link method and system of identity-based signature system are used in Video Applications
JP6771544B2 (en) 2016-04-12 2020-10-21 株式会社ヴァレオジャパン Blower
EP3454238B1 (en) * 2016-12-23 2022-02-09 CloudMinds (Shanghai) Robotics Co., Ltd. Registration and authorization method, device and system
CN110401680A (en) * 2019-08-28 2019-11-01 山东劳动职业技术学院(山东劳动技师学院) A kind of access management-control method and system based on distributed service framework
CN111241519B (en) * 2020-01-19 2022-07-26 北京工业大学 Certificate-based access control system and method
CN111343177B (en) * 2020-02-25 2022-11-29 百度在线网络技术(北京)有限公司 Method, device, equipment and medium for supervising lightweight node

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1299203A (en) * 2001-01-12 2001-06-13 北京北大天正科技发展有限公司 Shared data transmission method in computer network
CN1466323A (en) * 2002-09-12 2004-01-07 联想(北京)有限公司 Method for searching serivice in realizing dynamic network connection and sharing recource in home network
US20050193221A1 (en) * 2004-02-13 2005-09-01 Miki Yoneyama Information processing apparatus, information processing method, computer-readable medium having information processing program embodied therein, and resource management apparatus

Also Published As

Publication number Publication date
CN101350710A (en) 2009-01-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211220

Address after: 450046 Floor 9, building 1, Zhengshang Boya Plaza, Longzihu wisdom Island, Zhengdong New Area, Zhengzhou City, Henan Province

Patentee after: Super fusion Digital Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right