CN101521885B - Authority control method, system and equipment - Google Patents


Info

Publication number: CN101521885B
Authority: CN (China)
Prior art keywords: network, roaming terminal, safe condition, terminal, request
Legal status: Expired - Fee Related (Google lists the status as an assumption, not a legal conclusion)
Application number: CN2008100078693A
Other languages: Chinese (zh)
Other versions: CN101521885A
Inventors: 任兰芳, 庄小君, 尹瀚
Original and current assignee: Huawei Technologies Co Ltd
Related application: PCT/CN2009/070395 (published as WO2009105976A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The embodiments of the invention disclose an authority control method comprising the following steps: a first network receives an access request sent by a roaming terminal, the request carrying the identity information of the roaming terminal; the first network obtains a security state evaluation result for the roaming terminal according to the identity information; and the first network performs role mapping of the roaming terminal according to the security state evaluation result. The embodiments also disclose an authority control system and equipment. Because role mapping is performed on the basis of the terminal's security state evaluation result, authority control is realized; the role of the roaming terminal can be mapped to a role in the visited network, so that secure interoperation between networks becomes possible; and when resources are shared among several networks, the invention can ensure that they are not accessed illegitimately.

Description

Authority control method, system and equipment
Technical field
The present invention relates to the field of communication technology, and in particular to an authority control method, system and equipment.
Background art
With the rapid development and widespread use of the Internet, virus technology also develops rapidly. When a virus breaks out on a large scale, most of the data flowing through the network is junk data, detection traffic and attack traffic produced by the virus; this wastes resources, seriously affects the efficiency and security of the operator's network, and also harms user terminals and services and threatens their security.
Applications and services have become greatly enriched, third-party ASPs (Application Service Providers) are increasing, and services tend toward value-added offerings and fine-grained management. While users obtain more diverse services, the security risks to themselves and to the network also increase greatly. For example, if a user's identity is stolen, the internal resources of an enterprise may be exposed to unauthorized users, so that the application system suffers destruction or abuse by unauthorized users and the quality of the application service declines or the service becomes unavailable altogether.
Although security threats from inside the carrier network are easy to control, small terminals such as user terminals are widely distributed and have limited resources, so their protective capability is low; there is no guarantee that every terminal has antivirus software or a firewall installed, and viruses intrude easily. Even when security application clients are installed on all of these terminals, without unified control the user terminals may not perform security updates in time, leaving hidden dangers such as system vulnerabilities or an outdated virus database. Moreover, with the development of network convergence there will be a great deal of cross-domain resource sharing and information exchange: network resources can be accessed not only by terminals of the local domain but also by roaming terminals from other domains, and the security risk brought by insecure user terminals (whether local-domain terminals or roaming terminals) rises significantly. Access control over user terminals is therefore an important means of guaranteeing network security.
Authority control based on user roles can be used to control user rights: according to the user's identity information, users are divided into different groups or roles, each group or role may access different resources, and the user is then authorized according to the group it belongs to. This is also called static authorization. However, a visited network generally performs authority control of a roaming terminal according to the identity authentication result and associated attributes rather than according to the terminal's security state information, which allows an insecure terminal to access the network and to access network resources illegitimately.
To overcome the defect of static authorization, authorization based on the security properties of the terminal can also be used to control user rights, that is, the user is authorized according to the security state of the device it uses; this is also called dynamic authorization. The detailed process is as follows: when a terminal wants to log in to the authority control system, the system first checks the terminal's security according to predefined login check conditions; if the check passes, the terminal is allowed to log in, otherwise its login is refused. After the terminal has logged in to the authority control system, whenever it wants to access a particular resource the system must also check whether the terminal currently satisfies the predefined conditions for accessing that resource.
In the course of realizing the present invention, the inventors found the following shortcomings in the prior art:
In the dynamic authorization of the prior art, a terminal can log in to the authority control system only when all login check conditions are satisfied, which lowers the rate at which terminals succeed in logging in. For example, if after logging in the terminal only wants to access resources of a lower security level, it would be sufficient to satisfy part of the login check conditions, but the prior art does not take the individual security requirements of the terminal's access into account.
Summary of the invention
The embodiments of the invention provide an authority control method, system and equipment that realize authority control of a terminal during cross-domain access, thereby guaranteeing network security while network resources are shared.
The embodiments of the invention provide an authority control method comprising the following steps:
a first network receives an access request sent by a roaming terminal, the request carrying the identity information of the roaming terminal;
the first network obtains a security state evaluation result for the roaming terminal according to the identity information;
the first network performs role mapping of the roaming terminal according to the security state evaluation result, mapping the roaming terminal to the role of a corresponding terminal in the first network, and allows the roaming terminal to access the network resources corresponding to that role in the first network;
where obtaining the security state evaluation result for the roaming terminal according to the identity information specifically comprises:
the first network requests from a second network the security state policy configuration information corresponding to all services of the roaming terminal;
the first network receives the security state policy configuration information corresponding to all services of the roaming terminal returned by the second network, performs security state evaluation of the roaming terminal according to that information, and obtains the evaluation result.
The embodiments of the invention provide an authority control system comprising:
a roaming terminal, for sending an access request to a first network, the request carrying the identity information of the roaming terminal;
a first network, for receiving the access request sent by the roaming terminal; requesting, according to the identity information, the security state policy configuration information corresponding to the roaming terminal from a second network that stores the security state policy configuration corresponding to the services of the roaming terminal; collecting the security state information of the roaming terminal and evaluating its security state according to that policy configuration information; performing role mapping of the roaming terminal according to the evaluation result, mapping the roaming terminal to the role of a corresponding terminal in the first network; and allowing the roaming terminal to access the network resources corresponding to that role in the first network;
a second network, for receiving the request for the security state policy configuration sent by the first network and returning the security state policy configuration to the first network.
The embodiments of the invention provide a visited network comprising:
an access request receiving unit, for receiving the access request sent by the roaming terminal, the request carrying the identity information of the roaming terminal;
a security state policy configuration information acquiring unit, for requesting from the home network, according to the identity information, the security state policy configuration information corresponding to the roaming terminal, and receiving the security state policy configuration information returned by the home network;
an evaluation unit, for performing security state evaluation of the roaming terminal according to the security state policy configuration information;
a mapping unit, for performing role mapping of the roaming terminal according to the evaluation result, mapping the roaming terminal to the role of a corresponding terminal in the visited network, and allowing the roaming terminal to access the network resources corresponding to that role in the visited network.
The embodiments of the invention provide a home network comprising:
a request receiving unit, for receiving the request for the security state policy configuration sent by the visited network;
a security state policy configuration sending unit, for returning the security state policy configuration to the visited network.
The embodiments of the invention provide another authority control system comprising:
a roaming terminal, for sending an access request to a first network, the request carrying the identity information of the roaming terminal;
a first network, for receiving the access request sent by the roaming terminal; sending, according to the identity information, a security state evaluation request to a second network that stores the security state policy configuration corresponding to the services of the roaming terminal; receiving the second network's security state evaluation result for the roaming terminal; performing role mapping of the roaming terminal according to the evaluation result, mapping the roaming terminal to the role of a corresponding terminal in the first network; and allowing the roaming terminal to access the network resources corresponding to that role in the first network;
a second network, for receiving the security state evaluation request sent by the first network, performing security state evaluation of the roaming terminal, and returning the evaluation result to the first network.
The embodiments of the invention provide another visited network comprising:
an access request receiving unit, for receiving the access request sent by the roaming terminal, the request carrying the identity information of the roaming terminal;
a security state evaluation result acquiring unit, for sending a security state evaluation request to the home network according to the identity information, and receiving the home network's security state evaluation result for the roaming terminal;
a mapping unit, for performing role mapping of the roaming terminal according to the evaluation result, mapping the roaming terminal to the role of a corresponding terminal in the visited network, and allowing the roaming terminal to access the network resources corresponding to that role in the visited network.
The embodiments of the invention provide another home network comprising:
a receiving unit, for receiving the security state evaluation request sent by the visited network;
an evaluation unit, for performing security state evaluation of the roaming terminal;
a feedback unit, for returning the evaluation result to the visited network.
In the embodiments of the invention, terminals of different security levels can be given the right to access network resources of different security classes according to the different security requirements of those resources, so that a terminal roaming between different networks can access the network resources that correspond to its security level.
Brief description of the drawings
Fig. 1 is a flow chart of the authority control method in embodiment one of the invention;
Fig. 2 is a flow chart of the authority control method in embodiment two of the invention;
Fig. 3 is a flow chart of the authority control method in embodiment three of the invention;
Fig. 4 is a structural diagram of an authority control system in the embodiments of the invention;
Fig. 5 is a structural diagram of a visited network in the embodiments of the invention;
Fig. 6 is a structural diagram of a home network in the embodiments of the invention;
Fig. 7 is a structural diagram of another authority control system in the embodiments of the invention;
Fig. 8 is a structural diagram of another visited network in the embodiments of the invention;
Fig. 9 is a structural diagram of another home network in the embodiments of the invention.
Detailed description of the embodiments
The embodiments of the invention provide an authority control method comprising the following steps:
1. A first network receives an access request sent by a roaming terminal, the request carrying the identity information of the roaming terminal, and the first network obtains a security state evaluation result for the roaming terminal according to that identity information. The evaluation result can be obtained in two ways. In the first, the first network evaluates locally: it requests from the second network the security state policy configuration information corresponding to all services of the roaming terminal, receives that information from the second network, performs security state evaluation of the roaming terminal according to it, and obtains the evaluation result. In the second, the second network performs the evaluation and sends the result to the first network: the first network sends a security state evaluation request to the second network and receives the second network's evaluation result for the security state of the roaming terminal.
In addition, the access request that the first network receives from the roaming terminal may also carry the service requested by the roaming terminal, so that the first network can request from the second network (which stores the security state policy configuration corresponding to the services of the roaming terminal) only the security state policy configuration corresponding to that service, and evaluate the security state for that service.
2. The first network performs role mapping of the roaming terminal according to the security state evaluation result.
Here the role mapping comprises the correspondence between the security state evaluation result of the roaming terminal, the corresponding role, and the accessible network resources. The first network is a visited network or a service server, and the second network is a home network or a service server.
In embodiment one, when a roaming terminal requests access to a visited network, the visited network requests from the home network the security state policy configuration information corresponding to all services of the roaming terminal and then performs security state evaluation of the terminal; according to the evaluation result it performs role mapping of the roaming terminal that requested access, thereby allowing the roaming terminal to access all network resources corresponding to that role in the visited network. As shown in Fig. 1, the authority control method comprises the following steps:
Step 101: when the terminal roams to a visited network, it initiates an access request to the visited network where it is currently located; the access request carries the identity information of the roaming terminal. The visited network in this embodiment may also be replaced by the service server of a third-party service provider (for example a telecom provider).
Step 102: after the visited network receives the access request sent by the roaming terminal, it initiates a request to the home network of the roaming terminal asking the home network to authenticate the roaming terminal; when authentication is complete, the home network sends the authentication result to the visited network.
Step 103: the visited network requests from the home network the security state policy configuration corresponding to the roaming terminal. To guarantee the security of the visited network, the roaming terminal requesting access must be authenticated; the identity authentication result is the prerequisite for evaluation, and if authentication fails no evaluation is needed.
Step 104: the home network sends all security state policy configuration information of the terminal to the visited network where the terminal is currently located in a security state policy configuration response message. The security state policy configuration information is the basis on which the roaming terminal is evaluated.
Step 105: the visited network sends a terminal security state information supply request to the roaming terminal.
Step 106: the roaming terminal sends a terminal security state information supply response to the visited network, indicating the specific attributes of the roaming terminal to be evaluated, for example version numbers.
Step 107: the visited network receives the security state policy configuration information sent by the home network and, taking that policy configuration as the basis, evaluates the security state of the specific attributes of the roaming terminal. In this embodiment the security state must be evaluated against the security state policy configuration information corresponding to all services of the roaming terminal, and only when every evaluation result meets the requirements is the roaming terminal allowed to access.
Step 108: according to the result of evaluating the security state information of the roaming terminal, the visited network performs role mapping of the roaming terminal, mapping it to the role of a corresponding terminal in the visited network's own domain, so that the roaming terminal can directly enjoy all network resources corresponding to that role in the visited network's domain. The role mapping according to the terminal's security state is shown in Table 1:
Table 1:
Security state information of the terminal | Corresponding role | Accessible network resources
Operating system patches up to date, antivirus software at the latest version, firewall version up to date | A | All network resources of security level A and below
Operating system patches up to date, antivirus software at the latest version, firewall version lower | B | All network resources of security level B and below, but not resources of level A
Operating system patches up to date, antivirus software at the lowest version, firewall version lower | C | All network resources of security level C and below, but not resources of level A or B
Operating system patches low, antivirus software at the lowest version, firewall version lower | D | Only resources of security level D
Step 109: the visited network sends an access response to the roaming terminal, realizing authority control while performing access control of the roaming terminal and preventing the roaming terminal from accessing network resources without authorization.
In embodiment two, the visited network requests only the security state policy configuration corresponding to the service the roaming terminal requests. When the roaming terminal sends an access request to the visited network, the request carries the service requested by the roaming terminal; the visited network need only request from the home network of the roaming terminal the security state policy configuration corresponding to that service; it then evaluates the security state of the roaming terminal according to that policy and, according to the result of the security state evaluation, performs role mapping of the roaming terminal that requested access, allowing the roaming terminal to access all network resources corresponding to that role in the visited network, thereby realizing access control and authority control of the roaming terminal. As shown in Fig. 2, the authority control method comprises the following steps:
Step 201: when the terminal roams to a visited network, it initiates an access request to the visited network where it is currently located; the access request carries the identity information of the roaming terminal and the identifier of the service the roaming terminal requests.
Step 202: after the visited network receives the access request sent by the roaming terminal, it initiates a request to the home network of the roaming terminal asking the home network to authenticate the roaming terminal; when authentication is complete, the home network sends the authentication result to the visited network.
Step 203: to guarantee the security of the visited network, not only is the terminal requesting access authenticated, but the visited network also requests from the home network of the roaming terminal the security state policy configuration corresponding to that service.
Step 204: the home network sends the security state policy configuration information corresponding to the service identifier carried in the access request of the roaming terminal to the visited network where the terminal is currently located in a security state policy configuration response message.
Step 205: the visited network sends a terminal security state information supply request to the roaming terminal.
Step 206: the roaming terminal sends a terminal security state information supply response to the visited network, indicating the specific attributes of the roaming terminal to be evaluated, for example version numbers.
Step 207: the visited network receives the security state policy configuration information sent by the home network and, taking that policy configuration as the basis, evaluates the security state of the roaming terminal on the specific attributes to be evaluated.
Step 208: according to the result of the security state evaluation of the roaming terminal, the visited network performs role mapping of the roaming terminal, mapping it to the role of a corresponding terminal in the visited network's own domain, so that the roaming terminal can directly enjoy all network resources corresponding to that role in the visited network's domain. The role mapping according to the terminal's security state is as shown in Table 1. In this embodiment the security state is evaluated according to the security state policy configuration information corresponding to only some of the services of the roaming terminal; as long as the evaluation results corresponding to those services are satisfied, the roaming terminal may access, which has the advantage of flexible access configuration.
Step 209: the visited network sends an access response to the roaming terminal, realizing authority control while performing access control of the roaming terminal and preventing the roaming terminal from accessing network resources without authorization.
In embodiment three, when the visited network does not itself have the function of directly evaluating a terminal's security state, the home network must evaluate the security state information of the roaming terminal; the home network sends the evaluation result to the current visited network, and the visited network performs role mapping of the roaming terminal according to that result, thereby realizing authority control of the roaming terminal. As shown in Fig. 3, the authority control method comprises the following steps:
Step 301: when the terminal roams to a visited network, it initiates an access request to the visited network where it is currently located; the access request carries the identity information of the roaming terminal.
Step 302: after the visited network receives the access request sent by the roaming terminal, it initiates a request to the home network of the roaming terminal asking the home network to authenticate the roaming terminal; when authentication is complete, the home network sends the authentication result to the visited network.
Step 303: the visited network requests the home network to perform security state evaluation of the roaming terminal.
Step 304: the home network evaluates the security state information of the roaming terminal and sends the evaluation result to the current visited network. The evaluation result may include the collected security state information of the terminal.
Step 305: according to the received evaluation result, the visited network performs role mapping of the roaming terminal, mapping it to the role of a corresponding terminal in the visited network's own domain, so that the roaming terminal can directly enjoy all network resources corresponding to that role in the visited network's domain. The role mapping according to the terminal's security state is as shown in Table 1.
Step 306: the visited network sends an access response to the roaming terminal, realizing authority control while performing access control of the roaming terminal and preventing the roaming terminal from accessing network resources without authorization.
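The exchanges of embodiments one to three (Figs. 1 to 3) together with the role table of Table 1, worked as an added Python example that is not part of the patent or of any Huawei implementation. The identities, service names, resource names and attribute encodings are constructed; the treatment of attribute combinations Table 1 does not list (first matching rule, strictest first) is an assumption that generalizes the table.

```python
"""Role mapping of a roaming terminal by a visited network (embodiments one to three, Table 1)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Roles of Table 1 ordered from least to most trusted; a role may reach
# resources whose security level is at or below its own.
LEVELS = ["D", "C", "B", "A"]

# Rules reconstructed from Table 1, strictest first: a terminal gets the first
# role whose requirements it meets, and an attribute absent from a rule is not
# required. Assumption: the four rows are read as such a ladder, so combinations
# the table does not list fall to the first rule they satisfy. The values
# "latest", "low", "lowest" and "lower" are constructed encodings of its wording.
ROLE_RULES = [
    ("A", {"os_patch": "latest", "antivirus": "latest", "firewall": "latest"}),
    ("B", {"os_patch": "latest", "antivirus": "latest"}),
    ("C", {"os_patch": "latest"}),
    ("D", {}),
]

def map_role(attributes: Dict[str, str]) -> str:
    """Role mapping of steps 108/208/305: reported attributes -> role."""
    for role, required in ROLE_RULES:
        if all(attributes.get(k) == v for k, v in required.items()):
            return role
    return "D"

def level_ok(role: str, minimum: str) -> bool:
    """True when `role` is at least as trusted as `minimum`."""
    return LEVELS.index(role) >= LEVELS.index(minimum)

@dataclass
class HomeNetwork:
    """Second network: authenticates the terminal and stores, per subscribed
    service, the minimum role that service's security-state policy demands."""
    subscribers: Dict[str, Dict[str, str]]  # identity -> {service: minimum role}

    def authenticate(self, identity: str) -> bool:  # step 102
        return identity in self.subscribers

    def policy(self, identity: str, service: Optional[str]) -> Dict[str, str]:
        """Steps 103/104 (all services) or 203/204 (only the requested one)."""
        policies = self.subscribers[identity]
        return dict(policies) if service is None else {service: policies[service]}

    def evaluate(self, identity: str, attributes: Dict[str, str]) -> dict:
        """Embodiment three, step 304: evaluate against every service policy and
        return the verdict together with the collected attributes."""
        role = map_role(attributes)
        passed = all(level_ok(role, m) for m in self.subscribers[identity].values())
        return {"passed": passed, "attributes": dict(attributes)}

@dataclass
class VisitedNetwork:
    """First network: maps the roaming terminal to a local role and decides
    which of its resources the terminal may reach."""
    home: HomeNetwork
    resources: Dict[str, str]          # resource name -> security level
    delegate_evaluation: bool = False  # True selects embodiment three

    def access_request(self, identity: str, attributes: Dict[str, str],
                       service: Optional[str] = None) -> Tuple[bool, Optional[str], List[str]]:
        """Returns (granted, role, accessible resources), the content of the access
        response of steps 109/209/306. `attributes` stands in for the terminal's
        security-state response of steps 105/106."""
        if not self.home.authenticate(identity):  # step 102: no evaluation without it
            return False, None, []
        if self.delegate_evaluation:  # embodiment three
            result = self.home.evaluate(identity, attributes)  # steps 303/304
            if not result["passed"]:
                return False, None, []
            role = map_role(result["attributes"])  # step 305
        else:  # embodiments one and two
            policy = self.home.policy(identity, service)  # steps 103/104 or 203/204
            role = map_role(attributes)  # steps 107/207
            # One: every service policy must pass; two: only the requested service's.
            if not all(level_ok(role, m) for m in policy.values()):
                return False, None, []
        allowed = sorted(r for r, lvl in self.resources.items() if level_ok(role, lvl))
        return True, role, allowed

# Constructed sample data: one subscriber with two services, four local resources.
HOME = HomeNetwork({"user-a@home.example": {"mail": "D", "payment": "B"}})
RESOURCES = {"public-portal": "D", "intranet-wiki": "C", "billing": "B", "hr-records": "A"}

def demo() -> dict:
    """Runs the three embodiments on a patched and on a stale terminal."""
    visited = VisitedNetwork(HOME, RESOURCES)
    delegated = VisitedNetwork(HOME, RESOURCES, delegate_evaluation=True)
    patched = {"os_patch": "latest", "antivirus": "latest", "firewall": "lower"}
    stale = {"os_patch": "low", "antivirus": "lowest", "firewall": "lower"}
    return {
        "one_patched": visited.access_request("user-a@home.example", patched),
        "one_stale": visited.access_request("user-a@home.example", stale),
        "two_mail_stale": visited.access_request("user-a@home.example", stale, "mail"),
        "three_patched": delegated.access_request("user-a@home.example", patched),
        "unknown": visited.access_request("nobody@else.example", patched),
    }
```

The stale terminal is refused under embodiment one because its "payment" service demands role B, yet is admitted as role D under embodiment two when it asks only for "mail", which is the flexibility step 208 describes.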
The embodiment of the invention provides a kind of authority control system, and is as shown in Figure 4, comprising: roaming terminal 100, be used for sending the request of access to first network, and comprise the identity information of said roaming terminal in the described request; First network 200; Be used to receive the access request that said roaming terminal sends; According to the second network requests said roaming terminal corresponding safe condition policy configurations information of said identity information to the said professional corresponding safe condition policy configurations of preserving said roaming terminal; And said roaming terminal is carried out the collection of safety state information and the assessment of safe condition according to said safe condition policy configurations information; Result according to assessment carries out role-map with said roaming terminal, allows said roaming terminal to visit the corresponding Internet resources of said role in said first network; Second network 300 is used to receive the request of obtaining the safe condition policy configurations that said first network sends, and said safe condition policy configurations is returned to said first network.
First network 200 specifically comprises, inserts request receiving element 210, is used to receive the access request that said roaming terminal sends, and comprises the identity information of said roaming terminal in the described request; Safe condition policy configurations information acquisition unit 220; Be used for according to the second network requests said roaming terminal corresponding safe condition policy configurations information of said identity information, and receive the safe condition policy configurations information that said second network returns to the said professional corresponding safe condition policy configurations of preserving said roaming terminal; Assessment unit 230 is used for according to said safe condition policy configurations said roaming terminal being carried out the assessment of safe condition; Map unit 240 is used for according to the result of assessment said roaming terminal being carried out role-map, allows said roaming terminal to visit the corresponding Internet resources of said role in said first network.
Second network 300 specifically comprises: request receiving element 310 is used to receive the request of obtaining the safe condition policy configurations that said first network sends; Safe condition policy configurations transmitting element 320 is used for said safe condition policy configurations is returned to said first network.
The business that also comprises said roaming terminal request in the said access request,
Safe condition policy configurations information acquisition unit 220 also is used for, a said professional corresponding safe condition policy configurations to the said roaming terminal of said second network requests.
An embodiment of the invention provides a visited network device for authority control, shown in Figure 5, comprising: an access request receiving unit 10, configured to receive the access request sent by the roaming terminal, the request including the identity information of the roaming terminal; a security-state policy configuration information acquiring unit 20, configured to request, according to the identity information, the security-state policy configuration information corresponding to the roaming terminal from the home network, and to receive the security-state policy configuration information returned by the home network; an evaluation unit 30, configured to evaluate the security state of the roaming terminal according to the security-state policy configuration information; and a mapping unit 40, configured to perform role mapping on the roaming terminal according to the evaluation result and to allow the roaming terminal to access the network resources corresponding to that role in the visited network.
An embodiment of the invention provides a home network device for authority control, shown in Figure 6, comprising: a request receiving unit 50, configured to receive the request for the security-state policy configuration sent by the visited network; and a security-state policy configuration sending unit 60, configured to return the security-state policy configuration to the visited network.
An embodiment of the invention provides an authority control system, shown in Figure 7, comprising: a roaming terminal 400, configured to send an access request to a first network, the request including the identity information of the roaming terminal; a first network 500, configured to receive the access request sent by the roaming terminal, to send, according to the identity information, a security-state evaluation request to a second network that stores the security-state policy configuration corresponding to the service of the roaming terminal, to receive from the second network the result of its evaluation of the security state of the roaming terminal, to perform role mapping on the roaming terminal according to the evaluation result, and to allow the roaming terminal to access the network resources corresponding to that role in the first network; and a second network 600, configured to receive the security-state evaluation request sent by the first network, to evaluate the security-state information of the roaming terminal, and to return the evaluation result to the first network.
The first network 500 specifically comprises: an access request receiving unit 510, configured to receive the access request sent by the roaming terminal, the request including the identity information of the roaming terminal; a security-state policy configuration information acquiring unit 520, configured to send, according to the identity information, a security-state evaluation request to the second network that stores the security-state policy configuration corresponding to the service of the roaming terminal, and to receive from the second network the result of its evaluation of the security state of the roaming terminal; and a mapping unit 530, configured to perform role mapping on the roaming terminal according to the evaluation result and to allow the roaming terminal to access the network resources corresponding to that role in the first network.
The second network 600 specifically comprises: a receiving unit 610, configured to receive the security-state evaluation request sent by the first network; an evaluation unit 620, configured to evaluate the security state of the roaming terminal; and a feedback unit 630, configured to return the evaluation result to the first network.
An embodiment of the invention provides a visited network device for authority control, shown in Figure 8, comprising: an access request receiving unit 51, configured to receive the access request sent by the roaming terminal; a state evaluation result acquiring unit 52, configured to send a security-state evaluation request to the home network and to receive from the home network the state evaluation result for the roaming terminal; and a mapping unit 53, configured to perform role mapping on the roaming terminal according to the evaluation result and to allow the roaming terminal to access the network resources corresponding to that role in the visited network.
An embodiment of the invention provides a home network device for authority control, shown in Figure 9, comprising: a receiving unit 61, configured to receive the security-state evaluation request sent by the visited network; an evaluation unit 62, configured to evaluate the security state of the roaming terminal; and a feedback unit 63, configured to return the evaluation result to the visited network.
In the embodiments of the invention, role mapping is performed on the basis of the terminal's security-state information, and authority control is thereby achieved: the role of the roaming terminal can be mapped to a role in the visited network, so that networks can interoperate securely, and resources are protected from unauthorized access while resource sharing between multiple networks is guaranteed. That is, according to the different security requirements of network resources, terminals of different security levels can be given the right to access network resources of different security classes, and a terminal roaming across different networks can access the network resources that correspond to its own security level.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention.
The above disclosure covers only several specific embodiments of the present invention, but the present invention is not limited thereto; any variation that those skilled in the art can conceive of shall fall within the protection scope of the present invention.
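The following Python simulation is an added example, not code from the patent, that walks through both flows described above: the first (visited) network either fetches the security-state policy configuration for the requested service from the second (home) network and evaluates locally (Figure 4), or forwards a security-state evaluation request and lets the home network evaluate (Figure 7), and then maps the evaluation result to a role and the network resources that role may access. The terminal identity, service name, policy checks, thresholds, role names and the rule that a missing policy means denial are all constructed assumptions.

```python
from dataclasses import dataclass

# Home (second) network: security-state policy configuration stored per terminal
# identity and per requested service (claim 2). Constructed sample data.
HOME_POLICIES = {
    "terminal-A@home.example": {
        "mail": {
            "checks": {"antivirus_updated": 2, "os_patched": 2, "firewall_on": 1},
            "levels": [(5, "high"), (3, "medium")],  # score thresholds; otherwise "low"
        },
    },
}

# Visited (first) network: role mapping (claim 3) from the evaluation result to a role
# and the network resources that role may access. Constructed sample data.
ROLE_MAP = {
    "high": ("trusted_visitor", {"mail", "intranet", "file_share"}),
    "medium": ("limited_visitor", {"mail"}),
    "low": ("quarantine", set()),
}


def evaluate_state(policy, state):
    """Score the collected security-state information against a policy; return a level."""
    score = sum(w for check, w in policy["checks"].items() if state.get(check, False))
    for threshold, level in policy["levels"]:
        if score >= threshold:
            return level
    return "low"


class HomeNetwork:
    """Second network: returns policies (Figure 4) or evaluates on request (Figure 7)."""

    def get_policy(self, identity, service):
        return HOME_POLICIES.get(identity, {}).get(service)

    def evaluate(self, identity, service, state):
        policy = self.get_policy(identity, service)
        return None if policy is None else evaluate_state(policy, state)


@dataclass
class AccessDecision:
    role: str
    resources: set


class VisitedNetwork:
    """First network: admits the roaming terminal and performs role mapping."""

    def __init__(self, home, remote_evaluation=False):
        self.home = home
        self.remote_evaluation = remote_evaluation  # False: Figure 4 flow, True: Figure 7

    def handle_access_request(self, identity, service, collect_state):
        # collect_state() stands for gathering the terminal's security-state information;
        # assumption: in the Figure 7 flow that information is forwarded to the home network.
        state = collect_state()
        if self.remote_evaluation:
            level = self.home.evaluate(identity, service, state)
        else:
            policy = self.home.get_policy(identity, service)
            level = None if policy is None else evaluate_state(policy, state)
        if level is None:  # unknown identity or service: no policy, so deny (assumption)
            return AccessDecision("denied", set())
        role, resources = ROLE_MAP[level]
        return AccessDecision(role, resources)

    @staticmethod
    def permits(decision, resource):
        return resource in decision.resources


if __name__ == "__main__":
    home = HomeNetwork()
    healthy = lambda: {"antivirus_updated": True, "os_patched": True, "firewall_on": True}
    stale_av = lambda: {"antivirus_updated": False, "os_patched": True, "firewall_on": True}
    for remote in (False, True):
        visited = VisitedNetwork(home, remote_evaluation=remote)
        print(remote, visited.handle_access_request("terminal-A@home.example", "mail", healthy))
        print(remote, visited.handle_access_request("terminal-A@home.example", "mail", stale_av))
```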

Claims (12)

1. An authority control method, characterized in that it comprises the following steps:
a first network receives an access request sent by a roaming terminal, the request including the identity information of the roaming terminal;
the first network obtains a state evaluation result for the roaming terminal according to the identity information;
the first network performs role mapping on the roaming terminal according to the state evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network, and allows the roaming terminal to access the network resources corresponding to that role in the first network;
wherein the first network obtaining the state evaluation result for the roaming terminal according to the identity information specifically comprises:
the first network requesting from a second network all the security-state policy configuration information corresponding to the roaming terminal;
the first network receiving all the security-state policy configuration information corresponding to the roaming terminal returned by the second network, and evaluating the security state of the roaming terminal according to the security-state policy configuration information to obtain an evaluation result; or
the first network obtaining the state evaluation result for the roaming terminal according to the identity information specifically comprises:
the first network sending a security-state evaluation request to the second network;
the first network receiving from the second network the evaluation result for the security state of the roaming terminal.
2. The authority control method according to claim 1, characterized in that the access request further includes the service requested by the roaming terminal, and
the first network requests, from the second network that stores the security-state policy configuration corresponding to that service of the roaming terminal, the security-state policy configuration corresponding to that service of the roaming terminal.
3. The authority control method according to claim 1 or claim 2, characterized in that the role mapping comprises the correspondence between the state evaluation result of the roaming terminal, the corresponding role, and the accessible network resources.
4. The authority control method according to claim 1 or claim 2, characterized in that
the first network is a visited network or a service server, and the second network is a home network or a service server.
5. An authority control system, characterized in that it comprises:
a roaming terminal, configured to send an access request to a first network, the request including the identity information of the roaming terminal;
a first network, configured to receive the access request sent by the roaming terminal; to request, according to the identity information, the security-state policy configuration information corresponding to the roaming terminal from a second network that stores the security-state policy configuration corresponding to the service of the roaming terminal; to collect security-state information from the roaming terminal and evaluate its security state according to the security-state policy configuration information; to perform role mapping on the roaming terminal according to the evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network; and to allow the roaming terminal to access the network resources corresponding to that role in the first network;
a second network, configured to receive the request for the security-state policy configuration sent by the first network and to return the security-state policy configuration to the first network.
6. The authority control system according to claim 5, characterized in that the first network specifically comprises:
an access request receiving unit, configured to receive the access request sent by the roaming terminal, the request including the identity information of the roaming terminal;
a security-state policy configuration information acquiring unit, configured to request, according to the identity information, the security-state policy configuration information corresponding to the roaming terminal from the second network that stores the security-state policy configuration corresponding to the service of the roaming terminal, and to receive the security-state policy configuration information returned by the second network;
an evaluation unit, configured to evaluate the security state of the roaming terminal according to the security-state policy configuration;
a mapping unit, configured to perform role mapping on the roaming terminal according to the evaluation result and to allow the roaming terminal to access the network resources corresponding to that role in the first network.
7. The authority control system according to claim 5, characterized in that the second network specifically comprises:
a request receiving unit, configured to receive the request for the security-state policy configuration sent by the first network;
a security-state policy configuration sending unit, configured to return the security-state policy configuration to the first network.
8. A visited network, characterized in that it comprises:
an access request receiving unit, configured to receive the access request sent by the roaming terminal, the request including the identity information of the roaming terminal;
a security-state policy configuration information acquiring unit, configured to request, according to the identity information, the security-state policy configuration information corresponding to the roaming terminal from the home network, and to receive the security-state policy configuration information returned by the home network;
an evaluation unit, configured to evaluate the security state of the roaming terminal according to the security-state policy configuration information;
a mapping unit, configured to perform role mapping on the roaming terminal according to the evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network, and to allow the roaming terminal to access the network resources corresponding to that role in the visited network.
9. An authority control system, characterized in that it comprises:
a roaming terminal, configured to send an access request to a first network, the request including the identity information of the roaming terminal;
a first network, configured to receive the access request sent by the roaming terminal; to send, according to the identity information, a security-state evaluation request to a second network that stores the security-state policy configuration corresponding to the service of the roaming terminal; to receive from the second network the result of its evaluation of the security state of the roaming terminal; to perform role mapping on the roaming terminal according to the evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network; and to allow the roaming terminal to access the network resources corresponding to that role in the first network;
a second network, configured to receive the security-state evaluation request sent by the first network, to evaluate the security state of the roaming terminal, and to return the evaluation result to the first network.
10. The authority control system according to claim 9, characterized in that the first network specifically comprises:
an access request receiving unit, configured to receive the access request sent by the roaming terminal, the request including the identity information of the roaming terminal;
a security-state policy configuration information acquiring unit, configured to send, according to the identity information, a security-state evaluation request to the second network that stores the security-state policy configuration corresponding to the service of the roaming terminal, and to receive from the second network the result of its evaluation of the security state of the roaming terminal;
a mapping unit, configured to perform role mapping on the roaming terminal according to the evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network, and to allow the roaming terminal to access the network resources corresponding to that role in the first network.
11. The authority control system according to claim 9, characterized in that the second network specifically comprises:
a receiving unit, configured to receive the security-state evaluation request sent by the first network;
an evaluation unit, configured to evaluate the security state of the roaming terminal;
a feedback unit, configured to return the evaluation result to the first network.
12. A visited network, characterized in that it comprises:
an access request receiving unit, configured to receive the access request sent by a roaming terminal, the request including the identity information of the roaming terminal;
a state evaluation result acquiring unit, configured to send, according to the identity information, a security-state evaluation request to the home network, and to receive from the home network the state evaluation result for the roaming terminal;
a mapping unit, configured to perform role mapping on the roaming terminal according to the evaluation result, mapping the roaming terminal to a corresponding visiting terminal role in the first network, and to allow the roaming terminal to access the network resources corresponding to that role in the visited network.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2008100078693A CN101521885B (en) 2008-02-26 2008-02-26 Authority control method, system and equipment
PCT/CN2009/070395 WO2009105976A1 (en) 2008-02-26 2009-02-11 Method, system and device for permission control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008100078693A CN101521885B (en) 2008-02-26 2008-02-26 Authority control method, system and equipment

Publications (2)

Publication Number Publication Date
CN101521885A CN101521885A (en) 2009-09-02
CN101521885B true CN101521885B (en) 2012-01-11

Family

ID=41015523

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100078693A Expired - Fee Related CN101521885B (en) 2008-02-26 2008-02-26 Authority control method, system and equipment

Country Status (2)

Country Link
CN (1) CN101521885B (en)
WO (1) WO2009105976A1 (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (Granted publication date: 20120111)