CN101631116B - Distributed dual-license and access control method and system - Google Patents

Distributed dual-license and access control method and system

Info

Publication number: CN101631116B
Authority: CN (China)
Prior art keywords: user, information, grouping, access control, access
Legal status: Expired - Fee Related (status as estimated by Google Patents; not a legal conclusion)
Application number: CN200910090837A
Other languages: Chinese (zh)
Other versions: CN101631116A
Inventors: 刘润达, 诸云强, 杜佳
Current assignee: Institute of Geographic Sciences and Natural Resources of CAS
Original assignee: Institute of Geographic Sciences and Natural Resources of CAS
Events: application filed by Institute of Geographic Sciences and Natural Resources of CAS; priority claimed to CN200910090837A; publication of CN101631116A; application granted; publication of CN101631116B; current legal status Expired - Fee Related; anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed dual authorization and access control method and system. The method is applied in a control system comprising a universal authentication and authorization server and a plurality of application systems of different types, and comprises: a hierarchical authority control step, in which the user's level is set through the universal authentication and authorization server, the user's level information is transmitted to the application systems, and the user's access authority to coarse-grained resources or services is decided by verifying the matching relationship between the user's level and the level of the resource or service in the application system; and a group authority control step, in which users and resources/services are grouped separately in each application system, and the user's access authority to fine-grained resources or services is decided by verifying whether the user's groups and the resource/service groups intersect.

Description

Distributed dual authorization and access control method and system
Technical Field
The invention relates to technology by which a user is authorized to access distributed resources or services in a distributed network environment, and in particular to a distributed hierarchical-and-grouping dual authorization and access control method and system.
Background
Information facilities inside enterprises usually consist of heterogeneous, distributed application systems, and integrating these systems is the direction of development; moreover, a large application system is itself distributed, assembled from different modules to serve a given purpose. Integrating different information systems, in particular Web application systems, requires unified user management and authentication, and on that basis, in order to further control access to the information systems and their resources, authorization and access control of resources or services for users must be implemented.
Authorization and access control govern the authority to access the resources or services of an application system. They are an important component of a network information facility: by restricting resource access they prevent intrusion by illegitimate users and damage caused by careless operation of legitimate ones, thereby ensuring legitimate use of system resources or services. The core of access control is the authorization policy and method, i.e., the set of rules that decides whether a subject may access an object; in a distributed network environment the subject is a registered user and the object is a resource or service of some granularity and class in the distributed system.
For example, patent document No. 00129495.4 discloses a role-based authorization method among enterprises. Role-based access control has its advantages and its applicable range, but most information systems inside enterprises are now distributed, are built on an open Service-Oriented Architecture (SOA), are loosely integrated through Web services, and use XML as their main technical means. Because the resource types and flows of such systems are complex, the role-based access control model cannot meet their requirements and becomes one of the bottlenecks restricting information flow. In particular, the conventional role-based privilege control model has limited data access control capability and lacks flexibility: on the one hand authority is excessively centralized, on the other hand authorization logic becomes more complex, greatly increasing the administrator's workload, and the granularity of the authorized object is rarely considered. Authority control in a distributed network environment therefore needs to take different application requirements into account and to be realized from different angles.
Single-user hierarchical authorization solves the authorization and access control problem for general resources, but because it is a one-dimensional authorization mode it cannot handle complex situations: when resources or services exist at multiple layers and thus need multiple limiting factors, one-dimensional authorization is insufficient. That is, if the granularity of authority control is set at a category or coarser, it cannot control more detailed resources or services.
Disclosure of Invention
The invention aims to provide a distributed dual authorization and access control method and system.
In order to achieve the above object, the present invention provides a distributed dual authorization and access control method, which is applied to a control system including a universal authentication authorization server and a plurality of different types of application systems, and is characterized in that the method includes:
a step of hierarchical authority control, which is used for setting user levels through the universal authentication authorization server, transmitting user hierarchical information to the application system, and determining the access authority of the user to coarse-grained resources or services through verifying the level matching relationship between the user levels and the resources or services of the application system;
and a grouping authority control step, which is used for respectively grouping and setting the user and the resource/service through the application system, and determining the access authority of the user to the fine-grained resource or service through verifying the intersection relationship between the user group and the resource/service group.
The distributed dual authorization and access control method is characterized in that the hierarchical access control step further comprises:
step S101, setting the user's level through the general authentication and authorization server, and transmitting the user's hierarchical information to an application system after the user completes unified login authentication;
step S102, the application system parses the user's hierarchical information to obtain the user name and user level;
step S103, when the user accesses a restricted resource, the local application system decides the user's access authority by comparing the level agreed in advance for the resource or service with the user's level: when the user's level is higher than or equal to the level of the resource, access is allowed; otherwise access is refused and a corresponding prompt is issued.
The distributed dual authorization and access control method is characterized in that the grouping access control step further comprises:
step S201, grouping users and resources/services in the local application system in advance;
step S202, when the user has passed level verification and needs to access a fine-grained resource controlled by grouping authority, the grouping access control logic deployed in the application system examines the relationship between the user's groups and the fine-grained resource's groups to decide the user's access authority: if the two sets of groups intersect, the user may access the resource; otherwise access is denied and a corresponding prompt is issued.
The distributed dual authorization and access control method is characterized in that, in step S101, the user's level and user name are transmitted together in an XML document, and in step S102 a SAX-based parser is used to parse that XML document.
Further, the present invention provides a distributed dual authorization and access control system comprising a general authentication and authorization server and a plurality of application systems of different types, characterized in that:
the universal authentication and authorization server is used for providing a unified login authentication function, a user grading setting function and a user information publishing function of the user, and transmitting user grading information to the application system after the user completes the unified login authentication;
the application system is used for deploying the hierarchical and grouping access control logic, determining the access authority of the user to the coarse-grained resources or services by verifying the matching relation between the user level and the level of the data services of the application system, and determining the access authority of the user to the fine-grained resources or services by verifying the intersection relation between the user group and the resources or service group.
The distributed dual authorization and access control system is characterized in that the general authentication authorization server is further provided with:
the user level setting module, used for setting the user's level-related information and, after the user completes unified login authentication, returning that information to the application system in a file of the agreed format;
and the user information publishing module is used for providing the user information publishing Web service based on the information in the user library.
The distributed dual authorization and access control system is characterized in that the application system is further provided with:
the resource hierarchical access control module, used for parsing the user name and user level from the format file and providing access control for the related resources or services according to the user's level and the agreed convention;
the user grouping setting module, used for providing a management interface and a function for locally assigning a specific user to groups;
the resource grouping setting module, used for providing a function for locally assigning the resources or services in the application system to groups;
the resource grouping access control module, used for dynamically checking the locally set user and resource/service groups when a user accesses, and implementing access control according to the relationship between the user's groups and the resource's groups.
The distributed dual authorization and access control system is characterized in that a USER LEVEL field is added to the user information database table in the user level setting module to identify the user's level.
The distributed dual authorization and access control system is characterized in that, in the user level setting module, if more detailed allocation of user hierarchical authority is needed, a separate authority control table is set up specially for the management of the user's authority roles.
The distributed dual authorization and access control system is characterized in that the resource hierarchical access control module comprises a SAX-based parser for parsing the user hierarchical information XML file returned to the application system by the user level setting module, to obtain the user name and user level therein.
Compared with the prior art, in the distributed hierarchical-and-grouping dual authorization and access control method and system of the invention the authentication and authorization server is independent of each application system: no application system reads the user database directly, and the access control logic for the data must be deployed in each application system, that is, a separated design is adopted. Distributed user authorization and access control improves the flexibility of the authorization and access control system, reduces the coupling and mutual dependence between application systems, and improves both the efficiency of user authorization and the security of resources.
The invention controls the authority of coarse-grained and fine-grained resources or services separately, by dual user authorization and access control. Coarse granularity can correspond to certain global applications, while the grouping method extends the control granularity to resources of any granularity; it also provides user information within the application domain through a Web service and places the grouping control logic where the data is actually stored, which favors flexible combination and autonomy of the platform, follows the idea of software reuse, and favors extension of the system.
Drawings
FIG. 1 is a flow chart of a distributed dual authorization and access control method of the present invention;
FIG. 2 is a schematic diagram of a user and resource grouping management setting interface in the method of the present invention;
FIG. 3 is a schematic diagram of a data protection period setting interface in the method of the present invention;
fig. 4 is a schematic block diagram of a distributed dual authorization and access control system of the present invention.
Detailed Description
The technical solutions of the present invention are further described below with reference to the drawings and the specific embodiments, but the present invention is not limited to the following embodiments.
The distributed dual authorization and access control method of the invention is applied to a control system comprising a general authentication and authorization server and a plurality of application systems of different types. Its main idea is as follows. The dual authorization scheme controls the authority of coarse-grained and fine-grained resources or services separately: the authority of coarse-grained resources is controlled by assigning levels to users and agreeing which user levels correspond to which resources. Under this dual authority control, the user's level determines whether the user has access or other operation authority to a coarse-grained resource or service, i.e., whether the user has authority over a certain type of application; for finer operations, such as access to a particular operation method, whether the user has further access authority is determined by consulting the group mapping. The grouping method of the invention extends the control granularity of resources or services to any granularity, provides user information in the application domain through a Web service, and places the grouping control logic in the local application system, which favors flexible combination and autonomy of the platform.
Fig. 1 shows an implementation flow of the distributed dual authorization and access control method of the present invention, and referring to fig. 1, the distributed dual authorization and access control method provided by the present invention includes:
a hierarchical authority control step, used for setting the user's level through the general authentication and authorization server (abbreviated CA throughout this description), transmitting the user's hierarchical information to the application system through the CA, and determining the user's access authority to coarse-grained resources or services by verifying the matching relationship between the user's level and the level of the resources or services of the application system;
and a grouping authority control step, which is used for respectively grouping and setting the user and the resource/service through the application system, and determining the access authority of the user to the fine-grained resource or service through verifying the intersection relationship between the user group and the resource or service group.
The step of controlling the hierarchical authority further comprises:
step S101, setting the user's level through the CA (the authentication and authorization server), and transmitting the user's hierarchical information to an application system after the user completes unified login authentication.
When accessing a resource or service in a distributed application system, the user first performs global login authentication; the CA then reads the user's level information and returns it to the application system. To keep the system cross-platform, the user's level information is packaged together with the user name in an XML document for transmission. In the Java implementation, the user name and level are written into a structured XML document in the Servlet that authenticated the user and sent directly to the client. A Servlet is a server-side program written in Java that is independent of protocol and platform; Servlets run in Java-enabled servers, dynamically extend the server's capabilities, and provide Web services in a request-response mode.
The following code segment shows how the authentication and authorization server outputs the user name and level after a successful login; they are returned to the client application as an XML document, a form that enhances the extensibility and flexibility of the platform. Here `user` is the user name variable and `level` is the user's level variable.
[Code listing present only as image G2009100908379D00061 in the original; not available as text.]
Step S102, the application system parses the XML document it has received to obtain the user name and user level.
Step S101 above returns an XML document to the application system; its format is shown in the following code fragment. The hierarchical access control module deployed in the application system is responsible for parsing this document. It works as an interceptor, which in a Java environment can be implemented with the application server's filter mechanism, and it parses the returned XML document with a SAX-based parser to obtain the user name and the user's level. SAX (Simple API for XML) is a widely adopted event-driven, "push"-model API for processing XML. In this example, the parsed user name is "lrd" and the level is "2".
[XML document present only as image G2009100908379D00071 in the original; not available as text.]
Step S103, once the application system holds the user's level and the user accesses a restricted resource or service, the local application system decides whether access is permitted by comparing the level agreed in advance for that resource or service with the user's level: access is allowed when the user's level is higher than or equal to the level of the resource or service; otherwise access is refused and a corresponding prompt is issued.
In each application system joined to the authorization and access control system, the access control logic can use the Session object to improve efficiency after it has obtained the user's level. The identifying information (user name, user level and so on) is stored in the Session object, so that when the user accesses the next resource or service no new level-acquisition round trip to the CA is needed, which improves the system's response. The Session object is provided by the application server; it records the user's private data variables so that they are available when the user requests the server again. Variables in the Session object persist until the user's session ends, and depending on the implementation they can be stored in various ways.
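The hierarchical step S101 to S103 in working form, as an added example that is not code from the patent or its Java implementation. The XML document is a constructed stand-in with assumed element names (the patent reproduces the real document only as an image); the HMAC tag and shared secret are an assumption added here, because a level assertion that passes through the client can be altered before the application system reads it unless something binds it to the CA. The resource level table, the session dict and the `fetch_assertion` callback are also assumptions.

```python
"""Hierarchical (level) check of steps S101-S103: parse the CA's XML
document with SAX, verify its integrity, cache the result in the session
and compare the user's level with the resource's level."""
import hashlib
import hmac
import io
import xml.sax
from xml.sax import handler

# Constructed stand-in for the CA's XML document (the patent shows the real
# document only as an image); the element names are assumed.
SAMPLE_ASSERTION = b"<userinfo><user>lrd</user><level>2</level></userinfo>"

# Assumed shared secret between the CA and this application system; the
# patent does not say how the document is protected in transit.
SHARED_SECRET = b"example-shared-secret-change-me"

# Constructed table of agreed resource levels (coarse-grained objects).
RESOURCE_LEVELS = {"module/reports": 1, "entry/land-use": 2, "module/admin": 3}


def sign_assertion(xml_bytes, secret=SHARED_SECRET):
    """HMAC tag the CA would attach so the application can detect tampering."""
    return hmac.new(secret, xml_bytes, hashlib.sha256).hexdigest()


class _UserInfoHandler(handler.ContentHandler):
    """SAX content handler collecting the text of <user> and <level>."""

    def __init__(self):
        super().__init__()
        self._current = None
        self.fields = {}

    def startElement(self, name, attrs):
        if name in ("user", "level"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content  # text may arrive in chunks

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_user_info(xml_bytes):
    """Step S102: return (user name, level) from the XML document."""
    parser = xml.sax.make_parser()
    # Refuse external general entities so a hostile document cannot pull in
    # local files or remote content while the level is being read.
    parser.setFeature(handler.feature_external_ges, False)
    h = _UserInfoHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    name = h.fields.get("user", "").strip()
    level = h.fields.get("level", "").strip()
    if not name or not level.isdigit():
        raise ValueError("malformed user hierarchical information")
    return name, int(level)


def verify_and_parse(xml_bytes, tag, secret=SHARED_SECRET):
    """Check the tag before trusting anything in the document."""
    if not hmac.compare_digest(sign_assertion(xml_bytes, secret), tag):
        raise ValueError("assertion tag mismatch; refusing to parse")
    return parse_user_info(xml_bytes)


def authorize_coarse(session, resource, fetch_assertion):
    """Step S103: decide access to a coarse-grained resource.

    `session` is the per-user Session object (a dict here).  `fetch_assertion`
    stands for the round trip to the CA and must return (xml_bytes, tag); it
    is called only when the session holds no cached level yet, which is the
    Session optimisation the text describes.  Returns (allowed, reason).
    """
    if "user" not in session:
        xml_bytes, tag = fetch_assertion()
        session["user"], session["level"] = verify_and_parse(xml_bytes, tag)
    required = RESOURCE_LEVELS.get(resource)
    if required is None:
        return False, "no agreed level for %r; denied by default" % resource
    if session["level"] >= required:
        return True, "user level %d >= resource level %d" % (session["level"], required)
    return False, "user level %d < resource level %d" % (session["level"], required)
```

Two choices differ from a literal reading of the text: a resource with no agreed level is denied rather than ignored, and the document is rejected before parsing when its tag does not verify. Disabling external general entities on the SAX parser costs nothing and removes the usual file-disclosure path through a crafted document; a deployment that cannot keep a shared secret can instead have the application system fetch the level from the CA server-to-server, which also removes the client from the path.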
In the above process, the module implementing authentication and authorization in the CA may be deployed and run together with related modules such as user management, or run as an independent system. The object of distributed hierarchical authorization and access control is a resource or service of relatively coarse granularity: authorization can be controlled by level for a class of resources or services belonging to a certain domain, for example a specific application module or a certain class of information entry. More detailed resource authorization, for example access to specific individual data resources under such an entry, requires further authorization. The flow of the grouping authority control step is described next.
The above grouping right control step further comprises:
step S201, grouping and setting users and resources/services in the local application system in advance.
On the one hand, the application system stores in its own database the user information obtained from the user information publishing Web service deployed on the general authentication and authorization server, as required by the group settings, and assigns users to multiple groups; on the other hand, it assigns fine-grained resources or services in the application system to multiple groups. Group names can be freely created and added from each application system's management interface. Groups and the items assigned to them (users and resources/services) are in a many-to-many relationship: one user can belong to several groups, one resource can belong to several groups, and a group can contain several users or resources/services. A user and a resource/service whose groups intersect have an access relationship, i.e., the user has access rights.
Step S202, when a user who has passed hierarchical access control accesses a fine-grained resource or service, the grouping access control logic deployed in the application system decides the user's access authority by checking whether the user's groups and the fine-grained resource's or service's groups intersect: if they do, the user may access the resource or service; otherwise access is denied and a corresponding prompt is issued.
When a user accesses a fine-grained resource or service under access control in the distributed system, the grouping access control logic deployed in the application system runs and checks whether the user and the resource or service have a group in common, to judge whether the resource or service may be accessed; this is equivalent to adding a lock to the resource or service.
Fig. 2 is a schematic diagram of the background group management interface for resources/services and users; it shows a user's groups and a resource/service's groups, and since they have no group in common, the user cannot access the resource/service numbered "100101-0-361". To simplify implementation, a resource or service that has no group assigned is open and accessible to any user.
Besides these permission settings, the scheme allows various extensions, such as adding an access protection period at both the level and grouping layers; this is realized by adding a protection period management interface and adding suitable verification conditions to the respective access control logic. Fig. 3 shows a schematic of the data protection period management interface. If for some reason a type of resource or a particular resource or service must not be accessed at present, a time at which protection ends can be set for it in the background; a resource or service that has not yet reached that time is said to be within its protection period. When a user accesses the data, the access control module automatically checks whether the protection period has passed and the access condition is satisfied; if the current time is still within the protection period, the user is told that the resource or service cannot be accessed.
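The grouping step S201 to S202 together with the protection-period extension, as an added example rather than code from the patent. The group tables, the protection-period table and the resource identifiers other than the "100101-0-361" case of Fig. 2 are constructed; the `open_when_ungrouped` switch is an addition so that the patent's "ungrouped resource is open" simplification can be compared with a deny-by-default rule.

```python
"""Grouping check of steps S201-S202, with the Fig. 2 case, the
"ungrouped resource is open" rule and the protection-period extension."""
from datetime import datetime, timezone

# Constructed group tables of one application system (many-to-many: an item
# may be in several groups, a group may hold several items).
USER_GROUPS = {
    "lrd": {"hydrology", "editors"},
    "guest": set(),
}
RESOURCE_GROUPS = {
    "100101-0-361": {"soil-survey"},            # Fig. 2: no group shared with lrd
    "100101-0-362": {"hydrology", "archive"},   # shares "hydrology" with lrd
    "100101-0-001": set(),                      # no group assigned at all
}
# Assumed protection-period table: resource -> time at which protection ends
# (the text calls this the time point of unprotection).
UNPROTECT_AT = {
    "100101-0-362": datetime(2030, 1, 1, tzinfo=timezone.utc),
}


def assign(table, item, group):
    """Management-interface action: add `item` to `group` (many-to-many)."""
    table.setdefault(item, set()).add(group)


def in_protection_period(resource, now):
    until = UNPROTECT_AT.get(resource)
    return until is not None and now < until


def authorize_fine(user, resource, now=None, open_when_ungrouped=True):
    """Decide access to a fine-grained resource; returns (allowed, reason).

    `open_when_ungrouped=True` reproduces the patent's simplification that a
    resource without any group is open to every logged-in user; pass False to
    deny by default instead, which is the safer choice when a resource may be
    created before its groups are assigned.
    """
    now = now or datetime.now(timezone.utc)
    if resource not in RESOURCE_GROUPS:
        return False, "unknown resource"
    if in_protection_period(resource, now):
        return False, "resource is within its protection period"
    resource_groups = RESOURCE_GROUPS[resource]
    if not resource_groups:
        if open_when_ungrouped:
            return True, "resource has no group assigned; open"
        return False, "resource has no group assigned; denied by default"
    common = USER_GROUPS.get(user, set()) & resource_groups
    if common:
        return True, "shared group(s): " + ", ".join(sorted(common))
    return False, "user and resource share no group"
```

The protection-period test runs before the group test, so a resource in its protection period is refused even to a user who would otherwise qualify, which matches the text's description of the check as an additional verification condition on the existing logic.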
The method of the invention authorizes users and resources/services within the local application system, and the access control logic is likewise located in each distributed application system. This realizes a resource- or service-extensible management model. In order to group and uniformly manage the authority of resources or services across different application systems, a user information publishing Web service is deployed on the CA, so that other application systems can query and obtain the simple user information they need to set up groups. When an application system needs to group a user for authority purposes, it calls the user information publishing Web service of the authentication and authorization server to obtain the user information, and then makes the users to be placed in groups resident in its local database. Because in the end only logged-in users, i.e., valid users, can use the application system's user grouping access control, the users an application system has obtained through the Web service are not affected by later deletion or modification of the user on the CA; the application system obtains the user information it needs only through the Web service.
Further, the present invention also provides a system for implementing the above method. Fig. 4 shows a schematic block diagram of the system model; referring to Fig. 4, the system comprises a general authentication and authorization server 10 and a plurality of application systems 20 of different types. The general authentication and authorization server provides the user's unified login authentication function, the user level setting function and a database storing user information, and publishes user information through a Web service. After the user completes unified login authentication, the CA transmits the user's hierarchical information to the application system, whose grouping setting modules assign users and resources/services to groups respectively. The access control logic deployed on the application system determines the user's access authority to coarse-grained resources or services by verifying the matching relationship between the user's level and the level of the resources or services of the application system, and determines the user's access authority to fine-grained resources or services by verifying whether the user's groups and the data service groups intersect.
The above-mentioned general authentication authorization server 10 further includes a user hierarchical setting module 101, a user information issuing module 102; each application system comprises a resource hierarchical access control module 201, a user grouping setting module 202, a resource grouping setting module 203 and a resource grouping access control module 204.
To implement a resource- or service-extensible management model, the invention requires that group authorization of users and resources/services, and the authority verification logic, reside in the distributed application systems. To group and uniformly manage the authority of resources or services across different application systems, a user information publishing Web service is deployed on the authentication and authorization server so that other application systems can query and obtain the simple user information they need. When an application system needs to group a user, it calls this Web service of the authentication and authorization server, then makes the users to be grouped resident in its local database; because only logged-in, i.e. valid, users can ultimately use the application system's user grouping access control, the users obtained through the Web service are not affected by user deletion or modification at the CA, and the application system obtains the user information it needs only through the Web service. The core functional modules for authorization and access control are described in detail below:
User level setting module 101: sets the user's level and related information; the level becomes an attribute of the user information and is returned to the application system in a file of the agreed format after the user completes unified login authentication, for example encapsulated in an XML file. The CA has a database table storing user information; to implement level setting, a field USER LEVEL of numeric type can be added to that table to identify the user's level. Where user levels are complex, an access control list (ACL) or similar can be set up separately, specially for the management of the user's authority roles. A setting entry for the user level is provided in the background management interface, through which the system administrator sets the level of registered users.
User information publishing module 102: mainly provides the user information publishing Web service, so that the distributed application systems can query and download user information. Which users are provided externally, and in how much detail, can be decided through the management interface. The grouping of users is deployed in the specific application system, which favors each application system's autonomous control of its authority. The Web service published by the authentication and authorization server for accessing user information is ListUserSVR, whose associated operations (methods) are getSimpleUserInfoList, which returns a list of user information objects; getCount, which returns the total number of user entries matched by one search; and getTotal, which returns the number of users actually returned. In the design of the Web service a simple class SimpleUserInfo is constructed to describe the user type; the information it stores includes the user ID, the user's real name, the e-mail address and the user entity. The service is called when the user grouping setting module deployed in an application system runs: the information of a set of users obtained by a search is returned (by getSimpleUserInfoList) as a fixed-length array of SimpleUserInfo objects, together with index information such as the total number of users matching the conditions in one query (getCount) and the number of users returned this time (getTotal); the return values of getCount and getTotal support user search and paged display. The user information is then entered into the local database according to the settings required, and the grouping is set up.
A certain security mechanism should be used in the user information publishing Web service to prevent the user information from being stolen by a third party, and a password verification method and an XML encryption method can be generally adopted. On the other hand, the authentication and authorization server is added with a management control function which is open to user information, so that some users can be set not to be accessed and grouped, and the authentication and authorization server can be open to the outside for some users, but detailed information is not provided. While other users may be searched for more detailed information and used. This involves an extension to the SimpleUserInfo class and an enhancement to the ListUserSVR.
Resource hierarchical access control module 201: the user level setting module 101 may return the application system with the user hierarchical format file parsing capability, for example, the XML file parsing capability may be provided to parse the user name information and the user level information from the XML file, and provide access control for coarse granularity, a certain type of resource, or a resource or service in a certain domain according to the user level according to the convention.
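The user information publishing service and the coarse-grained level check are described above only in words. The following added example (not the patent's code) shows both: a ListUserSVR-style service with the operations named on the page (getSimpleUserInfoList, getCount, getTotal), a per-user exposure setting that hides some users or strips their details, a service password compared in constant time, and the SAX-based parsing of the user level file followed by the level comparison of step S103. The user table, the XML element names, the sample document, the resource levels and the 'exposure' values are constructed assumptions.

```python
"""Added example: user information publishing service plus the coarse-grained
(level-based) access check.  Not the patent's code; sample data is constructed."""
import hmac
import io
import xml.sax
from dataclasses import dataclass
from typing import List, Optional
from xml.sax.handler import ContentHandler, feature_external_ges

# Exposure settings assumed for the management control described on the page.
HIDDEN, BASIC, DETAILED = "hidden", "basic", "detailed"

# Constructed CA user table; 'entity' stands for the "user entity" field.
USER_TABLE = [
    {"user_id": "u001", "real_name": "Alice Chen", "email": "alice@example.org", "entity": "Hydrology Lab", "exposure": DETAILED},
    {"user_id": "u002", "real_name": "Bob Wang", "email": "bob@example.org", "entity": "Geology Lab", "exposure": BASIC},
    {"user_id": "u003", "real_name": "Carol Zhao", "email": "carol@example.org", "entity": "Admin Office", "exposure": HIDDEN},
    {"user_id": "u004", "real_name": "Dave Liu", "email": "dave@example.org", "entity": "Hydrology Lab", "exposure": DETAILED},
    {"user_id": "u005", "real_name": "Eve Sun", "email": "eve@example.org", "entity": "Remote Sensing", "exposure": BASIC},
]


@dataclass(frozen=True)
class SimpleUserInfo:
    """The user type returned by the service; details are None for BASIC users."""
    user_id: str
    real_name: Optional[str]
    email: Optional[str]
    entity: Optional[str]


class ListUserSVR:
    """Publishing service: search, paging, exposure control, password check."""

    def __init__(self, table, service_password: str):
        self._table = table
        self._password = service_password

    def _check_password(self, password: str) -> None:
        # Constant-time comparison of the caller's service password.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("service password rejected")

    def _matches(self, keyword: str):
        """Visible (non-hidden) rows whose id or real name contains keyword."""
        kw = keyword.lower()
        return [row for row in self._table if row["exposure"] != HIDDEN
                and (kw in row["user_id"].lower() or kw in row["real_name"].lower())]

    def getCount(self, password: str, keyword: str) -> int:
        """Total number of users matched by one search (drives paging)."""
        self._check_password(password)
        return len(self._matches(keyword))

    def getSimpleUserInfoList(self, password: str, keyword: str, offset: int, limit: int) -> List[SimpleUserInfo]:
        """One page of SimpleUserInfo objects; details stripped for BASIC users."""
        self._check_password(password)
        result = []
        for row in self._matches(keyword)[offset:offset + limit]:
            if row["exposure"] == DETAILED:
                result.append(SimpleUserInfo(row["user_id"], row["real_name"], row["email"], row["entity"]))
            else:
                result.append(SimpleUserInfo(row["user_id"], None, None, None))
        return result

    def getTotal(self, password: str, keyword: str, offset: int, limit: int) -> int:
        """Number of users actually returned on this page."""
        return len(self.getSimpleUserInfoList(password, keyword, offset, limit))


# Constructed sample of the file the server returns after unified login
# (element names assumed; the page only fixes XML + SAX).
SAMPLE_USER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<userinfo><username>alice</username><userlevel>2</userlevel></userinfo>"""

# Agreed levels of coarse-grained resources in this application system (constructed).
RESOURCE_LEVELS = {"public_catalog": 0, "regional_dataset": 2, "restricted_archive": 3}


class UserInfoHandler(ContentHandler):
    """SAX handler collecting the text of <username> and <userlevel>."""

    def __init__(self):
        super().__init__()
        self.fields, self._current, self._buf = {}, None, []

    def startElement(self, name, attrs):
        self._current, self._buf = name, []

    def characters(self, content):
        if self._current in ("username", "userlevel"):  # text may arrive in chunks
            self._buf.append(content)

    def endElement(self, name):
        if name in ("username", "userlevel"):
            self.fields[name] = "".join(self._buf).strip()
        self._current = None


def parse_user_info(xml_bytes):
    """Return (username, userlevel) from the server's XML document."""
    handler = UserInfoHandler()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # network input: no external entities
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    username, level = handler.fields.get("username"), handler.fields.get("userlevel")
    if not username or level is None or not level.isdigit():
        raise ValueError("user info document lacks a valid username/userlevel")  # USER_LEVEL is numeric
    return username, int(level)


def level_allows(user_level, resource, resource_levels=RESOURCE_LEVELS):
    """Step S103: allow when user level >= agreed resource level; unknown resource -> deny."""
    return resource in resource_levels and user_level >= resource_levels[resource]


def check_level_access(xml_bytes, resource):
    """Parse the XML and apply the coarse-grained level check."""
    username, level = parse_user_info(xml_bytes)
    return username, level_allows(level, resource)
```

Hidden users never appear in a page or in getCount, so the local grouping module cannot import them; BASIC users can be imported by ID only. The parser refuses external entities and a non-numeric level, and a resource without an agreed level is denied rather than treated as level 0.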
User group setting module 202: it provides a management interface, can fetch the user information to be stored locally by accessing the user information publishing Web service of the user information publishing module 102, and through the local management interface provides a multi-group authorization function for specific users with respect to the resources or services of the system.
Resource grouping setting module 203: it provides a local management interface for group authorization of resources or services in the application system, and can assign fine-grained resources or services to multiple groups. A group and its assigned entries form a many-to-many relationship: a resource or service may belong to multiple groups, and a group may contain multiple resources or services.
Resource grouping access control module 204: for a user's access, the grouping access control logic dynamically examines the locally set groups of the user and of the resource/service and enforces access control according to the correspondence between the user's groups and the resource's groups.
The control logic is deployed in the application system and checks whether the user's groups intersect the groups of the resource or service being accessed.
The distributed authorization and access control of the invention is carried out on the basis of unified authentication. After unified authentication is completed, one-level or two-level authorization can be selected according to the authority requirements of the resource or service. Hierarchical authorization targets coarser-grained resources: the user hierarchy divides registered users according to a certain standard, the resource services in the application system grant different access authority to different users according to the convention, higher-level users have higher authority, and in this way the resources in the information system are authorized. With the method and the system, the CA is accessed to obtain the user's level information, and the hierarchical access control module in the application system judges according to the convention whether the user has access authority for the coarse-grained resource or service; if so, the corresponding resource can be accessed. Where fine-grained authority control is also needed, the resource grouping access control module in the application system completes the access control using the results set by the user group setting module and the resource grouping setting module. The authorization and access control process is simple, flexible and safe.
The distributed hierarchical-grouping dual authorization and access control method and system of the invention are a lightweight solution. The authentication and authorization server can run as an independent network application, and the authority setting and control client software can be deployed in each information system that needs unified authentication and authority control; the mechanism is flexible, simple and readily implemented. In addition, the code implementing the invention can be written in many network programming languages; different parts can be deployed as independent modules in the application systems and the authentication authorization server and interact over the network. This modular design lets an application system implement authority control with very little interaction code, simplifies system design, reduces the logical coupling between authority control and the business application system, and improves usability.
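The grouping modules 202 to 204 and the two-level decision summarized above are shown in the following added example (not the patent's code): local user groups and resource groups in a many-to-many relationship, the intersection check of step S202, and a decision function that applies the level check first and the grouping check only for resources that require it. The users, groups, resources and levels are constructed sample data; the user level is taken as already obtained from the authentication server's user level file.

```python
"""Added example: fine-grained (grouping) access control chained after the
coarse-grained level check.  Not the patent's code; sample data is constructed."""

# Local user groups (result of the user group setting module); a user may
# belong to several groups.
USER_GROUPS = {
    "alice": {"hydrology", "editors"},
    "bob": {"geology"},
    "carol": set(),  # registered, level known, but not placed in any group yet
}

# Local resource groups (result of the resource grouping setting module);
# many-to-many: a resource may be in several groups, a group holds several resources.
RESOURCE_GROUPS = {
    "river_flow_2008": {"hydrology"},
    "soil_survey": {"geology", "hydrology"},
    "draft_reports": {"editors"},
    "orphan_dataset": set(),  # group-controlled but not yet assigned: nobody passes
}

# Agreed coarse-grained levels of the resources (constructed values).
RESOURCE_LEVELS = {
    "public_map": 0,
    "river_flow_2008": 1,
    "soil_survey": 1,
    "draft_reports": 2,
    "orphan_dataset": 1,
}

# Resources that additionally require the grouping check (two-level
# authorization); the others are controlled by level only.
GROUP_CONTROLLED = {"river_flow_2008", "soil_survey", "draft_reports", "orphan_dataset"}


def assign_resource_to_group(resource, group):
    """Management operation of module 203: add a resource to a group."""
    RESOURCE_GROUPS.setdefault(resource, set()).add(group)


def group_allows(user, resource):
    """Step S202: allow iff the user's groups intersect the resource's groups.

    Unknown users or resources have no groups and are therefore denied.
    """
    user_groups = USER_GROUPS.get(user, set())
    resource_groups = RESOURCE_GROUPS.get(resource, set())
    return not user_groups.isdisjoint(resource_groups)


def dual_authorize(user, user_level, resource):
    """Level check first, then the grouping check where the resource needs it.

    Returns (allowed, reason).  user_level is the value already obtained from
    the authentication server's user level file.
    """
    if resource not in RESOURCE_LEVELS:
        return False, "unknown resource"
    if user_level < RESOURCE_LEVELS[resource]:
        return False, "user level below resource level"
    if resource not in GROUP_CONTROLLED:
        return True, "level check passed (level-only resource)"
    if group_allows(user, resource):
        return True, "level and grouping checks passed"
    return False, "user groups do not intersect resource groups"


if __name__ == "__main__":
    for user, level, resource in [("alice", 2, "draft_reports"), ("bob", 3, "draft_reports"),
                                  ("carol", 0, "public_map"), ("carol", 1, "orphan_dataset")]:
        allowed, reason = dual_authorize(user, level, resource)
        print(f"{user}(level {level}) -> {resource}: {'allow' if allowed else 'deny'} ({reason})")
```

Both tables are local to the application system, so an administrator can regroup users and resources without touching the authentication server; a resource placed under grouping control but not yet assigned to any group is denied to everyone until a group is assigned.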
Although the present invention has been described with respect to a preferred embodiment, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A distributed dual authorization and access control method is applied to a control system comprising a general authentication authorization server and a plurality of application systems of different types, and is characterized by comprising the following steps:
a hierarchical authority control step, in which user levels are set through the universal authentication authorization server, user level information is transmitted to the application system, and the user's access authority to coarse-grained resources or services is determined by verifying the level matching relationship between the user level and the resources or services of the application system;
and a grouping authority control step, in which users and resources/services are respectively grouped and set through the application system, and the user's access authority to fine-grained resources or services is determined by verifying the intersection relationship between the user's group and the resource/service group.
2. The distributed dual authorization and access control method according to claim 1, wherein the hierarchical authority control step further comprises:
step S101, setting the user level through the general authentication and authorization server, and transmitting the user level information to the application system after the user completes unified login authentication;
step S102, the application system parses the user level information to obtain the user name and the user level;
step S103, the user accesses a restricted resource, and the local application system determines the user's access authority by comparing the pre-agreed level of the resource or service with the level of the user; when the user level is higher than or equal to the level of the data resource, access is allowed; otherwise access is refused and a corresponding prompt is issued.
3. The distributed dual authorization and access control method according to claim 1 or 2, wherein the grouping authority control step further comprises:
step S201, grouping and setting users and resources/services in advance in the local application system;
step S202, when the user has passed the level verification and needs to access a fine-grained resource controlled by the grouping authority, the grouping access control logic deployed in the application system checks the relation between the user's groups and the groups of the fine-grained data resource to determine the user's access authority; if the groups intersect, the user can access the fine-grained data resource, otherwise the user is denied access and a corresponding prompt is issued.
4. The distributed dual authorization and access control method according to claim 2, wherein in step S101 the user level information and the user name information are transmitted in an XML document, and in step S102 the XML document is parsed by a SAX-based parser.
5. A distributed dual authorization and access control system, comprising a generic authentication authorization server and a plurality of application systems of different types, wherein:
the universal authentication and authorization server is used for providing the user's unified login authentication function, user level setting function and user information publishing function, and for transmitting the user level information to the application system after the user completes unified login authentication;
the application system is used for deploying the hierarchical and grouping access control logic, determining the access authority of the user to the coarse-grained resources or services by verifying the matching relation between the user level and the level of the data services of the application system, and determining the access authority of the user to the fine-grained resources or services by verifying the intersection relation between the user group and the resources or service group.
6. The distributed dual authorization and access control system according to claim 5, wherein the general authentication authorization server further comprises:
the user level setting module is used for setting the user's level related information and returning it to the application system in a file of a set format after the user completes unified login authentication;
a user information publishing module providing a user information publishing Web service based on information in the user repository.
7. The distributed dual authorization and access control system according to claim 6, wherein the application system further comprises:
a resource hierarchical access control module for parsing the user name information and user level information out of the format file and providing access control for the relevant resources or services according to the user level and the agreed convention;
a user group setting module for providing a management interface with a locally managed group setting function for specific users;
a resource grouping setting module for providing a locally managed grouping setting function for the resources or services in the application system;
a resource grouping access control module for dynamically examining, for a user's access, the locally set groups of the user and of the resources/services, and realizing the access control function according to the relation between the user's groups and the resource's groups.
8. The distributed dual authorization and access control system according to claim 6, wherein the user information database table in the user level setting module has an added USER_LEVEL field that identifies the user level and is used for user level control.
9. The distributed dual authorization and access control system according to claim 6, wherein the user level setting module separately sets an authorization control table for the user's authorization role management if a more detailed allocation of user level authorization is required.
10. The distributed dual authorization and access control system according to claim 7, wherein the resource hierarchical access control module includes a SAX-based parser for parsing the XML file containing the user level information, returned to the application system by the user level setting module, to obtain the user name and user level information therein.
CN200910090837A 2009-08-10 2009-08-10 Distributed dual-license and access control method and system Expired - Fee Related CN101631116B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910090837A CN101631116B (en) 2009-08-10 2009-08-10 Distributed dual-license and access control method and system

Publications (2)

Publication Number Publication Date
CN101631116A CN101631116A (en) 2010-01-20
CN101631116B true CN101631116B (en) 2012-10-17

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101478536A (en) * 2008-12-08 2009-07-08 Shandong Inspur Qilu Software Industry Co., Ltd. Method for solving access control in authority management
CN101499906A (en) * 2008-02-02 2009-08-05 Xiamen Yaxon Network Co., Ltd. Method for implementing subscriber authority management based on role function mapping table

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
刘强 et al. Research on a fine-grained hierarchical authorization mechanism for complex resources. Computer Engineering (计算机工程). 2005, vol. 31, no. 13, p. 82. *
刘润达 et al. Implementation of a simple cross-domain single sign-on system. Computer Applications (计算机应用). 2007, vol. 27, no. 2, pp. 289-290. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121017

Termination date: 20210810

CF01 Termination of patent right due to non-payment of annual fee