Summary of the invention
Embodiments of the invention provide a resource access method and system for a multi-service platform, to solve the technical problem in the prior art that unauthorized access occurs and user experience suffers.
To solve the above technical problem, embodiments of the invention provide a resource access method for a multi-service platform. The multi-service platform includes a business server and an authentication server, and the method comprises:
The business server intercepts a resource access request sent by a user; the request contains resource coding information laid out uniformly according to the hierarchy and subordination relationships of the resources;
The authentication server identifies the user's identity in a centralized manner and obtains an identification result;
If the identification result is that the user is a legitimate user, the business server obtains the user's resource access control information according to the identity information of the legitimate user;
The business server judges, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request, and after a successful match performs the operation of the user accessing the corresponding resource.
Wherein, the authentication server identifying the user's identity in a centralized manner and obtaining the identification result comprises:
The authentication server obtains the ticket information associated with the user identity in the resource access request;
The authentication server matches the ticket information against the user identity information it obtains from the database; if the match succeeds, the user is a legitimate user, otherwise the user is an illegitimate user.
Wherein, the step of the authentication server obtaining the ticket information associated with the user identity in the resource access request comprises:
The business server judges whether the resource access request contains ticket information associated with the user identity;
If the judgment result is that the request contains the ticket information, the authentication server obtains the ticket information in the request from the business server;
If the judgment result is that the request does not contain the ticket information, then after the authentication server receives the information that the user has logged in successfully, it generates ticket information at random, adds this ticket information to the resource access request and sends it to the business server, and then obtains the ticket information in the request from the business server.
Wherein, the resource coding information comprises a resource number and an operation number of the operation to be performed on the resource;
The business server judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request comprises:
The business server searches whether the resource access control information contains the resource number and operation number in the request; if the search result is that the resource number and operation number are contained, the judgment result is a successful match, otherwise it is judged as no match.
Wherein, the resource coding information in the request comprises only a resource number;
The business server judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request comprises:
Searching whether the resource access control information contains the resource number in the request; if the search result is that the resource number is contained, the judgment result is that the request is malformed (a resource listed in the access control information must be requested together with an operation number) and does not match; otherwise, further searching whether the resource access control information contains a child number of the resource number in the request; if the search result is that such a child number is contained, the judgment result is a successful match, otherwise the judgment result is no match.
Wherein, after the step of the business server obtaining the user's resource access control information according to the identity information of the legitimate user, the method further comprises:
The business server saves the user's resource access control information, so that when the user subsequently accesses resources, the saved resource access control information can be used directly to perform access control.
Correspondingly, the invention also provides a resource access processing system for a multi-service platform, comprising a business server, an authentication server and a database, wherein:
The database is used for centrally storing the identity information of each user;
The authentication server is used for accessing the database, identifying the user's identity in a centralized manner, obtaining an identification result, and notifying the business server of the identification result;
The business server is used for intercepting the resource access request sent by each service user, the request containing resource coding information laid out uniformly by resource hierarchy and subordination; notifying the authentication server to identify the user's identity; if the identification result of the authentication server is that the user is a legitimate user, obtaining the user's resource access control information according to the identity information of the legitimate user; then judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request; and after a successful match, performing the operation of the user accessing the corresponding resource.
Wherein, the business server may comprise:
An access request interceptor, used for intercepting the resource access request sent by each service user, the request containing resource coding information laid out uniformly by resource hierarchy and subordination;
An access control processor, used for notifying the authentication server to identify the user's identity; if the identification result of the authentication server is that the user is a legitimate user, obtaining the user's resource access control information according to the identity information of the legitimate user; then judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request; and after a successful match, performing the operation of the user accessing the corresponding resource.
Compared with the prior art, the technical solution provided by the embodiments of the invention has the following beneficial effects:
The multi-service platform resource access control method and system provided by the invention are based on a centralized authentication service, so that users from various sources (such as browser clients and mobile phone clients) enter the platform through the same entrance with a unified identity, which provides support for multi-service integration. At the same time, centralized authentication means that the services themselves need not concern themselves with access control logic, so user-related security information can be stored separately and cannot be reached from outside through the services;
In addition, resource coding information laid out uniformly by resource hierarchy and subordination makes the hierarchical and subordination relationships between resources easy to identify, obtain and judge, so that the system can enforce access control over higher-level resources based on the access information of lower-level resources;
Furthermore, request-oriented interception means that every access to a resource can be verified and controlled, which prevents path guessing (reaching a resource by guessing its path). Unauthorized access is thereby effectively avoided without affecting user experience, and the approach suits information systems, such as mobile value-added service platforms, in which the notion of a resource is broad and management and use are equally important.
Description of the embodiments
Referring to Fig. 1, which is a flow chart of the resource access method for a multi-service platform of the invention. The multi-service platform includes a business server and an authentication server, and the method may comprise the following steps:
Step 101: the business server intercepts a resource access request sent by a user. The request contains resource coding information; for example, the resource coding information contains the resource number of the resource the user requests, or contains both the resource number and the operation number of the operation requested on that resource. In practice, the request may also contain ticket information related to the user's identity information.
Step 102: the authentication server identifies the user's identity and obtains an identification result. If the result is that the user is illegitimate, step 104 is performed; if the user is legitimate, step 103 is performed.
Step 103: the business server obtains the resource access control information of the legitimate user according to the legitimate user's identity information, and judges, according to the resource hierarchy and subordination relationships, whether the resource coding information in the resource access control information matches the resource coding information contained in the request. If they match, the user is allowed to access the resource; otherwise step 104 is performed.
Step 104: the user's access request is refused.
Referring to Fig. 2, which shows the resource access processing system of the multi-service platform of the invention corresponding to the above resource access method. Specifically, in this embodiment the resource access processing system of the multi-service platform may comprise a business server 1, an authentication server 2 and a database 3, wherein:
The database 3 is mainly used for centrally storing the identity information of each user;
The authentication server 2 is mainly used for identifying the user's identity in a centralized manner, obtaining an identification result and notifying the business server 1 of the identification result. In a specific implementation, based on the request intercepted by the business server 1, it obtains user-related information from the database 3 and provides that user-related information to the business server 1;
The business server 1 is mainly used for intercepting the resource access request sent by each service user, the request containing resource coding information laid out uniformly by resource hierarchy and subordination; notifying the authentication server 2 to identify the user's identity; if the identification result of the authentication server 2 is that the user is a legitimate user, obtaining the user's resource access control information according to the identity information of the legitimate user; then judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request; and after a successful match, performing the operation of the user accessing the corresponding resource. In a specific implementation, as one specific embodiment, the business server 1 may comprise: an access request interceptor, used for intercepting the resource access request sent by each service user, the request containing resource coding information laid out uniformly by resource hierarchy and subordination;
An access control processor, used for notifying the authentication server to identify the user's identity; if the identification result of the authentication server is that the user is a legitimate user, obtaining the user's resource access control information according to the identity information of the legitimate user; then judging, according to the resource hierarchy and subordination relationships, whether the resource coding information in the user's resource access control information matches the resource coding information contained in the request; and after a successful match, performing the operation of the user accessing the corresponding resource. Because the business server 1 does not access the database 3 directly at the service layer, the services themselves need not consider access control logic, so the security of the data in the database is effectively guaranteed while user identity and access rights are verified.
Referring to Fig. 3, which is a flow chart of resource access processing in embodiment one of the invention. The flow may comprise the following steps:
Step 201: the business server receives a request, sent by a client, in which the user asks to access a resource; the request contains resource coding information. The business server judges that the request does not contain ticket information associated with the user identity, and requires the user to provide login information to the authentication server.
In this embodiment the request does not contain user identity ticket information; the processing for the case in which the request does contain user identity ticket information is described in detail in embodiment two below.
Step 202: the user sends login information to the authentication server through the client.
Step 203: after receiving the login information, the authentication server obtains the user identity information from the database.
Step 204: the authentication server matches the obtained user identity information against the login information. If the match succeeds, step 205 is performed; otherwise step 211 is performed.
Step 205: the authentication server generates ticket information for this user at random and returns the ticket information to the business server via the request. For example, the ticket information may be a code associated with the user's identity.
Step 206: the business server saves the ticket information and sends the ticket information to the authentication server through encrypted communication.
Step 207: the authentication server matches the identity information against the ticket information. If the match succeeds, step 208 is performed; otherwise step 211 is performed.
Step 208: on the successful match result, the business server continues to intercept the request; if it judges that it does not itself store this user's resource access control information, it requires the authentication server to verify the access.
Step 209: the authentication server obtains the user's resource access control information from the database and provides the resource access control information to the business server.
Step 210: the business server stores the received resource access control information and matches the resource access control information against the resource coding information. If the match succeeds, the user is allowed to access the resource and the operation of accessing the resource is performed; otherwise step 211 is performed.
Step 211: the business server refuses the user's request on the failed match result from the authentication server.
In a specific implementation of the invention, the resource access control information may be an access control list (ACL) whose entries are formed from a plurality of resource numbers the user may access together with the operation numbers that may be executed on those resources. The resource access control information is generated as the user uses the business platform; for example, in existing value-added service platforms, when a user subscribes to a data service, the service content to be obtained must be determined by customization. Whichever platform a user uses, resource access control information for access control must be generated in a similar way at the time of use. The business server saves the list after obtaining it from the authentication server for the first time, so that subsequent access control for this user does not require contacting the authentication server again, which speeds up the access control verification.
It should be noted that, to make the above comparison convenient for the business server, a specific implementation of the invention uses the same coding format for the resource coding information and the resource access control information. For example, all consumable content and management functions in the multi-service platform system are coded according to a tree structure. The basic method of this tree-structured coding is to represent each resource in the system by a number of fixed length, in which fields of different numbers of digits are assigned to the resources of each level, from high-order to low-order, according to the level distribution. Thus, for a resource at a given level, its parent resource number can be read off the higher-order fields, which achieves the purpose of storing, in the resource number itself, the access path leading to that resource.
In addition, the resource number in the resource access request and the resource numbers in the resource access control information are not only processed by one-to-one correspondence but also by considering their parent-child (or subordination) relationships. Specifically: when the request contains a resource number and an operation number, the ACL is searched for an entry containing that resource number and operation number; if there is one, access is allowed, otherwise access is denied. When the request contains only a resource number, the ACL is searched for an entry whose resource number corresponds to it; if there is one, the request is malformed, the match fails and access is not allowed; otherwise the ACL is further searched for an entry whose resource number is a child number of the resource number in the request; if there is one, the requested resource is a path that must be traversed to reach that child resource in the ACL, and the access request is granted; otherwise access is denied. In this way, as long as the coding rules are followed, both consumable content and management functions can be organized in a tree structure, and effective access control can be applied both to the higher-level resources on the access path and to the lower-level resources that represent the actual content and function points.
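The tree-structured coding and the matching rule described above (and claimed earlier in the summary for the two request forms, with and without an operation number) are shown here as an added worked example; this is not code from the patent or from any product that implements it. The field layout is an assumption chosen for the example: three levels of 2, 2 and 3 decimal digits, high-order fields first, a zero field meaning "no resource at this level", and "child number" read as any resource strictly below the requested node. The sample ACL is constructed.

```python
from typing import Iterable, List, Optional, Tuple

# Hypothetical field layout for this example (not specified by the patent):
# level 1 (service) 2 digits, level 2 (module) 2 digits, level 3 (content or
# function point) 3 digits. Every resource number is therefore 7 digits long.
LEVEL_WIDTHS = (2, 2, 3)
CODE_LEN = sum(LEVEL_WIDTHS)
ZERO_FIELDS = tuple("0" * w for w in LEVEL_WIDTHS)


def path_fields(code: str) -> List[str]:
    """Return the non-zero level fields of a resource number, i.e. the path from
    the root of the tree down to this resource. Rejects a number of the wrong
    length, a non-digit, or a zero field followed by a non-zero one (a gap)."""
    if len(code) != CODE_LEN or not code.isdigit():
        raise ValueError(f"malformed resource number {code!r}")
    path: List[str] = []
    pos = 0
    seen_zero = False
    for width, zero in zip(LEVEL_WIDTHS, ZERO_FIELDS):
        field = code[pos:pos + width]
        pos += width
        if field == zero:
            seen_zero = True
        elif seen_zero:
            raise ValueError(f"gap in hierarchy in resource number {code!r}")
        else:
            path.append(field)
    return path


def encode(path: Iterable[str]) -> str:
    """Inverse of path_fields: pad a path with zero fields to a full number."""
    fields = list(path)
    return "".join(fields[i] if i < len(fields) else ZERO_FIELDS[i]
                   for i in range(len(LEVEL_WIDTHS)))


def parent_number(code: str) -> Optional[str]:
    """Parent resource number, read off the higher-order fields; None at the root."""
    path = path_fields(code)
    return encode(path[:-1]) if path else None


def is_descendant(code: str, ancestor: str) -> bool:
    """True when `ancestor` lies strictly above `code` in the tree."""
    c, a = path_fields(code), path_fields(ancestor)
    return len(c) > len(a) and c[:len(a)] == a


def check_access(acl: Iterable[Tuple[str, str]], resource: str,
                 action: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the matching rule to an ACL of (resource number, operation number)
    entries and return (allowed, reason)."""
    path_fields(resource)  # raises ValueError for a malformed resource number
    entries = set(acl)
    if action is not None:
        # Resource number plus operation number: an exact ACL entry is required.
        if (resource, action) in entries:
            return True, "exact ACL entry"
        return False, "no ACL entry for this resource and operation"
    # Resource number only. A resource that has its own ACL entry must be
    # requested together with an operation number, so this form is malformed.
    if any(r == resource for r, _ in entries):
        return False, "malformed request: resource must be requested with an operation number"
    # Otherwise allow when the node lies on the path to an authorised lower-level resource.
    if any(is_descendant(r, resource) for r, _ in entries):
        return True, "resource is on the access path to an authorised child resource"
    return False, "no authorised resource beneath this node"


# Constructed sample ACL: read access to content 0102001, write access to 0102002.
SAMPLE_ACL = [("0102001", "R"), ("0102002", "W")]

if __name__ == "__main__":
    for req in [("0102001", "R"), ("0102001", "W"), ("0102000", None),
                ("0100000", None), ("0102001", None), ("0103000", None)]:
        print(req, check_access(SAMPLE_ACL, *req))
```

Under this layout, module 0102000 and service 0100000 are granted without any ACL entry of their own, purely because an authorised resource sits beneath them, while the sibling module 0103000 is refused. Note that the root (all zero fields) is then reachable by any user holding at least one ACL entry, which is the intended behaviour for a shared entry point but is worth stating explicitly when the layout is chosen.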
Referring to Fig. 4, which is a flow chart of resource access processing in embodiment two of the invention. The flow may comprise the following steps:
Step 301: the business server receives a request, sent by a client, in which the user asks to access a resource; the request contains resource coding information.
Step 302: the business server judges that it itself stores the user's ticket information, and sends the ticket information to the authentication server through encrypted communication.
Step 303: the authentication server obtains the user identity information from the database and matches the obtained user identity information against the received ticket information. If the match succeeds, step 304 is performed; otherwise step 306 is performed.
Step 304: on the successful match result, the business server continues to intercept the request.
Step 305: the business server judges that it itself stores this user's resource access control information, and compares the resource access control information with the resource coding information. If they are consistent, the user is allowed to access the resource and the operation of accessing the resource is performed; otherwise step 306 is performed.
Step 306: the business server refuses the user's request.
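The two flows of Fig. 3 (first request: login, random ticket, ACL fetched and cached) and Fig. 4 (later request: ticket already held, cached ACL used) are put together below as an added, self-contained simulation; it is example code written for this page, not the patent's or any vendor's implementation. Assumptions: the authentication server keeps an in-memory ticket-to-identity table and is the only component that reads the identity store; the business server hands the ticket back in the request object so that the caller can present it on later requests; the encrypted channel between the two servers is abstracted as a direct call; passwords in the constructed identity store are PBKDF2 hashes with a fixed salt; and the ACL comparison is plain entry membership, since the hierarchical matching is a separate concern. The user record and ACL are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

Entry = Tuple[str, str]  # (resource number, operation number)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in for whatever the real identity store uses (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed identity store standing in for the centralised database.
_SALT = b"constructed-example-salt"
USER_DB = {
    "alice": {
        "pw_hash": hash_password("correct-horse", _SALT),
        "acl": {("0102001", "R"), ("0102002", "W")},
    },
}


class AuthServer:
    """The only component that touches the identity database; issues and checks tickets."""

    def __init__(self, db: Dict[str, dict]) -> None:
        self._db = db
        self._tickets: Dict[str, str] = {}  # ticket -> username (assumed in-memory table)

    def login(self, username: str, password: str) -> Optional[str]:
        """Steps 203-205: verify the login information, mint a random ticket on success."""
        record = self._db.get(username)
        if record is None:
            return None
        if not hmac.compare_digest(record["pw_hash"], hash_password(password, _SALT)):
            return None
        ticket = secrets.token_urlsafe(32)   # unguessable, one per login
        self._tickets[ticket] = username
        return ticket

    def identify(self, ticket: str) -> Optional[str]:
        """Steps 207 and 303: map a ticket back to an identity; None if unknown."""
        return self._tickets.get(ticket)

    def acl_for(self, username: str) -> Set[Entry]:
        """Step 209: fetch the user's access control list from the database."""
        return set(self._db[username]["acl"])


class BusinessServer:
    """Intercepts every request and never reads the identity database itself."""

    def __init__(self, auth: AuthServer) -> None:
        self._auth = auth
        self._acl_cache: Dict[str, Set[Entry]] = {}

    def has_cached_acl(self, username: str) -> bool:
        return username in self._acl_cache

    def intercept(self, request: dict) -> Tuple[bool, str]:
        """Return (allowed, reason). After a successful login the issued ticket is
        written back into request["ticket"] so later requests can carry it."""
        ticket = request.get("ticket")
        if ticket is None:                       # embodiment one: no ticket yet
            creds = request.get("login")
            if creds is None:
                return False, "login required"
            ticket = self._auth.login(*creds)
            if ticket is None:
                return False, "authentication failed"
            request["ticket"] = ticket
        user = self._auth.identify(ticket)       # embodiment two: ticket presented
        if user is None:
            return False, "invalid ticket"
        acl = self._acl_cache.get(user)
        if acl is None:                          # first access: fetch and keep (step 210)
            acl = self._auth.acl_for(user)
            self._acl_cache[user] = acl
        entry = (request.get("resource"), request.get("action"))
        if entry in acl:
            return True, f"{user} may perform {entry[1]} on {entry[0]}"
        return False, "access denied"


if __name__ == "__main__":
    bs = BusinessServer(AuthServer(USER_DB))
    first = {"resource": "0102001", "action": "R", "login": ("alice", "correct-horse")}
    print(bs.intercept(first))
    print(bs.intercept({"resource": "0102002", "action": "R", "ticket": first["ticket"]}))
```

As in the description above, the ACL is fetched once and reused for every later request from that user; the example mirrors that and, like the description, has no cache invalidation, so a change to the user's subscriptions in the database is not seen by the business server until the cached list is dropped.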
In summary, the resource access method and system for a multi-service platform provided by the invention are based on a centralized authentication service, so that users from various sources (such as browser clients and mobile phone clients) enter the platform through the same entrance with a unified identity, which provides support for multi-service integration. At the same time, centralized authentication means that the services themselves need not concern themselves with access control logic, so user-related security information can be stored separately and cannot be reached from outside through the services. Uniform resource coding makes the hierarchical and subordination relationships between resources easy to identify, obtain and judge, so that the system can enforce access control over higher-level resources based on the access information of lower-level resources. Request-oriented interception means that every access to a resource can be verified and controlled, which prevents the path guessing described above.
The above is only a preferred implementation of the invention. It should be pointed out that those skilled in the art may make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention.