CN102088351B - Authorization management system and implementation method thereof - Google Patents

Info

Publication number: CN102088351B (application number CN200910217966.XA; other version CN102088351A)
Authority: CN (China)
Prior art keywords: rights management, platform, management sub-platform, attribute certificate
Legal status: Active (Google's listing; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 李伟平, 张宇韬, 曹恩龙, 刘耀辉, 田宏团
Current assignee: CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Original assignee: CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Application filed by CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd; priority to CN200910217966.XA; published as CN102088351A, granted and published as CN102088351B

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed authorization management system comprising a rights management main platform, at least one rights management sub-platform, at least one middleware device, at least one application device and at least one user device, all connected to one another through a network. The system and its implementation method provide several rights management sub-platforms; each sub-platform issues the authorization information between the user groups in its administrative region and the application roles in the form of attribute certificates and supplies user authorization information to the application systems in that region, while the rights management main platform uniformly monitors and shares the authorization information. Support can thereby be provided for a large number of users who are not registered in the system, and sub-platforms can be added as practical requirements dictate, so the system can be extended flexibly to meet different capacity requirements.

Description

Authorization management system and implementation method thereof
Technical field
The present invention relates to the field of information security technology and in particular to an authorization management system and its implementation method.
Background technology
As government and enterprise informatization advances, the number of application systems grows steadily. When the number of users is very large, the users are spread over a wide region and there are many application systems, authorizing access to those systems becomes a very thorny problem. In a large government body or enterprise the following situations often arise: an employee leaves but can still access some very important application systems; an employee changes position but the old permissions remain in the application systems; for a temporary business need an account is registered and application permissions are opened for an outside person in some application system, but the permissions are not withdrawn in time and key information is leaked; and although all applications run in the organization's own machine room, the decision-makers responsible for informatization have no easy way to obtain an overview of the permissions and authorizations of each application system. How to share resources in a uniform and effective way, and how to manage users' access rights promptly, quickly and effectively, has become a hard problem for decision-makers and for the business administrators of application systems.
A great many solutions have been proposed for unified user authentication, authorization and secure access control:
(1) Patent application CN 200710191525.8 (filing date 2007.12.12, title: Unified identity management and authentication method based on digital certificates and multilevel domains) discloses a unified identity management and authentication method based on digital certificates and multilevel domains. User identities are first maintained: user identity information is synchronized periodically with the human resources system, user data is completed by manual maintenance, and user identity information is synchronized into domains, that is, through the standard LDAP protocol into the AD subdomain of the user's unit, on which basis user authentication is performed. That invention lets a user reach multiple business systems by single sign-on, but it does not solve the problem of unified rights management for the user across those systems.
(2) Patent applications CN 200610076491.3 (filing date 2006.04.26, title: Security protection system for information systems or equipment and its working method), CN 200810040672.X (filing date 2008.07.17, title: System user access management system and method based on digital certificate technology), CN 200810040674.9 (filing date 2008.07.17, title: Access control method and device for information systems based on digital certificate technology), CN 200620100455.1 (filing date 2006.01.18, title: A network security authentication and authorization system) and CN 200710147233.4 (filing date 2007.08.30, title: Distributed business operation support system and implementation method of distributed services) all disclose schemes in which a logging-in user is authenticated and, once authentication passes, obtains the corresponding access rights. These schemes, however, lack secure management of the user rights information, so they cannot effectively rule out tampering by people, and the number of users they support is limited; they cannot solve the problem of unified authorization and secure access control for a large number of users, in particular the many users who are not registered in the system.
Patent application CN 200810062264.4 of Zhejiang University (filing date 2008.06.17, title: Web service control mechanism based on PKI and PMI) discloses a Web service control mechanism based on PKI and PMI. It comprises a PKI system, a PMI system and a Web service security system. The user applies to the PKI system for an identity certificate and then, on the strength of that identity certificate, applies to the PMI system for an attribute certificate that associates the user's identity with one or more roles; a policy certificate predefined by the PMI system binds roles to one or more Web services. When the user invokes a Web service, the Web security system asks the PKI system to check the legitimacy of the identity certificate and the PMI system to check whether the user is entitled to call that service; only when all checks pass is the user allowed to access the Web service, which realizes secure Web service invocation. In that invention the user applies for an attribute certificate with an identity certificate, specifies the role applied for, and obtains the attribute certificate after an administrator's audit; rights and roles are granted mainly to individual users, group rights and roles cannot be defined, the number of users supported is limited, and the many users who are not registered in the system cannot be supported.
The shortcoming common to the above schemes is that they cannot authorize large user groups (in particular the many users who are not registered in the system) and issue that authorization information in the trustworthy form of attribute certificates, which is what is needed to realize unified user authorization management and secure access control across multiple application systems.
A patent filed by our company at the same time, "Authorization management system and its implementation method", describes an authorization management system and method in which user groups are authorized and the authorization information is issued in the form of attribute certificates, so that unified user authorization information and secure access control can be provided to several application systems. The present invention improves further on that basis: several rights management sub-platforms are provided, each of which issues the authorization information between the user groups in its administrative region and the application roles in the form of attribute certificates and supplies user authorization information to the application systems in that region, while the rights management main platform uniformly monitors and shares the authorization information. The present invention can effectively reduce the load that a large number of concurrent users places on the system and can be extended flexibly to meet different capacity needs.
Another patent filed by our company at the same time, "Directory-based authorization management system and its implementation method", describes a directory-based system in which a unified authorization management platform performs rights management and secure access control for application systems and users, issues the authorization information between user groups and application roles in the form of attribute certificates, and deploys a local PMI slave directory server in each of several regions where users are concentrated; each slave directory server copies, according to policy, the attribute certificates that belong to its local application devices, so that authorization information can be supplied quickly to the application systems in that region. The present invention instead has each rights management sub-platform manage separately the authorization information between the user groups in its administrative region and the application roles, and has the rights management main platform exercise unified control and data sharing over all sub-platforms; multiple sub-platforms can be set up at any time according to practical needs, so the system can be extended more flexibly to meet different capacity needs.
Summary of the invention
The technical problem solved by this invention is to provide a distributed authorization management system and its implementation method which, using PKI and PMI technology, provides several rights management sub-platforms, each of which issues the authorization information between the user groups and the application roles in its administrative region in the form of attribute certificates and supplies user authorization information to the application systems in that region, while the rights management main platform uniformly monitors and shares the authorization information.
The invention provides a distributed authorization management system comprising a rights management main platform, at least one rights management sub-platform, at least one middleware device, at least one application device and at least one user device, wherein:
The rights management main platform registers all rights management sub-platforms, provides them with a directory service for users' digital certificates, signs the authorization information sent by the sub-platforms into attribute certificates, and aggregates and stores the data published by all sub-platforms;
The rights management sub-platform establishes the authorization relationships between the user groups covered by the system and the application roles, sends that authorization information to the main platform, provides the middleware device with a directory service for the attribute certificates signed by the main platform, and keeps its data synchronized with the main platform;
The middleware device receives the user login requests forwarded by the application device, connects to a suitable sub-platform according to the operating state of the sub-platforms and the sub-platform list, searches that sub-platform for the attribute certificate of the user for the application device in question, and returns the role information obtained from the attribute certificate to the application device;
The rights management main platform, rights management sub-platforms, middleware devices, application devices and user devices are connected by a network.
The invention also provides an implementation method for the distributed authorization management system, in which the rights management main platform, rights management sub-platforms, middleware devices, application devices and user devices are connected by a network, comprising the following steps:
Step 1: the rights management sub-platform sends a registration request to the rights management main platform;
Step 2: the main platform verifies the identity of the sub-platform;
Step 3: the main platform judges whether the identity of the sub-platform passes verification:
1) If verification fails, the main platform returns an authentication failure message to the sub-platform and goes to step 4;
2) If authentication passes,
(1) the main platform records the authentication information of the sub-platform;
(2) the main platform sends a rights management sub-platform list to the sub-platform;
(3) the sub-platform forwards the list to the middleware devices connected to it;
(4) the middleware device stores the sub-platform list information;
Step 4: the flow ends.
Compared with the prior art, the beneficial effects of the invention are as follows:
User identity and attribute information is extracted from digital certificates, which guarantees the authenticity of user identity information. User groups are authorized as rule groups, working groups and individuals, which supports the many users who are not registered in the system. Authorization information is issued as attribute certificates, which effectively rules out tampering by people. Each rights management sub-platform separately manages and maintains the authorization information between the user groups in its administrative region and the application roles, so application devices can obtain user authorization information from the sub-platform quickly. The rights management main platform exercises unified control and data sharing over all sub-platforms, so multiple sub-platforms can be set up at any time according to practical needs and the system can be expanded flexibly to meet different capacity needs. All sub-platforms share the attribute certificate issuing device of the main platform, which reduces investment cost. When a sub-platform malfunctions, the middleware device can connect to other sub-platforms, which continue to provide authorization information; this improves system availability and reduces maintenance cost.
Brief description of the drawings
Fig. 1 is the system deployment diagram.
Fig. 2 is the structure diagram of the distributed authorization management system.
Fig. 3 is the structure diagram of the rights management main platform.
Fig. 4 is the structure diagram of the rights management sub-platform.
Fig. 5 is the registration flow chart of the rights management sub-platform.
Fig. 6 is the attribute certificate issuing flow chart.
Fig. 7 is the flow chart for modifying authorization information.
Fig. 8 is the flow chart of a user logging in to an application device.
Embodiment
Fig. 1 is the physical deployment diagram of the distributed authorization management system. The system consists of a rights management main platform 1, at least one rights management sub-platform 2, at least one middleware device 3, at least one application device 4 and at least one user device 5, where the main platform 1, sub-platforms 2, middleware devices 3, application devices 4 and user devices 5 are connected by a network. A user sends a login request to an application device 4 from a user device 5 and accesses the application's resources. The user device 5 may be a user computer, a mobile phone or the like.
As shown in Fig. 2, the distributed authorization management system comprises the rights management main platform 1, rights management sub-platforms 2 and middleware devices 3.
The rights management main platform 1 registers all sub-platforms 2, provides them with a directory service for users' digital certificates, signs the authorization information sent by the sub-platforms 2 into attribute certificates, and aggregates and stores the data published by the PMI directory servers 23 of all sub-platforms 2.
The rights management sub-platform 2 establishes the authorization relationships between the user groups covered by the system and the application roles, sends that authorization information to the attribute certificate issuing device 11 of the main platform 1, provides the middleware device 3 with a directory service for the attribute certificates signed by the issuing device 11, and keeps its data synchronized with the main platform 1.
The middleware device 3 receives the user login requests forwarded by the application device 4, connects to a suitable sub-platform 2 according to the operating state of the sub-platforms 2 and the sub-platform list, searches the PMI directory server 23 of that sub-platform for the attribute certificate of the user for the application device 4 in question, and returns the role information obtained from the attribute certificate to the application device 4. The user's attribute certificates comprise rule group, working group and individual attribute certificates, and the role information comprises rule group, working group and individual role information.
As shown in Fig. 3, the rights management main platform 1 comprises an attribute certificate issuing device 11, a CA directory server 12, a master control device 13 and a PMI directory server 14.
The attribute certificate issuing device 11 establishes the attribute authority (AA) source, receives the authorization information sent by a sub-platform 2, signs it into attribute certificates and returns them to the sub-platform 2. Specifically, it reads the message in the specified format sent by the sub-platform 2, parses it to obtain the authorization information between user groups and application roles, signs that information into attribute certificates conforming to the RFC3281 V4 standard format, and returns the attribute certificates to the sub-platform 2. If an authorization needs to be revoked, it signs an attribute certificate revocation list (ACRL).
The CA directory server 12 provides the sub-platforms 2 with a directory service for users' digital certificates following the LDAP standard. The digital certificate information includes user and organizational structure information.
The master control device 13 receives registration requests from sub-platforms 2 and, once a sub-platform's identity has been verified, sends it the list of rights management sub-platforms 2.
The PMI directory server 14 aggregates and stores the data published by the PMI directory servers 23 of all sub-platforms 2 and provides each sub-platform 2 with a directory service for attribute certificates.
As shown in Fig. 4, the rights management sub-platform 2 comprises a PMS management device 21, a rights management device 22 and a PMI directory server 23.
The PMS management device 21 handles the interaction between the administrator and the system. It may take the form of a web-browser-based management interface, through which the administrator can:
1. add and modify the registration information of application devices 4;
2. view personal information and the related organizational structure information, and add and modify user group information such as rule group expressions, working groups and their members;
3. establish, modify and cancel the authorization relationships between user groups or individual users and application roles, together with the corresponding attribute certificates.
The rights management device 22 maintains the authorization elements (user groups and application roles) covered by the system, establishes the authorization relationships between user groups and application roles, sends that authorization information to the attribute certificate issuing device 11 of the main platform 1, and publishes the signed attribute certificates on the PMI directory server 23. It also receives the connection request messages sent by middleware devices 3, downloads from the PMI directory server 14 of the main platform 1 the attribute certificates relevant to the application devices 4 named in the connection request, and publishes them on its own PMI directory server 23. User groups are of three types:
1. Rule group: a rule group expression is defined according to the attribute information the users hold and the applicable rules, and the rule group is created from that expression. Rule groups suit scenarios in which the user population is large, widely distributed geographically, and cannot all be registered in the application device 4.
2. Working group: when, for business reasons of an application device 4, several users need the same role but a rule group cannot conveniently be created with a rule group expression, those users are placed in a working group.
3. Individual: scattered individual users.
The PMI directory server 23 provides the middleware device 3 with a directory service for attribute certificates following the LDAP standard and uploads its data to the PMI directory server 14 of the main platform 1. It serves rule group, working group and individual attribute certificates to the middleware device 3, and deletes the corresponding attribute certificates on receipt of an attribute certificate revocation list sent by the rights management device 22. The attribute certificates are of the following kinds:
1. Rule group attribute certificate: defines the authorization relationship between a rule group and an application role, and contains the XML-coded definition of the rule group, the local application device 43, the application role, the validity period and similar information.
2. Working group attribute certificate: defines the authorization relationship between a working group and an application role, and contains the working group name, the working group members, the local application device 43, the application role, the validity period and similar information.
3. Individual attribute certificate: defines the authorization relationship between an individual user and an application role, and contains the individual user, the local application device 43, the application role, the validity period and similar information.
When a new rights management sub-platform 2 is added to the system it must register with the rights management main platform 1. As shown in Fig. 5, the registration flow of a sub-platform 2 is as follows:
Step 1: the rights management device 22 of the sub-platform 2 sends a registration request to the main platform 1 (step S1001); the request contains the location of the sub-platform 2 and similar information;
Step 2: the master control device 13 of the main platform 1 verifies the identity of the sub-platform 2 (step S1002);
Step 3: the master control device 13 judges whether the identity of the sub-platform 2 passes verification (step S1003); the master control device 13 can authenticate the sub-platform 2 on the basis of the digital certificate it presents;
1) If verification fails, the master control device 13 returns an authentication failure message to the sub-platform 2 (step S1004) and goes to step 4 (step S1009);
2) If authentication passes,
(1) the master control device 13 records the authentication information of the sub-platform 2 (step S1005);
(2) the master control device 13 sends the sub-platform 2 the list of rights management sub-platforms 2 (step S1006). The list contains the location information of all sub-platforms 2, arranged in a certain priority order; when a middleware device 3 detects that the sub-platform 2 it is connected to is malfunctioning, it connects to the other sub-platforms 2 in the list in priority order, so the system can continue to work normally;
(3) the sub-platform 2 forwards the sub-platform list to the middleware devices 3 connected to it (step S1007);
(4) the middleware device 3 stores the sub-platform list information (step S1008);
Step 4: the flow ends (step S1009).
After a sub-platform 2 has registered, it sends the authorization information between the user groups in its jurisdiction and the application roles to the main platform 1, publishes the attribute certificates signed by the main platform 1 on its PMI directory server 23, and keeps its data synchronized with the main platform 1. As shown in Fig. 6, the steps are as follows:
Step 1: the rights management device 22 of the sub-platform 2 obtains digital certificates from the CA directory server 12 of the main platform 1 and reads the personnel and corresponding organization information (step S2001);
Step 2: the rights management device 22 generates user groups (step S2002);
A rule group is generated as follows: the administrator defines a rule group expression through the PMS management device 21, and the rights management device 22 reads the user attribute information from the digital certificates according to the expression and creates the corresponding rule group. For example, the administrator defines the rule group expression:
((city=Beijing) && (organization=head office)) && (department=research and development center) && ((position=head) || (position=deputy))
The rights management device 22 reads attributes such as the user's city, organization, department and position from the digital certificates and creates the corresponding rule group: the leaders of the research and development center of the head office in Beijing.
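The rule group expression above is evaluated against attributes read from each user's digital certificate. The following Python example is added here; it is not the patent's code, and the patent gives no formal grammar for the expression language. It implements a small recursive-descent evaluator for expressions built from `attribute=value` tests, parentheses, `&&` and `||` (with `&&` binding tighter than `||`, an assumption), and builds a rule group from a constructed set of certificate attribute sets. The attribute names `city`, `organization`, `department` and `position` and the sample users are assumptions.

```python
import re
from typing import Callable, Dict, List

Attrs = Dict[str, str]
Rule = Callable[[Attrs], bool]

# Token grammar (assumption): '(' , ')', '&&', '||', or an attribute=value pair
# whose value runs up to the next operator or parenthesis.
_TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||[^()&|=\s]+=[^()&|]*)")


def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1).strip())
        pos = m.end()
    return tokens


class _Parser:
    """or_expr := and_expr ('||' and_expr)* ; and_expr := primary ('&&' primary)* ; primary := '(' or_expr ')' | attr=value"""
    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.i = tokens, 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok
    def parse(self) -> Rule:
        rule = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return rule
    def _or_expr(self) -> Rule:
        parts = [self._and_expr()]
        while self._peek() == "||":
            self._take()
            parts.append(self._and_expr())
        return lambda attrs: any(p(attrs) for p in parts)
    def _and_expr(self) -> Rule:
        parts = [self._primary()]
        while self._peek() == "&&":
            self._take()
            parts.append(self._primary())
        return lambda attrs: all(p(attrs) for p in parts)
    def _primary(self) -> Rule:
        tok = self._take()
        if tok == "(":
            rule = self._or_expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return rule
        if tok is None or "=" not in tok:
            raise ValueError(f"expected attribute=value, got {tok!r}")
        key, _, value = tok.partition("=")
        key, value = key.strip(), value.strip()
        # An attribute missing from the certificate never matches: absence must not
        # put a user into a group.
        return lambda attrs: attrs.get(key) == value


def compile_rule(expr: str) -> Rule:
    return _Parser(tokenize(expr)).parse()


def build_rule_group(expr: str, users: Dict[str, Attrs]) -> List[str]:
    """Names of the users whose certificate attributes satisfy the rule group expression."""
    rule = compile_rule(expr)
    return sorted(name for name, attrs in users.items() if rule(attrs))


# The patent's example expression with the attribute names rendered in English (assumption).
RULE = ("((city=Beijing) && (organization=head office)) && "
        "(department=research and development center) && "
        "((position=head) || (position=deputy))")

# Constructed attribute sets standing in for what the rights management device
# reads from users' digital certificates via the CA directory server.
SAMPLE_USERS: Dict[str, Attrs] = {
    "CN=Zhang San": {"city": "Beijing", "organization": "head office",
                     "department": "research and development center", "position": "head"},
    "CN=Li Si": {"city": "Beijing", "organization": "head office",
                 "department": "research and development center", "position": "deputy"},
    "CN=Wang Wu": {"city": "Beijing", "organization": "head office",
                   "department": "research and development center", "position": "engineer"},
    "CN=Sun Qi": {"city": "Beijing", "organization": "Beijing branch",
                  "department": "research and development center", "position": "head"},
    "CN=Zhou Ba": {"city": "Beijing", "organization": "head office", "position": "head"},
}

if __name__ == "__main__":
    print(build_rule_group(RULE, SAMPLE_USERS))
```

Running the block lists the two users who satisfy every clause; the user with no `department` attribute is rejected rather than matched by default, which is the behaviour wanted when an attribute certificate will later grant a role to everyone in the group.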
A working group is generated as follows: the administrator views personal information and the related organizational structure information through the PMS management device 21 and selects some personnel on the organization tree to define the working group; the rights management device 22 reads the working group information defined by the administrator and creates the corresponding working group.
Step 3: the rights management device 22 reads the application devices 4 and their corresponding application role information (step S2003). As shown in Table 1, application roles can be divided according to the user's city, organization, department and position, each application role having a unique role code.
Table 1: mapping table of application roles and role codes
Step 4: the rights management device 22 establishes the authorization relationships between user groups and application roles (step S2004);
The administrator can define the authorization relationships between user groups and application roles through the PMS management device 21, and the rights management device 22 reads them and establishes the corresponding relationships; Table 2 shows a mapping between rule groups and application roles.
Table 2: mapping table of application roles, role codes and rule group expressions
Step 5: the rights management device 22 sends the authorization information to the attribute certificate issuing device 11 of the main platform 1 (step S2005);
Step 6: the attribute certificate issuing device 11 signs the attribute certificates and returns them to the rights management device 22 of the sub-platform 2 (step S2006);
Step 7: the rights management device 22 publishes the attribute certificates on the PMI directory server 23 (step S2007);
Step 8: the PMI directory server 23 uploads its data to the PMI directory server 14 of the main platform 1 (step S2008).
If the authorization information between the user groups in a sub-platform 2's jurisdiction and the application roles changes, for example because the administrator modifies the authorization relationship between a user group and an application role, the sub-platform 2 revokes the old attribute certificates and produces new ones according to the changed content, keeping its data synchronized with the main platform 1. As shown in Fig. 7, the steps are as follows:
Step 1: the administrator of the sub-platform 2 modifies the authorization information through the PMS management device 21 (step S3001);
Step 2: the PMS management device 21 forwards the modification request to the rights management device 22 (step S3002);
Step 3: the rights management device 22 reads the message and searches the database for the attribute certificates affected by the modification (step S3003);
Step 4: the rights management device 22 adds those attribute certificates to an attribute certificate revocation list and sends the revocation list together with the newly produced authorization relationships to the attribute certificate issuing device 11 of the main platform 1 (step S3004);
Step 5: the attribute certificate issuing device 11 signs the new attribute certificates and the attribute certificate revocation list and returns them to the rights management device 22 of the sub-platform 2 (step S3005);
Step 6: the rights management device 22 sends the new attribute certificates and the revocation list to the PMI directory server 23 (step S3006);
Step 7: the PMI directory server 23 deletes the attribute certificates listed in the revocation list and publishes the new attribute certificates (step S3007);
Step 8: the PMI directory server 23 uploads its data to the PMI directory server 14 of the main platform 1 (step S3008).
As shown in Figure 8, user uses digital certificate login application apparatus 4, and application apparatus 4 obtains application role corresponding to described user by middleware device 3, and authorizes user corresponding access rights, and its concrete steps are as follows:
Step 1: user uses digital certificate login application apparatus 4 (step S4001);
Step 2: application apparatus 4 forwards user's logging request (step S4002) to middleware device 3;
Step 3: middleware device 3 is verified (step S4003) to user's digital certificate information;
Step 4: middleware device 3 judges that whether user's digital certificate is by checking (step S4004)? if, by checking, do not turn to step 7 (step S4012), this flow process finishes.
Step 5: middleware device 3 judges rights management sub-platform 2 (step S4005) whether working properly?
If 1 is undesired, middleware device 3 obtains the Attribute certificate of described user corresponding to described application apparatus 4 from the PMI LIST SERVER 23 of rights management sub-platform 2, and corresponding application Role Information is returned to application apparatus 4 (step S4006);
If 2 is normal:
(1), middleware device 3 is by rights management sub-platform 2 lists of preserving, send request connection message (step S4007) with other rights management sub-platforms 2 in list, described request connection message includes all application apparatus 4 information that described middleware is connected;
(2), the rights management device 22 of other rights management sub-platforms 2 reads described request connection message, download the Attribute certificate relevant to the application apparatus 4 comprising in described request connection message from the PMI catalogue server 14 of the total platform 1 of rights management, and described Attribute certificate is published on self PMI LIST SERVER 23 (step S4008);
(3), the rights management device 22 of other rights management sub-platforms 2 returns to successful connection message (step S4009) to described middleware device 3;
(4), middleware device 3 obtains the Attribute certificate of described user corresponding to described application apparatus 4 from the PMI LIST SERVER 23 of other rights management sub-platforms 2, and corresponding application Role Information is returned to application apparatus 4 (step S4010);
Step 6: application apparatus 4, according to described application Role Information, is authorized the corresponding access rights of user (step S4011);
Step 7: this flow process finishes (step S4012).
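As an added illustration (not code from the patent), the following Python model walks through the issuance, revocation and login flows described above: the main platform signs attribute certificates (an HMAC stands in for the attribute authority's signature), each sub-platform publishes them on its PMI list server and uploads them together with its revocation list, and the middleware falls back to another listed sub-platform, which first pulls the relevant certificates from the main platform's directory. All class names, keys and sample values are constructed, and the model assumes the fallback is taken when the middleware's own sub-platform is unavailable.

```python
import hashlib
import hmac
from collections import namedtuple

AA_KEY = b"constructed-demo-key"  # constructed; a real AA signs with a private key
AttributeCert = namedtuple("AttributeCert", "serial user_group app role sig")

def sign(serial, user_group, app, role):
    body = f"{serial}|{user_group}|{app}|{role}".encode()
    return hmac.new(AA_KEY, body, hashlib.sha256).hexdigest()

class MainPlatform:
    """AC issuing apparatus 11 plus PMI directory server 14 (constructed model)."""
    def __init__(self):
        self.next_serial, self.directory, self.acrl = 1, {}, set()

    def issue(self, user_group, app, role):
        cert = AttributeCert(self.next_serial, user_group, app, role,
                             sign(self.next_serial, user_group, app, role))
        self.next_serial += 1
        return cert

    def verify(self, cert):  # reject forged and revoked ACs
        good_sig = hmac.compare_digest(cert.sig, sign(*cert[:4]))
        return good_sig and cert.serial not in self.acrl

    def sync(self, sub):  # step 8 of both flows: sub-platform uploads its ACs and ACRL
        self.acrl |= sub.acrl
        for serial in sub.acrl:
            self.directory.pop(serial, None)
        self.directory.update({c.serial: c for c in sub.pmi_list.values()})

class SubPlatform:
    def __init__(self, main, healthy=True):
        self.main, self.healthy = main, healthy
        self.pmi_list, self.acrl = {}, set()  # PMI list server 23 and its ACRL

    def authorize(self, user_group, app, role):  # issuance steps 4-8
        cert = self.main.issue(user_group, app, role)
        self.pmi_list[cert.serial] = cert
        self.main.sync(self)
        return cert

    def modify(self, old_serial, new_role):  # revocation flow: ACRL entry plus new AC
        old = self.pmi_list.pop(old_serial)
        self.acrl.add(old_serial)
        return self.authorize(old.user_group, old.app, new_role)

    def connect(self, apps):  # login step (2): pull ACs for these apps from directory 14
        for cert in self.main.directory.values():
            if cert.app in apps:
                self.pmi_list[cert.serial] = cert

    def roles(self, user_group, app):
        return sorted(c.role for c in self.pmi_list.values()
                      if (c.user_group, c.app) == (user_group, app) and self.main.verify(c))

def middleware_roles(cert_ok, home, others, apps, user_group, app):
    """Middleware device 3, steps 4-5; cert_ok is the digital-certificate check result."""
    if not cert_ok:                 # step 4: certificate failed verification, no role
        return None
    if home.healthy:                # assumption: own sub-platform answers when healthy
        return home.roles(user_group, app)
    for other in others:            # otherwise steps (1)-(4) via another listed sub-platform
        if other.healthy:
            other.connect(apps)
            return other.roles(user_group, app)
    return []
```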
It should be noted last that, above embodiment is only in order to explanation and unrestricted technical scheme described in the invention; Therefore, although this specification has been described in detail the present invention with reference to the above embodiments,, those of ordinary skill in the art should be appreciated that still and can the present invention be modified or be replaced equally; And all do not depart from technical scheme and the improvement thereof of the spirit and scope of the present invention, it all should be encompassed in the middle of claim scope of the present invention.

Claims (7)

1. A distributed authorization management system, comprising a rights management main platform, at least one rights management sub-platform, at least one middleware device, at least one application apparatus and at least one user apparatus, characterized in that:
the rights management main platform registers all rights management sub-platforms, provides them with a directory service for user digital certificates, signs and issues the authorization information sent by the rights management sub-platforms as attribute certificates, and gathers and stores the published data of all rights management sub-platforms;
the rights management sub-platform establishes the authorization relation from the user groups to the application roles covered by the system, sends the authorization information to the rights management main platform, provides the middleware device with a directory service for the attribute certificates signed and issued by the rights management main platform, and synchronizes its data with the rights management main platform;
the middleware device receives the user login request forwarded by the application apparatus, connects to a suitable rights management sub-platform according to the operating state of the rights management sub-platforms and the list of rights management sub-platforms, searches it for the attribute certificate of the user corresponding to the application apparatus, and returns the role information obtained from the attribute certificate to the application apparatus;
the rights management main platform, the rights management sub-platforms, the middleware devices, the application apparatuses and the user apparatuses are connected through a network.
2. The distributed authorization management system according to claim 1, characterized in that the rights management main platform includes:
an attribute certificate issuing apparatus, for establishing the attribute authority (AA) source, receiving the authorization information sent by the rights management sub-platform, signing and issuing that information as an attribute certificate, and returning it to the rights management sub-platform;
a CA directory server, for providing the rights management sub-platforms with a directory service for user digital certificates following the LDAP standard;
a master control device, for receiving the registration request sent by a rights management sub-platform and, after the sub-platform's authentication passes, sending it the list of rights management sub-platforms;
a PMI directory server, for gathering and storing the published data of all rights management sub-platforms and providing each rights management sub-platform with a directory service for attribute certificates.
3. The distributed authorization management system according to claim 1, characterized in that the rights management sub-platform includes:
a PMS manager, for interaction between the administrator and the system;
a rights management device, for maintaining the authorization elements covered by the system, namely user groups and application roles; establishing the authorization relation from user groups to application roles; sending the authorization information to the attribute certificate issuing apparatus of the rights management main platform; publishing the signed and issued attribute certificates on the PMI list server; and also receiving the connection request message sent by the middleware device, downloading from the PMI directory server of the rights management main platform the attribute certificates related to the application apparatuses listed in that message, and publishing them on its own PMI list server;
a PMI list server, for providing the middleware device with a directory service for attribute certificates following the LDAP standard, and uploading its data to the PMI directory server of the rights management main platform.
4. An implementation method for the distributed authorization management system according to claim 1, characterized in that it comprises the following steps:
Step 1: the rights management sub-platform sends a registration request to the rights management main platform;
Step 2: the rights management main platform verifies the identity of the rights management sub-platform;
Step 3: the rights management main platform judges whether the identity of the rights management sub-platform passes verification:
1) if it fails verification, the rights management main platform returns an authentication failure message to the rights management sub-platform and turns to step 4;
2) if it passes authentication:
(1) the rights management main platform records the authentication information of the rights management sub-platform;
(2) the rights management main platform sends a list of rights management sub-platforms to the rights management sub-platform;
(3) the rights management sub-platform forwards the list of rights management sub-platforms to the middleware devices connected to it;
(4) the middleware device stores the rights management sub-platform list information;
Step 4: the flow ends.
5. The method according to claim 4, characterized in that it further includes the following steps:
Step 1: the rights management sub-platform obtains digital certificates from the rights management main platform and reads the personnel and corresponding organization information;
Step 2: the rights management sub-platform generates user groups;
Step 3: the rights management sub-platform reads the application apparatuses and their corresponding application role information;
Step 4: the rights management sub-platform establishes the authorization relation between user groups and application roles;
Step 5: the rights management sub-platform sends the authorization information to the rights management main platform;
Step 6: the rights management main platform signs and issues the attribute certificate and returns it to the rights management sub-platform;
Step 7: the rights management sub-platform publishes the attribute certificate;
Step 8: the rights management sub-platform uploads its data to the rights management main platform.
6. The method according to claim 5, characterized in that it further includes the following steps:
Step 1: the administrator modifies the authorization information through the rights management sub-platform;
Step 2: the rights management sub-platform searches for the attribute certificates related to the modified information;
Step 3: the rights management sub-platform adds those attribute certificates to the attribute certificate revocation list, and sends the revocation list together with the newly produced authorization relation to the rights management main platform;
Step 4: the rights management main platform signs and issues the new attribute certificate and the attribute certificate revocation list, and returns them to the rights management sub-platform;
Step 5: the rights management sub-platform deletes the corresponding attribute certificates according to the attribute certificate revocation list and publishes the new attribute certificate;
Step 6: the rights management sub-platform uploads its data to the rights management main platform.
7. The method according to claim 5, characterized in that it further includes the following steps:
Step 1: the user logs in to the application apparatus with a digital certificate;
Step 2: the application apparatus forwards the user's login request to the middleware device;
Step 3: the middleware device verifies the user's digital certificate information;
Step 4: the middleware device judges whether the user's digital certificate passes verification; if it does not pass verification, the flow turns to step 7 and ends;
Step 5: the middleware device judges whether the rights management sub-platform is working normally:
1) if it is not working normally, the middleware device obtains the attribute certificate of the user corresponding to the application apparatus from the PMI list server of the rights management sub-platform, and returns the corresponding application role information to the application apparatus;
2) if it is working normally:
(1) the middleware device, using the stored list of rights management sub-platforms, sends a connection request message to the other rights management sub-platforms in the list;
(2) the other rights management sub-platforms read the connection request message, download from the rights management main platform the attribute certificates related to the application apparatuses listed in that message, and publish those attribute certificates;
(3) the other rights management sub-platforms return a connection success message to the middleware device;
(4) the middleware device obtains the attribute certificate of the user corresponding to the application apparatus from the other rights management sub-platforms, and returns the corresponding application role information to the application apparatus;
Step 6: the application apparatus grants the user the corresponding access rights according to the application role information;
Step 7: the flow ends.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910217966.XA CN102088351B (en) 2009-12-08 2009-12-08 Authorization management system and implementation method thereof

Publications (2)

Publication Number Publication Date
CN102088351A CN102088351A (en) 2011-06-08
CN102088351B true CN102088351B (en) 2014-10-08

Family

ID=44099974

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant