CN102457509B - Cloud computing resources safety access method, Apparatus and system - Google Patents


Info

Publication number: CN102457509B
Authority: CN (China)
Prior art keywords: resource, information, server, visited, access
Legal status: Active
Application number: CN201010530222.6A
Other languages: Chinese (zh)
Other versions: CN102457509A (en)
Inventors: 陈小华, 周扬
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud computing resource secure access method, comprising: a resource information trustee server provides a logged-in user with the relevant information of a resource; after the cloud computing service provider server receives a resource access request sent by the user, it checks whether the request carries an access credential for the resource to be accessed and, if it does not, obtains the information of the service provider server to which the resource belongs and sends an authentication request to that service provider server; the authentication request carries the user's identification information and the information of the resource to be accessed, and the service provider server authenticates the user, performs access control and issues access control information for the resource; the cloud computing service provider server authenticates that access control information and, after authentication passes, provides the resource to the user. The invention also discloses a cloud computing resource secure access apparatus. The invention improves the efficiency with which users access service resources.

Description

Cloud computing resource secure access method, apparatus and system
Technical field
The present invention relates to resource access technology, and in particular to a cloud computing resource secure access method, apparatus and system.
Background technology
Cloud computing combines distributed processing, parallel processing and grid computing. Its core idea is to manage and schedule a large number of network-connected computing resources in a unified way, forming a pool of computing resources that serves users on demand.
By using cloud computing services, a service provider can reduce its operating cost and provide users with reliable resource access. More and more service providers are choosing cloud computing services to deliver their services to users.
The service provider rents the cloud computing service provider's service and stores its service resources with the cloud computing service provider. At present, the main way a service provider delivers services to users through cloud computing is: the user first logs in to the service provider's website; the service provider obtains the service resource from the cloud computing service provider; and the service provider then delivers the service to the user.
This approach has several drawbacks. First, the channels through which a service provider can deliver services to users are limited, since every service must pass through the service provider. Second, it demands a large service capacity from the service provider: the service provider acts as a resource relay station for a large number of users, which increases its load, whereas in a cloud environment the service provider wants to use the cloud to simplify deployment and reduce cost; the relay role contradicts that goal and adds to the service provider's burden. Third, the flexibility with which users can consume the service provider's resources is limited: a user can only obtain the resources a service provider rents from the cloud computing service provider by logging in to that service provider.
However, as cloud computing applications develop, service providers want to deliver resources to users in a variety of ways, and users want to access the cloud computing service provider flexibly, anywhere and at any time, to obtain the services the service provider delivers through it. At the same time, user resources support the service provider's core business, so the service provider naturally wants to prohibit users from accessing the cloud computing service provider directly, in order to keep those user resources from being exposed to the cloud computing service provider. A better security scheme for cloud computing applications is therefore needed: one that gives the service provider a convenient way to deliver services, gives the user a flexible way to access resources, and still protects the service provider's user resources.
There is therefore an urgent need for a resource access technique that both provides users with a flexible way to access resources and protects the user resources of the service provider server. Unfortunately, since cloud computing technology is still at the discussion stage, no relevant technical scheme is currently available for reference.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a cloud computing resource secure access method, apparatus and system that make it convenient for users to access service resources while protecting the service provider's user resources.
To achieve the above purpose, the technical scheme of the present invention is realised as follows:
A cloud computing resource secure access method, comprising:
a resource information trustee server provides a logged-in user with the relevant information of a service provider's resource;
after the cloud computing service provider server receives a resource access request sent by the user, it checks whether the resource access request carries an access control credential for the resource to be accessed; if not, it obtains the information of the service provider server to which the resource belongs from the resource information carried in the request, and sends a resource access control request to that service provider server. The service provider server authenticates the user and performs access control based on the user's identification information, and issues access control information for the resource to be accessed. The resource access control request carries the user's identification information and the information of the resource to be accessed, and the access control information for the resource includes authorization information for the resource;
the cloud computing service provider server authenticates the access control information for the resource, received from the user or from the service provider server, and after authentication passes provides the resource to the user; or the cloud computing service provider server authenticates the access control information received from the user or the service provider server and, after authentication passes, provides the user with access authority information for the resource, and after receiving that access authority information back from the user, provides the resource to the user.
Preferably, the resource information trustee server is the service provider server, the cloud computing service provider server, or an independent server set up by an enterprise, and it provides the service provider's resource information to users.
Preferably, issuing the access control information for the resource to be accessed specifically comprises:
issuing the access control information for the resource to the user or to the cloud computing service provider server; when it is issued to the user, the user sends the access control information for the resource to the cloud computing service provider server.
Preferably, before the resource information trustee server provides the logged-in user with the relevant information of the resource, the method further comprises:
the service provider server receives the user's registration request and provides the user with a login identifier and a password;
and the resource information trustee server providing the logged-in user with the relevant information of the resource specifically comprises:
the resource information trustee server presents resource information to the user on behalf of the service provider;
the service provider server shares the user's login identifier and password information with the resource information trustee server, and when the resource information trustee server verifies that the login identifier and password entered by the user are correct, it provides the user with the relevant information of the resource.
Preferably, the method further comprises:
after the resource information trustee server verifies that the login identifier and password entered by the user are correct, it presents the service provider's resource information to the user.
Preferably, the relevant information of the resource comprises the user number that the service provider server assigns to the user, the resource number, and the identification information of the service provider server.
Preferably, the relevant information of the resource also comprises the validity period of the resource;
the identification information of the service provider server comprises the IP address of the service provider server together with its name, communication port identifier or hardware identifier.
Preferably, the access authorization comprises: the service provider server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
A cloud computing resource secure access apparatus, comprising a first providing unit, a first receiving unit, a determining unit, a first authentication unit, a second authentication unit and a second providing unit, wherein:
the first providing unit provides a logged-in user with the relevant information of a resource;
the first receiving unit receives the resource access request sent by the user, which carries the user's identification information and the information of the resource to be accessed;
the determining unit checks whether the resource access request carries an access control credential for the resource to be accessed, and triggers the first authentication unit when it does not;
the first authentication unit obtains the information of the service provider server to which the resource belongs from the resource information carried in the request and sends an access control request, carrying the user's identification information and the information of the resource to be accessed, to that service provider server; the service provider server authenticates the user and performs access control based on the user's identification information, and issues access control information for the resource;
the second authentication unit authenticates the access control information for the resource received from the user or from the service provider;
the second providing unit provides the resource to the user once the second authentication unit's authentication completes; or, once that authentication completes, it provides the user with access authority information for the resource and, after receiving that access authority information back from the user, provides the resource to the user.
Preferably, the access control information of the access authorization comprises: the service provider server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
A cloud computing resource secure access system, comprising a resource information trustee server, a service provider server and a cloud computing service provider server, wherein:
the resource information trustee server provides a logged-in user with the relevant information of a resource;
the cloud computing service provider server, after receiving the resource access request sent by the user, checks whether the request carries an access control credential for the resource to be accessed and, if not, obtains the information of the service provider server to which the resource belongs from the resource information carried in the request and sends a resource access control request, carrying the user's identification information and the information of the resource to be accessed, to that service provider server; it authenticates the access control information for the resource received from the user or from the service provider and, after authentication passes, provides the resource to the user; or it authenticates the access control information received from the user or the service provider server and, after authentication passes, provides the user with access authority information for the resource, and after receiving that access authority information back from the user provides the resource to the user;
the service provider server authenticates the user and performs access control based on the user's identification information, and issues the access control information for the resource to be accessed.
Preferably, before the resource information trustee server provides the logged-in user with the relevant information of the resource, the service provider server receives the user's registration request and provides the user with a login identifier and a password;
the service provider server shares the user's login identifier and password information with the resource information trustee server, and when the resource information trustee server verifies that the login identifier and password entered by the user are correct, it provides the user with the relevant information of the resource.
Preferably, the access authorization comprises: the service provider server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
In the present invention, the user first registers and logs in through the resource information trustee server and obtains the relevant information of the resource to be accessed; the resource is then accessed through the cloud computing service provider server based on that information, and during the access the service provider server authenticates the user's identity and performs access control, which ensures the security of the resource access. The invention gives users a simple means of accessing resources, reduces the cost of setting up the system, lets users access resources flexibly and improves the efficiency of resource access.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the cloud computing resource secure access system of the present invention;
Fig. 2 is a flowchart of the cloud computing resource secure access method of the present invention;
Fig. 3 is a schematic diagram of the composition of the cloud computing resource secure access apparatus of the present invention.
Detailed description of the embodiments
The basic idea of the present invention is as follows: a resource information trustee server provides a logged-in user with the relevant information of a resource; after the cloud computing service provider server receives a resource access request sent by the user, it checks whether the request carries an access control credential for the resource to be accessed and, if not, obtains the information of the service provider server to which the resource belongs from the resource information carried in the request and sends an authentication request to that service provider server; the authentication request carries the user's identification information and the information of the resource to be accessed, and the service provider server authenticates the user and performs access control based on the user's identification information, and issues access control information for the resource to be accessed. The cloud computing service provider server authenticates the access control information received from the service provider and, after authentication passes, provides the resource to the user.
Fig. 1 is a schematic diagram of the composition of the cloud computing resource secure access system of the present invention. As shown in Fig. 1, the system comprises a resource information trustee server, a service provider server and a cloud computing service provider server, wherein:
the resource information trustee server provides a logged-in user with the relevant information of a resource;
the cloud computing service provider server, after receiving the resource access request sent by the user, checks whether the request carries an access control credential for the resource to be accessed and, if not, obtains the information of the service provider server to which the resource belongs from the resource information carried in the request and sends a resource access control request, carrying the user's identification information and the information of the resource to be accessed, to that service provider server; it authenticates the access control information for the resource received from the user or from the service provider and, after authentication passes, provides the resource to the user; or it authenticates the access control information received from the user or the service provider server and, after authentication passes, provides the user with access authority information for the resource, and after receiving that access authority information back from the user provides the resource to the user;
the service provider server authenticates the user and performs access control based on the user's identification information, and issues the access control information for the resource to be accessed.
In the present invention, the resource information trustee is an information platform for the resources offered by the service provider, and presents resource information to users on behalf of the service provider. The service provider itself can act as the resource information trustee; so can the cloud computing service provider; and the resource information trustee can also be an independent third-party company. The service provider server tells the resource information trustee server which resource services and resource information it offers, and the trustee server then presents that resource information to users; it may also build combinations of the resource information it has obtained and present those to users. The resource information here may be basic resource units or combinations of resource units, and a resource includes the service elements, computing resources and other resources the service provider offers; in terms of services, for example, a telecommunications company may offer individual services as well as service packages.
The user can obtain resource information from the resource information trustee (or service provider) server and then access the resource from the cloud computing service provider server; or, after obtaining the resource information, the user can assemble it as required into a resource combination that meets the service it wants, and then submit that resource information combination to the cloud computing service provider server.
The service provider server authenticates the user's identity at the request of the cloud computing service provider server and, based on the results of certain application actions by the user, issues access control information.
After the cloud computing service provider server sends an authentication request to the service provider server, the service provider server can issue the access control information to the cloud computing service provider server, which then provides the user with the resource service (such as a business service) according to that access control information.
Before the resource information trustee server provides the logged-in user with the relevant information of the resource, the service provider server receives the user's registration request and provides the user with a login identifier and a password;
the service provider server shares the user's login identifier and password information with the resource information trustee server, and when the resource information trustee server verifies that the login identifier and password entered by the user are correct, it provides the user with the relevant information of the resource.
The service provider server issues the access control information for the resource to the user and sends it to the cloud computing service provider server.
The access authority information comprises: the service provider server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
The relevant information of the resource comprises the user number that the service provider server assigns to the user, the resource number, and the identification information of the service provider server.
The relevant information of the resource also comprises the validity period of the resource; the identification information of the service provider server comprises the IP address of the service provider server together with its name, communication port identifier or hardware identifier.
In the present invention, cloud computing resources include cloud storage resources and the like.
The following describes how, in the present invention, a user accesses a resource located on a service provider server through the cloud computing service provider server.
Fig. 2 is a flowchart of the cloud computing resource secure access method of the present invention. As shown in Fig. 2, the method comprises the following steps:
Step 201: the user obtains the relevant information of the resource to be accessed.
Specifically, in step 201 the user first logs in to the resource information trustee server by entering a username and password at the client. After the resource information trustee server verifies the user's identity, it sends the user a list of resource information; the user selects the resource information to be accessed, and the trustee server sends the corresponding resource information to the user.
The communication between the client and the resource information trustee server proceeds as follows:
The user starts the client program and enters the username and password. The client program logs in to the authentication server over SSL (Secure Sockets Layer), starts a session, and sends the username and the corresponding password to the resource information trustee server.
The login password can be processed by the client with the MD5 algorithm when the user registers with the service provider server. In this case the client sends the MD5-processed password to the resource information trustee server, and the trustee server matches on the MD5 value, so the user's password itself is not disclosed.
The service provider server shares the username and the MD5 value of the password saved at registration with the resource information trustee server. The trustee server then matches the MD5 value of the username and password: if they do not match it returns an error message; if they match it returns the resource information list resourcelist of the service provider server.
The user selects the resource information to be accessed from the resource list and sends the selection to the resource information trustee server, which returns the corresponding resource information ticket to the user. The resource information ticket can be encrypted with the system key. The system key K_s is a key shared by the resource information trustee server, the service provider server and the cloud computing service provider server. The trustee server also sends the user the IP address IP_c of the cloud computing service provider server.
The resource information ticket contains the user number N_u, the resource number N, the service provider server identifier ID_s and the service provider server IP address IP_s, and may also contain a time value time during which the user may use this ticket to access the resource, i.e. ticket = {N_u, N, ID_s, IP_s, time}K_s.
The user then receives the resource information ticket and stores it locally together with the IP_c used to access the cloud computing service provider server, and the session between them ends.
The session between the client and the resource information trustee server is as follows:
the client sends {username + [password]MD5}SSL to the resource information trustee server;
the resource information trustee server sends {resourcelist}SSL to the client;
the client sends {N}SSL to the resource information trustee server;
the resource information trustee server sends {IP_c, ticket}SSL to the client, where ticket = {N_u, N, ID_s, IP_s, time}K_s.
Here username is the user's login username, password is the corresponding password, [password]MD5 indicates that the password has been processed with MD5, and the session is carried over the SSL protocol. The resource number N can also denote a set of many resource information items.
Step 202: the user obtains the authorized token_v for the resource to be accessed.
In step 202, after obtaining the relevant information of the resource to be accessed, the user still cannot access the resource directly with that information; the user first needs to obtain an access token for the resource. The following describes in detail how the user obtains the authorized token_v.
The user initiates a resource access request using the cloud computing service provider server IP address IP_c sent by the resource information trustee server, and sends the resource access ticket to the cloud computing service provider server.
The cloud computing service provider server decrypts the ticket with the system key K_s and obtains the service provider server's ID_s and IP_s and the user number N_u. It authenticates the service provider server's ID_s and IP_s by looking up the service provider server's registration information. If authentication passes, it issues an unauthorized token and sends it to the user. The unauthorized token can be encrypted with the system key K_s.
The unauthorized token_e contains the cloud computing service provider server's ID_c and IP_c, the number N of the resource to be accessed, and a time value time during which the token can be used, i.e. unauthorized token_e = {ID_c, IP_c, N, time}K_s.
Of course, when the user is to obtain the authorized token_v, the cloud computing service provider server sends the user a request P_t to obtain the authorized token_v. Before sending a resource access request to the cloud computing service provider server, the user checks whether it has already obtained the authorized token_v. If the user already holds the access token_v, the final resource access flow can be executed directly.
The following describes the case where the user has not yet obtained the authorized token_v.
The user sends the unauthorized token_e to the cloud computing service provider server to request the authorized token_v. The cloud computing service provider server sends a request to the service provider server asking it to provide the access control information for the user's access to the resource. The service provider server looks up the user's access authority for the resource and issues the resource access authority value V to the cloud computing service provider server.
The basic flow between the cloud computing service provider server and the service provider server is as follows:
The user sends the unauthorized token_e to the cloud computing service provider server;
the cloud computing service provider server initiates access to the service provider server's IP_s and sends it the resource information N to be accessed, the resource access authority request P_v and the user number N_u. This resource access authority request message can be encrypted with the system key K_s.
The service provider server decrypts the resource access authority request with the system key K_s, obtains the user number N_u, looks up the user's IP address IP_c by that number, initiates access to the user's IP_c and asks the user to submit a resource access authority application.
The user applies to the service provider server for resource access authority. Specifically, in the present invention, the service provider server sends the user's client a page jump action_i, which may require the user to log in to the service provider server's website; the client then jumps to the service provider server's site. The user enters the username and password and logs in to the service provider site. The service provider server verifies the username and password against the user's registration information in its database and, if they agree, allows the user access. The service provider server then sends the user's client a page jump action_e to the authorization page for the resource N to be accessed, where the user can select an authority request action_v, such as payment, asking the service provider server to allow access to resource N.
The service provider server issues the resource access authority V according to the application and sends the authority value V to the cloud computing service provider server. The transmission is encrypted with the system key K_s.
The cloud computing service provider server decrypts with the system key K_s to obtain the resource access authority value V, encapsulates the authority value V into the authorized token_v, and sends the authorized token_v to the user. The authorized token_v can be encrypted with the system key K_s when it is sent.
The authorized token_v can contain the server identifier ID_c and IP address IP_c, the resource number N, the authority value V and the time limit time for which the authorized token_v can be used, i.e. authorized token_v = {ID_c, IP_c, N, time, V}K_s.
The session flow among the cloud computing service business server, the service provider's server and the client is expressed in terms of these parameters as follows:
The user sends {ticket} to the cloud computing service business server through the client;
The cloud computing service business server sends {P_t, token_e} to the user client;
The user sends {token_e}SSL to the cloud computing service business server through the client;
The cloud computing service business server sends {{N, N_U, P_v}K_S}SSL to the service provider's server;
The service provider's server sends {action_i}SSL to the user client;
The user sends {username, password}SSL to the service provider's server through the client;
The service provider's server sends {action_e}SSL to the user client;
The user sends {{N, action_v}K_C}SSL to the service provider's server through the client;
The service provider's server sends {{N, V}K_S}SSL to the cloud computing service business server;
The service provider's server sends {token_v}SSL to the user client;
token_v = {ID_C, IP_C, N, time, V} K_S
Step 203: the user obtains the resource access token_a and accesses the relevant resource to be accessed.
In step 203, the user sends a request to the cloud computing service business server using the access token_v; the cloud computing service business server authenticates the access token_v and sends the resource access token_a to the user. After receiving the resource access token_a, the user can use it to retrieve the resource from the cloud computing service business server.
The basic procedure between the user and the cloud computing service business server is as follows:
The client sends the access token_v to the cloud computing service business server and requests the resource access token_a from it. The content of the access token_v is identical to that of the token_v described above.
The cloud computing service business server decrypts the access token_v with the system key and authenticates the resource access permission information; once authentication passes, it issues the corresponding access token_a and sends it to the user. The access token_a may comprise the identification information ID_C of the service provider's server, the resource number N, the resource storage path D, the resource access constraint L, and the time limit time within which the resource may be accessed. That is, access token_a = {ID_C, N, D, L, time} K_S.
The user receives the access token_a and uses it to send a resource access request to the cloud computing service business server.
The cloud computing service business server decrypts the access token_a with the system key and checks the resource access constraint information L; if the check passes, it locates the resource according to L, provides the resource to be accessed to the user, and sends the resource corresponding to the resource number to the user.
The session flow between the cloud computing service business server and the client is expressed in terms of these parameters as follows:
The user sends {{token_v}K_S}SSL to the cloud computing service business server through the client;
The cloud computing service business server sends {token_a}SSL to the user client;
The user sends {token_a}SSL to the cloud computing service business server through the client;
The cloud computing service business server sends {resource}SSL to the user client; where token_a = {ID_C, N, D, L, time} K_S.
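The three token formats above (token_e from step 202, token_v, and token_a from step 203) and the checks the cloud computing service business server performs on them, modelled in Python. This is an added example, not code from the patent or from ZTE. The patent says the tokens are encrypted under the system key K_S but names no cipher; this example seals each token with HMAC-SHA256 over a canonical JSON encoding instead (an assumption: the fields stay readable, and the tag plus the time field give the integrity and expiry checks the flow depends on). The resource access constraint L is modelled as a dictionary of allowed operations, and the SSL transport, key K_S, IDs, IP addresses, resource number, storage path and resource bytes are all constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time as clock

# Constructed sample system key K_S (assumption: shared by the cloud computing
# service business server and the service provider's server).
K_S = b"constructed-sample-system-key-K_S"

# Constructed resource store of the cloud computing service business server:
# resource storage path D -> resource bytes.
RESOURCES = {"/store/N1001": b"constructed resource payload for N1001"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(fields: dict, key: bytes = K_S) -> str:
    """Produce {fields}K_S. Assumption: the patent's encryption under K_S is
    modelled as HMAC-SHA256 over canonical JSON; the tag detects any change."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def unseal(token: str, expected_kind: str, key: bytes = K_S, now=None) -> dict:
    """Verify the tag (constant-time), the token kind and the time limit.
    Raises ValueError on any failure so a bad token is never acted on."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("token integrity check failed")
    fields = json.loads(body)
    if fields.get("kind") != expected_kind:
        raise ValueError(f"expected token_{expected_kind}, got token_{fields.get('kind')}")
    now = clock.time() if now is None else now
    if now > fields["time"]:
        raise ValueError("token time limit exceeded")
    return fields


def issue_token_e(ID_C: str, IP_C: str, N: str, lifetime: int = 300, now=None) -> str:
    """Unauthorized token_e = {ID_C, IP_C, N, time}K_S, issued after the ticket check."""
    now = clock.time() if now is None else now
    return seal({"kind": "e", "ID_C": ID_C, "IP_C": IP_C, "N": N, "time": now + lifetime})


def issue_token_v(token_e: str, V: str, lifetime: int = 600, now=None) -> str:
    """Authorization token_v = {ID_C, IP_C, N, time, V}K_S: verify token_e, then wrap
    the permission value V received from the service provider's server."""
    e = unseal(token_e, "e", now=now)
    now = clock.time() if now is None else now
    return seal({"kind": "v", "ID_C": e["ID_C"], "IP_C": e["IP_C"], "N": e["N"],
                 "time": now + lifetime, "V": V})


def issue_token_a(token_v: str, D: str, L: dict, lifetime: int = 60, now=None) -> str:
    """Access token_a = {ID_C, N, D, L, time}K_S, issued only once the permission
    information in token_v authenticates. Assumption: L lists allowed operations."""
    v = unseal(token_v, "v", now=now)
    if not v.get("V"):
        raise ValueError("token_v carries no permission value V")
    now = clock.time() if now is None else now
    return seal({"kind": "a", "ID_C": v["ID_C"], "N": v["N"], "D": D, "L": L,
                 "time": now + lifetime})


def serve_resource(token_a: str, requested_N: str, operation: str, now=None) -> bytes:
    """Final step: check token_a, enforce constraint L, locate and return the resource.
    The requested resource number must be the N bound into the token."""
    a = unseal(token_a, "a", now=now)
    if a["N"] != requested_N:
        raise ValueError("token_a is bound to a different resource number")
    if operation not in a["L"].get("operations", []):
        raise ValueError(f"operation {operation!r} not permitted by constraint L")
    try:
        return RESOURCES[a["D"]]
    except KeyError:
        raise ValueError("resource storage path D not found")


def full_flow(now: float) -> bytes:
    """Run the whole exchange with constructed values at a fixed clock."""
    token_e = issue_token_e("cloud-01", "198.51.100.10", "N1001", now=now)
    token_v = issue_token_v(token_e, V="read", now=now)
    token_a = issue_token_a(token_v, D="/store/N1001", L={"operations": ["read"]}, now=now)
    return serve_resource(token_a, "N1001", "read", now=now)


if __name__ == "__main__":
    print(full_flow(clock.time()))
```

Each issuing function only accepts the token kind that precedes it in the flow, so a token_e cannot be replayed where a token_v is expected, and every check failure raises rather than returning a partial result; the time field is an absolute expiry, which is what makes the per-token lifetimes (token_a shortest) enforceable at the server.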
Fig. 3 is a schematic diagram of the composition of the cloud computing resource secure access device of the present invention. As shown in Fig. 3, the cloud computing resource secure access device of the present invention comprises a first providing unit 30, a first receiving unit 31, a determining unit 32, a first authentication unit 33, a second authentication unit 34 and a second providing unit 35, where:
The first providing unit 30 is configured to provide the resource information to the logged-in user;
The first receiving unit 31 is configured to receive the resource access request sent by the user, the resource access request carrying the user's identification information and the information of the resource to be accessed;
The determining unit 32 is configured to check whether the resource access request carries an access control credential for the resource to be accessed, and to trigger the first authentication unit if it does not;
The first authentication unit 33 is configured to obtain the information of the service provider's server to which the resource to be accessed belongs according to the resource information carried in the resource access request, and to send an access control request to that service provider's server, the access control request carrying the user's identification information and the information of the resource to be accessed; the service provider's server authenticates the user and performs access control according to the user's identification information, and issues the access control information for the resource to be accessed;
The second authentication unit 34 is configured to authenticate the access control information for the resource to be accessed received from the user and, after authentication passes, to provide the access permission information for the resource to be accessed to the user;
The second providing unit 35 is configured to provide the resource to be accessed to the user after the second authentication unit 34 completes authentication; or, after the second authentication unit 34 completes authentication, to provide the access permission information for the resource to be accessed to the user and, after receiving the access permission information for the resource to be accessed sent by the user, to provide the resource to be accessed to the user.
The resource information comprises the user number information assigned to the user by the service provider's server, the resource number information and the service provider's server identification information. The resource information may also comprise the validity time information of the resource;
The service provider's server identification information comprises the IP address information of the service provider's server, together with the name information, the communication port identification information or the hardware identifier information of the service provider's server.
The access permission information comprises: the service provider's server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
Those skilled in the art should understand that the cloud computing resource secure access device shown in Fig. 3 of the present invention is designed to implement the foregoing cloud computing resource secure access method, and the function of each processing unit above can be understood with reference to the related description of that method. The function of each processing unit in the figure may be implemented by a program running on a processor, or by specific logic circuits.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (13)

1. A cloud computing resource secure access method, characterized in that the method comprises:
a resource information delegate server provides the information of the service provider's resources to a logged-in user;
after the cloud computing service business server receives the resource access request sent by the user, it checks whether the resource access request carries an access control credential for the resource to be accessed; if not, it obtains the information of the service provider's server to which the resource to be accessed belongs according to the resource information carried in the resource access request, and sends a resource access control request to that service provider's server; the service provider's server authenticates the user and performs access control according to the user's identification information, and issues the access control information for the resource to be accessed; wherein the resource access control request carries the user's identification information and the information of the resource to be accessed, and the access control information for the resource to be accessed comprises the authorization information for the resource to be accessed;
the cloud computing service business server authenticates the access control information for the resource to be accessed received from the user or from the service provider's server and, after authentication passes, provides the resource to be accessed to the user; or the cloud computing service business server authenticates the access control information for the resource to be accessed received from the user or from the service provider's server and, after authentication passes, provides the access permission information for the resource to be accessed to the user, and after the cloud computing service business server receives the access permission information for the resource to be accessed sent by the user, it provides the resource to be accessed to the user.
2. The method according to claim 1, characterized in that the resource information delegate server is the service provider's server, the cloud computing service business server or an independent third-party server, and is used to provide the service provider's resource information to the user.
3. The method according to claim 1, characterized in that issuing the access control information for the resource to be accessed specifically comprises:
issuing the access control information for the resource to be accessed to the user or to the cloud computing service business server; wherein, when the resource access control information is issued to the user, the user sends the access control information for the resource to be accessed to the cloud computing service business server.
4. The method according to claim 1, characterized in that, before the resource information delegate server provides the resource information to the logged-in user, the method further comprises:
the service provider's server receives the user's registration request and provides the user with a login identifier and an access code;
the resource information delegate server providing the resource information to the logged-in user specifically comprises:
the resource information delegate server presents the service provider's resource information to the user on the service provider's behalf;
the service provider's server shares the user's login identifier and access code information with the resource information delegate server, and the resource information delegate server provides the resource information to the user when it verifies that the login identifier and access code information entered by the user are correct.
5. The method according to claim 4, characterized in that the method further comprises:
after the resource information delegate server verifies that the login identifier and access code entered by the user are correct, it presents the service provider's resource information to the user.
6. The method according to claim 1, characterized in that the resource information comprises the user number information assigned to the user by the service provider's server, the resource number information and the service provider's server identification information.
7. The method according to claim 6, characterized in that the resource information further comprises the validity time information of the resource;
the service provider's server identification information comprises the IP address information of the service provider's server, together with the name information, the communication port identification information or the hardware identifier information of the service provider's server.
8. The method according to claim 1, characterized in that the access permission information comprises: the service provider's server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
9. A cloud computing resource secure access device, characterized in that the device comprises a first providing unit, a first receiving unit, a determining unit, a first authentication unit, a second authentication unit and a second providing unit, wherein:
the first providing unit is configured to provide the resource information to the logged-in user;
the first receiving unit is configured to receive the resource access request sent by the user, the resource access request carrying the user's identification information and the information of the resource to be accessed;
the determining unit is configured to check whether the resource access request carries an access control credential for the resource to be accessed, and to trigger the first authentication unit if it does not;
the first authentication unit is configured to obtain the information of the service provider's server to which the resource to be accessed belongs according to the resource information carried in the resource access request, and to send an access control request to that service provider's server, the access control request carrying the user's identification information and the information of the resource to be accessed; the service provider's server authenticates the user and performs access control according to the user's identification information, and issues the access control information for the resource to be accessed;
the second authentication unit is configured to authenticate the access control information for the resource to be accessed received from the user or from the service provider;
the second providing unit is configured to provide the resource to be accessed to the user after the second authentication unit completes authentication; or, after the second authentication unit completes authentication, to provide the access permission information for the resource to be accessed to the user and, after receiving the access permission information for the resource to be accessed sent by the user, to provide the resource to be accessed to the user.
10. The device according to claim 9, characterized in that the access permission information comprises: the service provider's server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
11. A cloud computing resource secure access system, characterized in that the system comprises a resource information delegate server, a service provider's server and a cloud computing service business server; wherein:
the resource information delegate server is configured to provide the resource information to the logged-in user;
the cloud computing service business server is configured to: after receiving the resource access request sent by the user, check whether the resource access request carries an access control credential for the resource to be accessed; if not, obtain the information of the service provider's server to which the resource to be accessed belongs according to the resource information carried in the resource access request, and send a resource access control request to that service provider's server, the resource access control request carrying the user's identification information and the information of the resource to be accessed; and authenticate the access control information for the resource to be accessed received from the user or from the service provider and, after authentication passes, provide the resource to be accessed to the user; or authenticate the access control information for the resource to be accessed received from the user or from the service provider's server and, after authentication passes, provide the access permission information for the resource to be accessed to the user, and, after receiving the access permission information for the resource to be accessed sent by the user, provide the resource to be accessed to the user;
the service provider's server is configured to authenticate the user and perform access control according to the user's identification information, and to issue the access control information for the resource to be accessed.
12. The system according to claim 11, characterized in that, before the resource information delegate server provides the resource information to the logged-in user, the service provider's server receives the user's registration request and provides the user with a login identifier and an access code;
the service provider's server shares the user's login identifier and access code information with the resource information delegate server, and the resource information delegate server provides the resource information to the user when it verifies that the login identifier and access code entered by the user are correct.
13. The system according to claim 11, characterized in that the access permission information comprises: the service provider's server identification information, the resource number, the resource storage path, the resource access constraint and the time limit for accessing the resource.
CN201010530222.6A 2010-11-02 2010-11-02 Cloud computing resources safety access method, Apparatus and system Active CN102457509B (en)

Publications (2)

Publication Number Publication Date
CN102457509A CN102457509A (en) 2012-05-16
CN102457509B true CN102457509B (en) 2015-09-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant