Resource access authorization verification method and system
Technical field
The present invention relates to the Internet resources security fields, more particularly, relate to a kind of resource access authorization verification method and system that can be used between at least two systems.
Background technology
Current network Development is more and more faster, and the propagation velocity of information increases day by day.Protect for the resource on the network, paid close attention to by vast IT enterprises.The resource here includes, but are not limited to: the electronic scanned document of invoice bill, pay sheet, reimbursement voucher, encrypt file transmission, charge video, audio frequency, various documents etc.If resource is not protected, very possible chain, the file event such as divulge a secret occurs to steal.
Generally browsing complete page of an important phenomenon is not once all to be sent to client.If the request be one with the page of many pictures and out of Memory, it is the text of this page that Http request so at first is transmitted what return, then by the browser of client the explanation of this section text is carried out, find wherein to also have picture, the browser of client can send a Http request more so, this picture file can be sent to client so after this request is processed, then browser can be placed to picture the tram of the page, and complete page perhaps will can be by complete demonstration through sending many Http requests like this.
Based on such mechanism, will produce a problem, that steals the chain problem exactly: if be exactly the said information in the page that do not rise in the website, pictorial information for example, it fully can be with other website that is connected to of this picture so.Like this without any the website use of resource the resource of other website show the viewer, improved the visit capacity of oneself, and most of viewer can not find at an easy rate, obvious like this, be inequitable for that website that has been utilized resource.Some objectionable websites expand own site contents in order not increase cost, often usurp the link of other websites.Damage on the one hand the legitimate interests of original web, increased the weight of again on the other hand the burden of server.
If steal the easily image resource of browser server of chain person, just there is the possibility of divulging a secret in the significant data that comprises in the image so, and steals the URL link that the chain person only need to know picture, can download, deposit this locality to picture, be forwarded to other websites.
Summary of the invention
The technical problem to be solved in the present invention is, a kind of resource access authorization verification method and system that can effectively guarantee resource security is provided.
The technical solution adopted for the present invention to solve the technical problems is: a kind of resource access authorization verification method is provided, is used for the resource access between client-requested system and the Resource Supply system, may further comprise the steps:
S1: the client-requested system sends the resource request instruction, includes authentication secret and customer parameter information in the described resource request instruction;
S2: the Resource Supply system receives described resource request instruction, and described authentication secret is verified, checking is by then entering step S3;
S3: the Resource Supply system carries out the request permissions checking according to customer parameter information, after the request permissions checking is passed through, returns the resource corresponding with described resource request instruction.
In resource access authorization verification method of the present invention, described client-requested system and Resource Supply system are the Web application system.
In resource access authorization verification method of the present invention, described method also comprises step S4: described client-requested system and Resource Supply system be common to consult privately owned shared key, is provided with the key authentication database in the described Resource Supply system;
In described step S2, the authentication secret in the described resource request instruction is verified in described key authentication database checking is by then entering step S3, have no right visit information otherwise return.
In resource access authorization verification method of the present invention, described step S3 comprises:
S3-1: described Resource Supply system carries out the request permissions checking with the matched data in the internal memory of described customer parameter information and described Resource Supply system, after the request permissions checking is passed through, execution in step S3-2, when the request permissions checking can't be passed through, execution in step S3-3;
S3-2: described Resource Supply system is according to the described resource request instruction load resource output page, and when loading resource corresponding to resource output page face, again from the client-requested system that sends described resource request instruction, obtain customer parameter information, and carry out the request permissions checking with the matched data in the internal memory of described Resource Supply system, after the request permissions checking is passed through, return corresponding resource;
S3-3: the user library of storing in described customer parameter information and the described Resource Supply system is mated in described Resource Supply system, after coupling is passed through, described customer parameter information is written in the matched data in the internal memory of described Resource Supply system, again execution in step S3-1 and S3-2; When coupling can't by the time, return and have no right visit information.
In the described step S3-1 of resource access authorization verification method of the present invention, described customer parameter information comprises user name and the user right corresponding with user name; Described matched data comprises authorized user name and the authorized user authority corresponding with the authorized user name; Carrying out request permissions when checking, when described user name and user right can be with described authorized user name and authorized user permission matchs, by the request permissions checking, otherwise can't pass through.
In the described step S3-2 of resource access authorization verification method of the present invention, when loading resource corresponding to resource output page face, the OPADD of resolving resource corresponding label is transmitted to a Handle processing to every address; After this Handle receives the request of address, get access to the parameter value in the address, and again get acquisition customer parameter information in the client-requested system, after the request permissions checking is passed through, return corresponding resource according to the parameter value in the address.
In the described step S3-3 of resource access authorization verification method of the present invention, the mandate interface module of described Resource Supply system is called by described client-requested system by Web Service, by authorizing interface module to receive described customer parameter information, and with described Resource Supply system in the user library stored mate, after coupling is passed through, described customer parameter information is written in the matched data in the internal memory of described Resource Supply system.
The present invention also provides a kind of resource access authorization verification system, the client-requested system and the Resource Supply system that comprise connecting communication, described client-requested system comprises request module, be used for sending the resource request instruction, include authentication secret and customer parameter information in the described resource request instruction;
Described Resource Supply system comprises:
The access authentication module is used for checking from the authentication secret of described client-requested system;
The Authority Verification module is used for carrying out the request permissions checking from the customer parameter information of described client-requested system;
Processing module is used for the result according to described access authentication module and Authority Verification module, to processing from the resource request instruction of described client-requested system; And
Memory module stores key authentication database and user library.
In resource access authorization verification system of the present invention, described Resource Supply system also comprises:
Internal memory is used for the storage matched data; And
Authorize interface module, with described Memory linkage, be used for and mate from customer parameter information and the described user library of described client-requested system, and the described customer parameter information processing that will mate is described matched data, and be stored in the described internal memory.
In resource access authorization verification system of the present invention, described Authority Verification module and described Memory linkage will carry out the request permissions checking from customer parameter information and the matched data in the described internal memory of described client-requested system.
Implement the present invention and have following beneficial effect: by multiple-authentications such as authentication secret, request permissions checkings, guaranteed the fail safe of resource; And all checkings are all finished in the Resource Supply system, can effectively avoid illegally distorting of client-requested system, the fail safe that has improved resource.
In addition, since request permissions checking only need with internal memory in matching list carry out, matching list is as the relation data of light weight, avoided taking too much Resource Supply system resource, and database, the client-requested system with memory module of need not frequently carries out mutual frequently, Effective Raise runnability.
In addition, even leak at resource link, also can ensure the safety of this resource, because when disabled user's request resource is arranged, all the time all can arrive the Resource Supply system resource that conducts interviews, and during access resources, must verify mandate, the disabled user can't read resource all the time like this, thereby has guaranteed the fail safe of resource.
Description of drawings
The invention will be further described below in conjunction with drawings and Examples, in the accompanying drawing:
Fig. 1 is the schematic block diagram of an embodiment of resource access authorization verification system of the present invention;
Fig. 2 is the schematic flow diagram of authorisation step of an embodiment of resource access authorization verification method of the present invention;
Fig. 3 is the schematic flow diagram of resource request of an embodiment of resource access authorization verification method of the present invention.
Embodiment
As shown in Figure 1, be an embodiment of resource access authorization verification system of the present invention, but comprise client-requested system 10 and Resource Supply system 20 that communication connects.In the present embodiment, this client-requested system 10 and Resource Supply system 20 are the Web application system.Wherein, the Web application system is applied to Web Service technology, and Web Service is an application component, and its logicality is to provide geodata and services for other application programs.Each application program visits Web Service by some standard data formats (Http, XML, Soap) of procotol and regulation, obtains results needed by inner execution of Web Service.Web Service can carry out any function from simple request to complicated business processing.In case after disposing, the service that it is disposed can be found and call to other Web Service application programs.
Wherein, client-requested system 10 is used for to Resource Supply system 20 request resource, comprises request module 11, is used for sending the resource request instruction.Include authentication secret and customer parameter information etc. in this resource request instruction, certainly, also comprise the specifying information of request resource etc.
This Resource Supply system 20 for client-requested system 10 provides resource, comprises access authentication module 21, Authority Verification module 22, processing module 22, memory module 24, internal memory 25 etc. as server.
This access authentication module 21 is used for to verifying from the authentication secret of client-requested system 10, by authentication secret and key authentication database are compared checking, to determine that whether client-requested system 10 is as validated user.
This Authority Verification module 22 is used for carry out the request permissions checking from the customer parameter information of client-requested system 10, by the matched data in customer parameter information and the internal memory 25 is compared, to determine this client-requested system 10 whether the authority of corresponding resource is arranged.
The result that this processing module 22 is used for according to access authentication module 21 and Authority Verification module 22 is processed the resource request instruction from client-requested system 10, to return the resource of request by checking and request with authority.
This memory module 24 is used for storage key validation database and user library etc., and for verifying, licensing.
Further, this Resource Supply system 20 also is provided with authorizes interface module 26, be connected with internal memory 25, be used for and mate from the customer parameter information of client-requested system 10 and the user library of memory module 24, and with the coupling the customer parameter information processing be matched data, and be stored in the internal memory 25, use for Authority Verification module 22, be about to carry out the request permissions checking from customer parameter information and the matched data in the internal memory 25 of client-requested system 10.
Shown in Fig. 2,3, be an embodiment of resource access authorization verification method of the present invention.In the present embodiment, the method comprises checking configuration step, authorisation step and checking authorisation step etc.
(not shown) in configuration step, client-requested system 10 and the Resource Supply system 20 common privately owned shared keys (such as the Passport key) of consulting, be provided with the key authentication database in the Resource Supply system 20, identify thus whether Internet access Resource Supply system 20 of client-requested system 10.
Before providing system 20, access resources can read the key authentication database one time, the key that checking client Request System 10 is held.If meet the key that 20 allowances of Resource Supply system are called, just accessible resource provides system 20.If key does not meet, will be judged to be malice and authorize or authorize and illegally distorted, return and have no right to access.
This key can adopt the Passport key, specifies a private cipher key to deposit in the allocation list field of key authentication database by Resource Supply system 20.Key can carry to Resource Supply system 20 in client-requested system 10, carries out key authentication.If key conforms to the allocation list field, then think these client-requested system 10 Internet access; Otherwise visit information is had no right in output, for example, returns and haves no right access notifications, the notice etc. of makeing mistakes.
As shown in Figure 2, when client-requested system 10 sends resource request instruction request resource to Resource Supply system 20 (S201), must carry out request permissions checking (S202), Resource Supply system 20 carries out the request permissions checking with the matched data in customer parameter information and the internal memory 25, after the request permissions checking is passed through, return the resource corresponding with the resource request instruction (S203); When the request permissions checking can't be passed through, need authorize client-requested system 10.
The mandate interface module 26 of Resource Supply system 20 is called by client-requested system 10 by Web Service, by authorizing interface module 26 to receive customer parameter information (S204), and with the memory module 24 of Resource Supply system 20 in the user library of storage mate (S205), after coupling is passed through, customer parameter information is written in the matched data of internal memory 25 of Resource Supply system 20 (S206); When coupling can't by the time, return and have no right visit information (S207).
Understandable, can preserve overall matched data in this internal memory 25, preserve all authorized user names and the authorized user authority corresponding with this authorized user name in this table.And Resource Supply system 20 can record the authority record of this authorized user name, generates daily record, deposits database in.
Exactly because in internal memory 25, preserve the relation data of light weight, thus reach namely can be not too much the resource that takies Resource Supply system 20, can be not frequently not mutual with database, client-requested system 10 yet, the Effective Raise runnability.
As shown in Figure 3, be the flow chart that client-requested system 10 sends a resource request, at first, the user is to client-requested system 10 request resource.These users of checking of client-requested system 10 request of sending of whether having the right, if having the right, then client-requested system 10 sends the resource request instruction, includes authentication secret and customer parameter information in the resource request instruction; If have no right, then output haves no right to check prompting.
Client-requested system 10 loads user's resource request instruction, and the resource request instruction is issued to Resource Supply system 20, for example exports Resource Supply system 20 to by Web Server.
Resource Supply system 20 receives the resource request instruction, and the authentication secret of resource request instruction is verified, when checking can't be passed through, output had no right to check prompting; When checking is passed through, when this customer parameter information does not also write the internal memory 25 of Resource Supply system 20, carry out the foregoing step that client-requested system 10 is authorized.
When customer parameter information had deposited internal memory 25 in, client-requested system 10 quoted the resource output page of Resource Supply system 20; And, these users of checking of Resource Supply system 20 requests for page of whether having the right.
Resource Supply system 20 carries out the request permissions checking with the matched data in customer parameter information and the internal memory 25.Customer parameter information comprises user name and the user right corresponding with user name; Matched data comprises authorized user name and the authorized user authority corresponding with the authorized user name.Carrying out request permissions when checking, when user name and user right can be with authorized user name and authorized user permission matchs, by the request permissions checking, otherwise can't pass through.
When checking client Request System 10 was had no right the access resources output page, output had no right to check indication.
When the checking client Request System 10 Internet access resources output page, continue the corresponding resource whether checking has the right to ask this page, after checking is passed through, normal output.Otherwise output haves no right to check indication.
When loading resource corresponding to resource output page face, the OPADD of resolving resource corresponding label is transmitted to a Handle processing to every address; After this Handle receives the request of address, get access to the parameter value in the address, and again get acquisition customer parameter information in the client-requested system 10, after the request permissions checking is passed through, return corresponding resource according to the parameter value in the address; Thereby, even if the link of resource page is leaked or is circulated away, the visitor is when carrying out the page resource access, also need again authentication of users parameter information, the disabled user can't be by checking, just have no right to browse the resource of actual request, also can't carry out subscriber authorisation, further improved Security of the system.
In addition, even the resource of the client-requested system 10 output page is revealed or circulated away, illegal user still needs can play the risk that prevents resource stealing equally through above-mentioned mandate, checking, has further improved Security of the system.
Can be combined into as required various embodiment between above-mentioned each technical characterictic, again not do and give unnecessary details.Understandable, above embodiment has only expressed preferred implementation of the present invention, and it describes comparatively concrete and detailed, but can not therefore be interpreted as the restriction to claim of the present invention; Should be pointed out that for the person of ordinary skill of the art, without departing from the inventive concept of the premise, can carry out independent assortment to above-mentioned technical characterstic, can also make some distortion and improvement, these all belong to protection scope of the present invention; Therefore, all equivalents and modifications of doing with claim scope of the present invention all should belong to the covering scope of claim of the present invention.