An XML security view query method based on Schema
Technical field
The present invention relates to the field of secure access control for remote monitoring and diagnosis platforms for CNC machine tools, and specifically to an XML security view query method based on Schema.
Background art
High-end numerical control equipment is an electromechanically integrated product in which the likelihood of faults occurring, faults propagating, and faults being misdiagnosed or missed in diagnosis is very high. Simple state detection of the machine tool's electrical components through self-diagnosis and the programmable logic controller (PLC) cannot meet the demand for healthy, reliable operation of numerical control equipment, and remote monitoring and diagnosis platforms for CNC machine tools have emerged as a result. Such a platform can make full use of the network interface of an open CNC system and of existing Internet resources to achieve information sharing, monitoring and diagnosis, life prediction, and integration with third-party systems such as manufacturing execution systems and enterprise resource planning. Realizing it, however, requires solving two problems: (1) the data interfaces and system integration specifications of geographically dispersed network nodes differ considerably, which makes numerical control equipment information heterogeneous and hard to integrate and share; (2) when a remote terminal needs large volumes of data to be transmitted in order to reach an accurate judgment, limiting factors such as network bandwidth and intrusion attacks may cause problems such as network transmission delay and access control security.
Extensible Markup Language (eXtensible Markup Language, XML), as the implementation standard for data description and exchange on the Web, is already widely used in industry. XML technology can therefore be used to model and give a standardized representation of numerical control equipment information, machining process information and running state information, so that the information of each node in the platform is synchronized and shared. Although this standardized XML information lets authorized users configure management functions on demand and achieve free recombination and efficient use of resources in a complex networked manufacturing environment, it also introduces the problem of secure access control over sensitive information between heterogeneous network nodes. How to provide efficient, secure query access control for authorized users of heterogeneous networks has become a current research focus.
Driven by this engineering demand, research on XML information standards and secure access control has attracted wide attention. It mainly comprises the following three research methods: (1) Access control methods based on the original XML document do not provide the user with a Document Type Definition (DTD) or XML Schema Definition (XSD) for structured access to information; their search algorithms are complex and the integrity overhead is large. (2) Access control methods based on the DTD document expose the complete DTD document directly to all users; not only do queries and updates take a long time, but sensitive information paths cannot be hidden from the user, who may then use seemingly safe query statements to obtain sensitive information protected by the access control model. (3) Access control methods based on DTD security views define a security policy on the original DTD document, generate security views for different users, provide access control over information within the user's authority, and modify the client's XPath query statements through query rewriting to prevent unauthorized users from accessing sensitive information directly or by inference. However, the view generation and query efficiency of existing methods is not high, and because of the complexity of the DTD model itself, it is not easy for users to develop, use and extend them for future requirements.
Summary of the invention
In view of the demand for secure exchange of heterogeneous information in a CNC machine tool remote monitoring and diagnosis platform, and of the above shortcomings of existing XML secure access control methods, the technical problem to be solved by the present invention is to provide an XML security view query method based on Schema, for the field of secure access control for CNC machine tools, that strengthens access control security, improves view generation and information query efficiency, reduces space overhead and improves extensibility.
To solve the above technical problem, the technical solution adopted by the present invention is as follows:
The XML security view query method based on Schema of the present invention comprises the following steps:
Build the CNC machine tool remote monitoring and diagnosis platform, and use XML Schema technology to model and give a standardized representation of the numerical control equipment information, machining process information and running state information in the platform, forming the original Schema document;
Through a graphical user interface, the system administrator sets operation permissions for the users who access the CNC machine tool remote monitoring and diagnosis platform. For each user's permission settings, the information nodes in the original Schema document are divided into three access restriction sets: the recursively inaccessible node set, the currently inaccessible node set and the conditionally accessible node set. Nodes outside these three sets are all accessible nodes;
According to the user permission specification generated from these settings and the original Schema document, the system uses the security view generation algorithm on the server side to automatically generate a new Schema document with an added path_to_parent attribute, which preserves the original path information between the current node and its parent node while sensitive information is masked;
The corresponding security view, obtained by removing the path_to_parent attribute, is stored on the client, thereby hiding sensitive information paths and giving the user information query control within the scope of their authority;
The client issues queries against the security view; the server uses the query rewriting algorithm to rewrite the XPath query statement, converting the query on the view into an equivalent query on the original Schema document, and returns the query result to the client.
The CNC machine tool remote monitoring and diagnosis platform comprises remote clients, a server, a router, the CNC system, the CNC machine tool, an embedded monitoring and diagnosis unit and the corresponding sensors.
The security view generation algorithm comprises the following steps:
Starting from the root node of the original Schema document, mark the node currently being processed;
Judge whether the current node has been traversed. If so, the branch subtree rooted at the current node has already been generated, and processing moves to the next sibling of the current node;
Judge whether this sibling node exists. If it does, mark it as the current node and repeat the previous step. If not, the breadth traversal rooted at the parent of the current node has finished and all children of that parent have been processed; mark the parent of the current node as traversed and record this parent as the current node;
Judge whether the current node is the root node. If not, processing moves to the next sibling of the current node and the previous step is repeated. If so, generate the new Schema document, remove the path_to_parent attribute from it to generate the security view, and the algorithm ends.
If the current node has not been traversed, further judge the access category of the current node with respect to the user's permissions. If the current node belongs to the recursively inaccessible node set, delete the current node and all of its descendant nodes, move on to the next sibling of the current node, and repeat the above view generation process.
If the current node belongs to the conditionally accessible node set, add the current node to the path information together with the condition query statement and store it in the path_to_parent attribute; then move on to the first child of the current node, mark that child as the current node, and repeat the above view generation process.
If the current node belongs to the currently inaccessible node set, further judge whether the current node is the root node. If not, delete the current node, replace it with all of its child nodes, and at the same time record the current node in the path information; then move on to the first child of the current node, mark that child as the current node, and repeat the above view generation process.
If the current node is the root node, further judge the number of children of the current node. If it has more than one child, replace the current node with an added virtual dummy node whose path_to_parent attribute is set to empty; then move on to the first child of the current node, mark that child as the current node, and repeat the above view generation process.
If the current node has only one child node, replace the current node with that child, move on to that child, mark it as the current node, and repeat the above view generation process.
If the current node is an accessible node, record the current node in the path information and store it in the path_to_parent attribute; then move on to the first child of the current node, mark that child as the current node, and repeat the above view generation process.
The query rewriting algorithm comprises the following steps:
Split the XPath query statement entered at the client into several sub-query statements according to the basic query expressions of XPath; take one of the sub-query statements and rewrite it, following the top-down order of the document tree;
In the new Schema document corresponding to the user's security view, search for the target node of this sub-query statement, and mark the node at which the search starts as the temporary root node;
If the target node is found, record the path through all nodes passed from the temporary root node to the target node, add all the path_to_parent attributes along this path to the corresponding query statement, replace the original sub-query statement with the newly recorded path information, and mark the target node as the new temporary root node of the new Schema document;
Judge whether any sub-query statement remains unprocessed. If so, repeat the above steps; if not, the rewriting is complete: return the newly generated XPath query statement, and the algorithm ends;
If the target node cannot be found, the current query is illegal, that is, the query statement entered by the user is illegal; reset the temporary root node of the new Schema document and terminate the query, and the algorithm ends.
The present invention has the following beneficial effects and advantages:
1. Security is effectively strengthened. The method can not only build a security view for a specific user's permissions, hiding sensitive information paths and masking sensitive information, but also supports Schema-based fine-grained access control and the processing of complex XPath query statements containing wildcards, qualifiers and the like, and therefore effectively strengthens the security of complex heterogeneous information exchange.
2. View generation and information query are efficient. The method defines three access restriction sets, which reduces the number of document tree node traversals during view generation, and stores path information in the node's path_to_parent attribute so that the original path is recovered by direct replacement in the client query statement; this removes the matching and lookup of path information against nodes during query rewriting, so view generation and information query are efficient.
3. Space overhead is low. Although storing the security document takes up some storage space, the definition of three access restriction sets reduces the number of nodes in the security document and the document compression ratio is high; space overhead is therefore low and places no great burden on physical storage devices or network transmission.
4. Extensibility is good. The method describes XML document structure using Schema technology, which is written in the same syntax as XML and needs no special parser; it is easy for users to learn and to develop for future requirements, so extensibility is good.
Brief description of the drawings
Fig. 1 is a schematic diagram of the CNC machine tool remote monitoring and diagnosis platform to which the method of the invention is applied;
Fig. 2 is the security view access control architecture diagram for the method of the invention;
Fig. 3 is the flow chart of the security view generation algorithm in the method of the invention;
Fig. 4 is the flow chart of the XPath query rewriting algorithm in the method of the invention;
Fig. 5 is a schematic diagram of the XML Schema document tree to which the method of the invention is applied;
Fig. 6 shows the algorithm execution time results for the method of the invention;
Fig. 7 shows the document compression ratio results obtained using the method of the invention.
Detailed description of the embodiments
An embodiment of the XML security view query method based on Schema of the present invention is described in detail below with reference to the drawings and examples.
Fig. 1 is a schematic diagram of the CNC machine tool remote monitoring and diagnosis platform to which the method is applied. In this figure, temperature, noise and vibration sensors collect mechanical load state information for the whole CNC machine tool and its core subsystems; after processing by the embedded monitoring and diagnosis unit, this information is sent to the server. The CNC system, together with the fieldbus, obtains equipment information, machining process information and electrical state information and sends them to the server. The server packages the information using XML Schema and provides it to remote clients through the router; it also receives query information and control information from remote clients and sends them to the numerical control equipment.
Fig. 2 is the security view access control architecture diagram for the method. In this figure, XML technology is used to model the equipment information, machining process information and running state information of the CNC system and CNC machine tool; the legal structure of the resulting XML document database is defined in the Schema language, forming the original Schema document S. Through the graphical user interface, the system administrator sets operation permissions for the user, forming the user permission specification R. According to the user permission specification and the original Schema document, the system uses the security view generation algorithm on the server side to automatically generate the new Schema document NS with the added path_to_parent attribute. Removing the path_to_parent attribute from NS yields the corresponding security view S_v, which is stored on the client. The client issues queries based on S_v; the server, based on the NS document corresponding to S_v, uses the query rewriting algorithm to rewrite the XPath query statement, converting the query on S_v into an equivalent query on S; the query result is returned to the client.
Fig. 3 is the flow chart of the security view generation algorithm in the method. The new Schema document NS sets a path_to_parent attribute on each node to preserve the original path information between the current node and its parent node. N_r is the recursively inaccessible node set: a node in it is itself inaccessible, as are all of its descendant nodes. N_l is the currently inaccessible node set: a node in it is itself inaccessible but has accessible descendant nodes. N_q is the conditionally accessible node set: a node in it is accessible subject to a condition, and [q] denotes the condition restriction statement. Nodes outside these three access restriction sets are all accessible nodes.
For the nodes in the three access restriction sets N_r, N_l and N_q and for accessible nodes, the security view generation algorithm comprises the following steps:
Starting from the root node Root of the original Schema document S, generate the new Schema document NS and the security view S_v;
Use A to mark the node currently being processed;
Judge whether node A has been traversed. If so, the branch subtree rooted at A has already been generated, and processing moves to the next sibling of A;
Judge whether A has a next sibling node. If it does, mark that sibling as A and repeat the above process;
If A has no next sibling node, the breadth traversal rooted at the parent of A has finished and all children of the parent of A have been processed; mark the parent of A as traversed and mark that parent as A. Then judge whether A is the root node; if not, processing moves to the next sibling of A and the above process is repeated;
If A is the root node, generate NS, remove the path_to_parent attribute from it to generate S_v, and the algorithm ends;
If A has not been traversed, judge the access category of A with respect to the user's permissions. If A belongs to the set N_r, delete A and all of its descendant nodes, move on to the next sibling of A, and repeat the above process;
If A belongs to the set N_q, add the condition query statement q to the path information TPath, record A in TPath and store it in the path_to_parent attribute; then move on to the first child of A, mark that child as A, and repeat the above process;
If A belongs to the set N_l, further judge whether A is the root node. If not, delete A, replace it with all of its child nodes, and at the same time record A in TPath; then move on to the first child of A, mark that child as A, and repeat the above process;
If A is the root node, further judge the number of children of A. If it has more than one child, replace A with an added virtual dummy node whose path_to_parent attribute is set to empty; then move on to the first child of A, mark that child as A, and repeat the above process;
If A has only one child node, replace A with that child, move on to that child, mark it as A, and repeat the above process;
If A is an accessible node, record A in TPath and store it in the path_to_parent attribute; then move on to the first child of A, mark that child as A, and repeat the above process.
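The following Python sketch of the view generation procedure is an added example, not part of the patent text. It uses a recursive walk in place of the sibling/parent traversal described above, models the Schema document tree with a hypothetical Node class, identifies nodes by name, and runs on a constructed sample tree and policy; all of these are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)
    path_to_parent: str = ""          # filled in only for nodes of NS

def build(node, n_r, n_l, n_q, tpath=(), is_root=True):
    """Return the NS nodes that stand in for `node`: none, one or several."""
    if node.name in n_r:                      # N_r: drop node and whole subtree
        return []
    if node.name in n_l:                      # N_l: drop node, lift its children
        hidden = tpath + (node.name,)         # hidden step is kept in TPath
        kids = [k for c in node.children
                for k in build(c, n_r, n_l, n_q, hidden, False)]
        # Assumption of this sketch: count the children that survive
        # filtering, so the view always has exactly one root.
        if is_root and len(kids) != 1:
            return [Node("dummy", kids, "")]  # virtual root, empty path_to_parent
        return kids
    step = node.name                          # accessible or N_q: node is kept
    if node.name in n_q:
        step += f"[{n_q[node.name]}]"         # condition [q] travels with the path
    kept = Node(node.name, path_to_parent="/".join(tpath + (step,)))
    for c in node.children:
        kept.children += build(c, n_r, n_l, n_q, (), False)
    return [kept]

def generate_ns(root, n_r, n_l, n_q):
    """New Schema document NS (server side), or None if nothing is visible."""
    top = build(root, n_r, n_l, n_q)
    return top[0] if top else None

def to_view(ns):
    """Security view S_v (client side): NS with path_to_parent removed."""
    return Node(ns.name, [to_view(c) for c in ns.children])

def paths(node, prefix=""):
    """Flatten a tree into {view path: path_to_parent} for inspection."""
    here = f"{prefix}/{node.name}"
    out = {here: node.path_to_parent}
    for c in node.children:
        out.update(paths(c, here))
    return out

# Constructed sample schema tree and policy (not taken from the patent).
SCHEMA = Node("Machine", [
    Node("DeviceInfo", [Node("Model"), Node("SerialNo")]),
    Node("Process", [Node("Program"),
                     Node("ToolTable", [Node("ToolOffset")])]),
    Node("Status", [Node("Alarm", [Node("Code")]), Node("SpindleTemp")]),
])
N_R = {"ToolTable"}            # recursively inaccessible
N_L = {"Process"}              # currently inaccessible, children may be visible
N_Q = {"Alarm": "@level<3"}    # conditionally accessible, with condition q

if __name__ == "__main__":
    ns = generate_ns(SCHEMA, N_R, N_L, N_Q)
    for view_path, ptp in paths(ns).items():
        print(f"{view_path:32} path_to_parent={ptp}")
```

In the output, Program sits directly under Machine in the view while its path_to_parent still records the hidden Process step, which is what the server needs to restore the original path.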
Fig. 4 is the flow chart of the XPath query rewriting algorithm in the method. It comprises the following steps:
Split the XPath query statement entered at the client into several sub-query statements according to the basic query expressions of XPath; mark one of the sub-query statements as P and rewrite it, following the top-down order of the document tree;
In the new Schema document NS corresponding to the user's security view S_v, search for the target node of P, and mark the node at which the search starts as SRoot;
If the target node is found, record the path through all nodes passed from SRoot to the target node, add all the path_to_parent attributes along this path to the corresponding query statement, replace P with the newly recorded path information, and mark the target node as the new SRoot of NS;
Judge whether any other sub-query statement remains unprocessed. If so, repeat the above process; if not, the rewriting is complete: return the newly generated XPath query statement, and the algorithm ends;
If the target node cannot be found, the current query is illegal, that is, the query statement entered by the user is illegal; reset the SRoot of NS and terminate the query, and the algorithm ends.
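The following Python sketch of the query rewriting procedure is an added example, not part of the patent text. It generalizes the single SRoot to a set of matched nodes so that wildcard and descendant steps rewrite to a union, and it rejects client predicates outright; the NS layout, the function names and the sample NS document are constructed assumptions.

```python
import re

class IllegalQuery(Exception):
    """The query names something the view does not expose, or uses
    syntax this sketch does not rewrite."""

def ns_node(name, path_to_parent, *kids):
    return {"name": name, "ptp": path_to_parent, "kids": list(kids)}

# Constructed NS document: view node name plus its path_to_parent attribute.
NS = ns_node("Machine", "Machine",
    ns_node("DeviceInfo", "DeviceInfo",
            ns_node("Model", "Model"), ns_node("SerialNo", "SerialNo")),
    ns_node("Program", "Process/Program"),          # parent "Process" is hidden
    ns_node("Status", "Status",
            ns_node("Alarm", "Alarm[@level<3]", ns_node("Code", "Code")),
            ns_node("SpindleTemp", "SpindleTemp")))

STEP = re.compile(r"(//|/)([A-Za-z_][\w.-]*|\*)")   # axis + name test

def split_steps(xpath):
    """Split into basic steps. Anything else (predicates, functions) fails
    closed: a client predicate passed through unrewritten would be evaluated
    against the original document, including its hidden nodes."""
    steps, pos = [], 0
    while pos < len(xpath):
        m = STEP.match(xpath, pos)
        if not m:
            raise IllegalQuery(f"unsupported syntax at offset {pos}")
        steps.append(m.groups())
        pos = m.end()
    if not steps:
        raise IllegalQuery("empty query")
    return steps

def extend(prefix, kid):
    # A dummy root has an empty path_to_parent and contributes no step.
    return f"{prefix}/{kid['ptp']}" if kid["ptp"] else prefix

def descendants(node, prefix):
    """Yield (original path, NS node) for every proper descendant of node."""
    for kid in node["kids"]:
        path = extend(prefix, kid)
        yield path, kid
        yield from descendants(kid, path)

def rewrite(xpath, ns_root=NS):
    """Rewrite an XPath over S_v into an XPath over the original document."""
    doc = {"name": None, "ptp": "", "kids": [ns_root]}
    frontier = [("", doc)]                  # (rewritten prefix, current SRoot)
    for axis, test in split_steps(xpath):
        if axis == "/":
            found = [(extend(p, k), k) for p, n in frontier for k in n["kids"]]
        else:
            found = [hit for p, n in frontier for hit in descendants(n, p)]
        frontier = [(p, k) for p, k in found if test in ("*", k["name"])]
        if not frontier:                    # target not in the view: stop here
            raise IllegalQuery(f"{axis}{test} is not in the security view")
    return " | ".join(dict.fromkeys(p for p, _ in frontier))

if __name__ == "__main__":
    for q in ("/Machine/Program", "//Alarm/Code", "/Machine/*"):
        print(f"{q:20} -> {rewrite(q)}")
```

A query that spells out the hidden path, such as /Machine/Process/Program, is rejected even though that path exists in the original document, because the lookup runs against NS only.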
To verify the effectiveness of the method, the XML security view query method based on Schema of the present invention was studied through theoretical analysis and experimental testing.
The method can not only build a security view for a specific user's permissions, hiding sensitive information paths and masking sensitive information, but also supports Schema-based fine-grained access control and the processing of complex XPath query statements containing wildcards, qualifiers and the like, strengthening the security of complex heterogeneous information exchange.
The security view generation algorithm of the present invention uses the restriction sets N_r, N_l and N_q to represent the access rights of nodes; each node traversed in the Schema document is matched against the three access restriction sets in turn. If a node belongs to N_r, neither the node nor its descendants can be included in S_v, and its descendants need not be traversed, which reduces the number of node traversals. If a node belongs to N_l, the node cannot be included in S_v, but its descendants still need to be checked to determine which set they belong to. If a node belongs to N_q, the node must be included in S_v. If a node matches none of the three sets, it is an accessible node and must be included in S_v. The time complexity of this algorithm is therefore O(M*N), where M = |S_v| + |N_r| + |N_l| and N = |N_r| + |N_l| + |N_q|; M is the number of nodes traversed, |S_v| is the number of nodes in the security view, and |N_r|, |N_l| and |N_q| are the numbers of nodes in the sets N_r, N_l and N_q. During view generation the method stores path information directly in the node's path_to_parent attribute, and the query rewriting algorithm recovers the original path by direct replacement in the query statement, which removes the matching and lookup of path information against nodes; the time complexity of this algorithm is therefore O(|p|*|NS|), where |p| is the number of basic query expressions in the query statement and |NS| is the number of nodes in the NS document. Compared with existing access control methods based on security views, the view generation and information query efficiency of the method is greatly improved.
The method is implemented using Schema technology, which is written in the same syntax as XML and needs no special parser, making it easy for users to learn and develop with. It supports data types and namespaces, can create a common description of XML document information within a domain, protects data communication in a formal way, and can be freely extended for future requirements, giving it better extensibility.
Fig. 5 is a schematic diagram of the XML Schema document tree to which the method is applied. The method was applied in a CNC machine tool remote monitoring and diagnosis platform; part of its original Schema document was extracted, and the security view generation algorithm and query rewriting algorithm were tested experimentally. The document tree comprises device description information nodes, continuous data stream information nodes, discrete event stream information nodes and attribute information nodes, 177 label nodes in total, and the document size is 25 KB.
In the experiment, the three access restriction sets N_r, N_l and N_q were first generated at random to simulate the establishment of different user permissions; the time taken by the security view generation algorithm and the size of the newly generated Schema file NS were then recorded; finally, the execution time of the query rewriting algorithm was tested for a representative query statement.
Fig. 6 shows the algorithm execution time results for the method. The average time taken by the security view generation algorithm is 3.96 ms and the average time taken by the query rewriting algorithm is 0.84 ms; the time overhead is small and can meet the requirement of stable system operation. In some cases the query rewriting algorithm takes very little time, only about 0.1 ms, because the query statement is illegal for the security view generated in those cases, so execution of the query rewriting algorithm stops early.
Fig. 7 shows the document compression ratio results obtained using the method. The definition of three access restriction sets reduces the number of nodes in the NS document (the S_v file corresponding to the NS file is smaller still); the new file achieves an average compression of about 27%, and the maximum can exceed 80%. Therefore, although storing the security document as described here takes up some storage space, the document compression ratio is high and space consumption is small; it places no great burden on physical storage devices or network transmission and can effectively improve XPath query efficiency.
The above results show that the method has the advantages of strong access control security, efficient view generation and information query, low space overhead and good extensibility; it can be applied to the field of secure access control for CNC machine tool remote monitoring and diagnosis platforms and has good application prospects.