A Schema-based XML security view query method
Technical field
The present invention relates to the field of secure access control for remote monitoring and diagnosis platforms for numerically controlled machine tools, and specifically to a Schema-based XML security view query method.
Background technology
High-end numerical control equipment is an electromechanically integrated product in which faults arise and propagate readily and in which the likelihood of misdiagnosis or missed diagnosis is high. Simple state detection of the machine tool's electrical components through self-diagnosis and the programmable logic controller (PLC) cannot meet the demand for healthy, reliable operation of numerical control equipment, and so remote monitoring and diagnosis platforms for numerically controlled machine tools have emerged. Such a platform can make full use of the network interfaces of open numerical control systems and of existing Internet resources to realize information sharing, monitoring and diagnosis, life prediction, and integration with third-party systems such as manufacturing execution systems and enterprise resource planning. Realizing it requires solving two problems: (1) the data interfaces and system integration specifications of geographically dispersed network nodes differ considerably, which makes numerical control equipment information heterogeneous and hard to integrate and share; (2) a remote terminal needs large volumes of data to be transmitted in order to reach an accurate judgment, and limiting factors such as network bandwidth and intrusion attacks may cause problems such as network transmission delay and access control security.
Extensible Markup Language (XML), as the standard for describing and exchanging data on the Web, is already widely used in industry. XML can therefore be used to model numerical control equipment information, machining process information and running state information and to express them in a standardized form, so that the information of each node in the platform is synchronized and shared. Although such XML-normalized information lets authorized users configure management functions on demand and recombine and use resources freely and efficiently in a complex networked manufacturing environment, it also introduces the problem of secure access control over sensitive information between heterogeneous network nodes. How to provide efficient and secure query access control for authorized users on heterogeneous networks has become a current research focus.
Driven by this engineering demand, research on XML information specification and secure access control has attracted wide attention. It mainly comprises the following three kinds of methods: (1) Access control methods based on the original XML document, which give users no Document Type Definition (DTD) or XML Schema Definition (XSD) through which to access the information in a structured way; their search algorithms are complex and their integrity overhead is large. (2) Access control methods based on the DTD document, which show the complete DTD document directly to all users; not only do queries and updates take a long time, but sensitive information paths cannot be hidden from the user, who may use seemingly safe query statements to obtain sensitive information protected by the access control model. (3) Access control methods based on DTD security views, which generate a security view for each user from a security policy defined on the original DTD document, provide control of information access within the scope of the user's authority, and modify the client's XPath query statement by query rewriting to prevent unauthorized users from reaching sensitive information either directly or by inference. However, the view generation and query efficiency of existing methods are not high, and the complexity of the DTD model itself makes it inconvenient for users to develop, use and extend for future requirements.
Summary of the invention
In view of the demand for secure exchange of heterogeneous information in remote monitoring and diagnosis platforms for numerically controlled machine tools, and of the shortcomings of existing XML secure access control methods described above, the technical problem to be solved by the present invention is to provide a Schema-based XML security view query method for the field of secure access control of numerically controlled machine tools that strengthens access control security, improves view generation and information query efficiency, reduces space overhead and improves extensibility.
To solve the above technical problem, the present invention adopts the following technical solution:
The Schema-based XML security view query method of the present invention comprises the following steps:
Build a remote monitoring and diagnosis platform for numerically controlled machine tools, and use XML Schema technology to model the numerical control equipment information, machining process information and running state information in the platform and express them in a standardized form, forming the original Schema document;
Through a graphical user interface, the system administrator sets operating permissions for the users who access the platform; according to those permission settings, the information nodes in the original Schema document are divided into three access restriction sets, namely the recursively inaccessible node set, the currently inaccessible node set and the conditionally accessible node set; all nodes outside these three sets are accessible nodes;
From the user permission specification produced by those settings and the original Schema document, the system uses the security view generation algorithm on the server side to automatically generate a new Schema document to which path_to_parent attributes have been added; while masking sensitive information, this preserves the original path information between the current node and its parent node;
The corresponding security view, obtained by removing the path_to_parent attributes, is stored on the client, which hides the paths of sensitive information and gives the user control of information queries within the scope of their authority;
The client issues queries against the security view; the server uses the query rewrite algorithm to rewrite the XPath query statement, converting the query acting on the view into an equivalent query acting on the original Schema document, and returns the query result to the client.
The remote monitoring and diagnosis platform comprises remote clients, a server, a router, the numerical control system, the numerically controlled machine tool, an embedded monitoring and diagnosis unit and the corresponding sensors.
The security view generation algorithm comprises the following steps:
Starting from the root node of the original Schema document, mark the node currently being processed;
Determine whether the current node has been traversed; if so, the subtree rooted at the current node has already been generated, and processing moves to the next sibling node of the current node;
Determine whether that sibling node exists; if so, mark it as the current node and repeat the previous step; if not, the breadth traversal rooted at the parent of the current node is finished and all child nodes of that parent have been processed, so mark the parent of the current node as traversed and record that parent as the current node;
Determine whether the current node is the root node; if not, move to the next sibling node of the current node and repeat the previous step; if so, generate the new Schema document, remove the path_to_parent attributes from it to generate the security view, and end the algorithm.
If the current node has not been traversed, further determine its access type with respect to the user's permissions; if the current node belongs to the recursively inaccessible node set, delete the current node and all of its descendant nodes, move to the next sibling node of the current node, and repeat the above view generation process.
If the current node belongs to the conditionally accessible node set, add the current node together with its condition query statement to the path information and store it in the path_to_parent attribute; then move to the first child node of the current node, mark that child node as the current node, and repeat the above view generation process.
If the current node belongs to the currently inaccessible node set, further determine whether the current node is the root node; if not, delete the current node and replace it with all of its child nodes, recording the current node in the path information at the same time; then move to the first child node of the current node, mark that child node as the current node, and repeat the above view generation process.
If the current node is the root node, further determine how many children it has; if it has more than one child, replace the current node with a virtually added dummy node and set its path_to_parent attribute to empty; then move to the first child node of the current node, mark that child node as the current node, and repeat the above view generation process.
If the current node has only one child node, replace the current node with that child node, move to that child node, mark it as the current node, and repeat the above view generation process.
If the current node is an accessible node, record the current node in the path information and store it in the path_to_parent attribute; then move to the first child node of the current node, mark that child node as the current node, and repeat the above view generation process.
The query rewrite algorithm comprises the following steps:
Split the XPath query statement entered at the client into multiple subquery statements according to the basic query expressions of XPath, and rewrite each subquery statement in the top-down order of the document tree;
In the new Schema document corresponding to the user's security view, search for the target node of the subquery statement, and mark the node at which the search starts as the temporary root node;
If the target node can be found, record the path of all nodes passed from the temporary root node to the target node, add all path_to_parent attributes on that path to the corresponding query statement, replace the original subquery statement with the newly recorded path information, and mark the target node as the new temporary root node of the new Schema document;
Determine whether any subquery statement remains unprocessed; if so, repeat the above steps; if not, the rewrite process is finished, the newly generated XPath query statement is returned, and the algorithm ends;
If the target node cannot be found, the current query is illegal, that is, the query statement entered by the user is illegal; the temporary root node of the new Schema document must be reset and the query terminated, and the algorithm ends.
The present invention has the following beneficial effects and advantages:
1. Security is effectively strengthened. The method not only builds a security view for a specific user's permissions, hiding sensitive information paths and masking sensitive information, but also supports Schema-based fine-grained access control and the processing of complex XPath query statements containing wildcards, qualifiers and the like, and therefore effectively strengthens the security of complex heterogeneous information exchange.
2. View generation and information query are efficient. The method uses the definition of three access restriction sets, which reduces the number of document tree node traversals during view generation, and stores path information in the node attribute path_to_parent, so that the original path is recovered by direct replacement in the client query statement; this removes the matching lookup between path information and nodes during query rewriting, so view generation and information query efficiency are high.
3. Space overhead is low. Although storing the security documents takes a certain amount of storage space, the definition of three access restriction sets reduces the number of nodes in the security document, and the document compression ratio is high; space overhead is therefore low and places no large burden on physical storage devices or network transmission.
4. Extensibility is good. The method describes XML document structure using Schema technology, which is written in the same syntax as XML and needs no special parser; it is easy for users to learn and to develop against for future requirements, so extensibility is good.
Brief description of the drawings
Fig. 1 is a schematic diagram of the remote monitoring and diagnosis platform for numerically controlled machine tools to which the method of the invention is applied;
Fig. 2 is the security view access control architecture diagram to which the method of the invention is applied;
Fig. 3 is the flow chart of the security view generation algorithm in the method of the invention;
Fig. 4 is the flow chart of the XPath query rewrite algorithm in the method of the invention;
Fig. 5 is a schematic diagram of the XML Schema document tree to which the method of the invention is applied;
Fig. 6 shows the algorithm execution time results for the method of the invention;
Fig. 7 shows the document compression ratio results obtained with the method of the invention.
Detailed description of the invention
The embodiments of the Schema-based XML security view query method of the present invention are described in detail below with reference to the drawings and examples.
Fig. 1 is a schematic diagram of the remote monitoring and diagnosis platform for numerically controlled machine tools to which the method of the invention is applied. In this figure, temperature, noise and vibration sensors collect the mechanical load state information of the whole machine tool and its core subsystems, which is processed by the embedded monitoring and diagnosis unit and sent to the server; the numerical control system, together with the fieldbus, obtains equipment information, machining process information and electrical state information and sends them to the server; the server packages the information using XML Schema and provides it to remote clients through the router, and at the same time receives query information and control information from the remote clients and sends it to the numerical control equipment.
Fig. 2 is the security view access control architecture diagram to which the method of the invention is applied. In this figure, XML technology is used to model the equipment information, machining process information and running state information of the numerical control system and the numerically controlled machine tool; the legal structure of the resulting XML document database is defined in the Schema language, forming the original Schema document S; the system administrator sets operating permissions for users through a graphical user interface, forming the user permission specification R; from the user permission specification and the original Schema document, the system uses the security view generation algorithm on the server side to automatically generate the new Schema document NS, to which path_to_parent attributes have been added; removing the path_to_parent attributes from NS gives its corresponding security view Sv, which is stored on the client; the client issues queries against Sv, and the server, working from the NS document corresponding to Sv, uses the query rewrite algorithm to rewrite the XPath query statement, converting the query acting on Sv into an equivalent query acting on S; the query result is returned to the client.
Fig. 3 is the flow chart of the security view generation algorithm in the method of the invention. The new Schema document NS sets a path_to_parent attribute on each node to preserve the original path information between the current node and its parent node. Nr is the recursively inaccessible node set: a node in it, and all of that node's descendant nodes, are inaccessible. Nl is the currently inaccessible node set: a node in it is itself inaccessible but has accessible descendant nodes. Nq is the conditionally accessible node set: a node in it is accessible under a condition, and [q] denotes the condition restriction statement. All nodes outside these three access restriction sets are accessible nodes.
For the nodes in the three access restriction sets Nr, Nl and Nq and for accessible nodes, the security view generation algorithm comprises the following steps:
Starting from the root node Root of the original Schema document S, generate the new Schema document NS and the security view Sv;
Use A to mark the node currently being processed;
Determine whether node A has been traversed; if so, the subtree rooted at A has already been generated, and processing moves to the next sibling node of A;
Determine whether A has a next sibling node; if it does, mark that sibling node as A and repeat the above process;
If A has no next sibling node, the breadth traversal rooted at the parent of A is finished and all child nodes of the parent of A have been processed; mark the parent of A as traversed and mark that parent as A, then determine whether A is the root node; if not, move to the next sibling node of A and repeat the above process;
If A is the root node, generate NS, remove the path_to_parent attributes from it to generate Sv, and end the algorithm;
If A has not been traversed, determine the access type of A with respect to the user's permissions; if node A belongs to the set Nr, delete A and all of its descendant nodes, move to the next sibling node of A, and repeat the above process;
If A belongs to the set Nq, add the condition query statement q to the path information TPath, record A in TPath, and store it in the path_to_parent attribute; then move to the first child node of A, mark that child node as A, and repeat the above process;
If A belongs to the set Nl, further determine whether A is the root node; if not, delete A and replace it with all of its child nodes, recording A in TPath at the same time; then move to the first child node of A, mark that child node as A, and repeat the above process;
If A is the root node, further determine how many children A has; if it has more than one child, replace A with a virtually added dummy node and set its path_to_parent attribute to empty; then move to the first child node of A, mark that child node as A, and repeat the above process;
If A has only one child node, replace A with that child node, move to that child node, mark it as A, and repeat the above process;
If A is an accessible node, record A in TPath and store it in the path_to_parent attribute; then move to the first child node of A, mark that child node as A, and repeat the above process.
Fig. 4 is the flow chart of the XPath query rewrite algorithm in the method of the invention. It comprises the following steps:
Split the XPath query statement entered at the client into multiple subquery statements according to the basic query expressions of XPath, mark one of the subquery statements as P, and carry out the rewrite in the top-down order of the document tree;
In the new Schema document NS corresponding to the user's security view Sv, search for the target node of P, and mark the node at which the search starts as SRoot;
If the target node can be found, record the path of all nodes passed from SRoot to the target node, add all path_to_parent attributes on that path to the corresponding query statement, replace P with the newly recorded path information, and mark the target node as the new SRoot of NS;
Determine whether any other subquery statement remains unprocessed; if so, repeat the above process; if not, the rewrite process is finished, the newly generated XPath query statement is returned, and the algorithm ends;
If the target node cannot be found, the current query is illegal, that is, the query statement entered by the user is illegal; the SRoot of NS must be reset and the query terminated, and the algorithm ends.
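The view generation and query rewrite steps above, as an added Python sketch that is not the patent's own code: it builds NS and Sv from a constructed schema tree and rewrites child-axis queries over Sv into paths over S. It assumes unique element names, an accessible root, plain child steps without wildcards, and recursion in place of the iterative traversal of Fig. 3; Node, build_ns, strip_view, view_names and rewrite are hypothetical names.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)
    path_to_parent: str = ""      # set only in NS; empty in S and in Sv

def build_ns(node, n_r, n_l, n_q, hidden=""):
    """Return the NS node(s) that stand in for `node` under its visible parent."""
    if node.name in n_r:          # Nr: drop node and subtree without visiting it
        return []
    step = f"{hidden}/{node.name}" if hidden else node.name
    if node.name in n_l:          # Nl: drop node, promote children, keep the step
        promoted = []
        for child in node.children:
            promoted += build_ns(child, n_r, n_l, n_q, hidden=step)
        return promoted
    if node.name in n_q:          # Nq: keep node, record its qualifier [q]
        step += f"[{n_q[node.name]}]"
    ns = Node(node.name, path_to_parent=step)
    for child in node.children:
        ns.children += build_ns(child, n_r, n_l, n_q)
    return [ns]

def strip_view(ns):
    """Sv: the NS tree with every path_to_parent removed (what the client sees)."""
    return Node(ns.name, [strip_view(c) for c in ns.children])

def view_names(node):
    """All element names reachable in a tree, to check what a view exposes."""
    return {node.name} | {n for c in node.children for n in view_names(c)}

def rewrite(query, ns_root):
    """Rewrite a child-axis XPath over Sv into the equivalent path over S.
    Returns None when a step has no target in the view (illegal query)."""
    steps = [s for s in query.split("/") if s]
    if not steps or steps[0] != ns_root.name:
        return None
    sroot, out = ns_root, [ns_root.path_to_parent]
    for step in steps[1:]:
        target = next((c for c in sroot.children if c.name == step), None)
        if target is None:
            return None           # stop early; nothing reaches the original
        out.append(target.path_to_parent)
        sroot = target            # the target becomes the new SRoot
    return "/" + "/".join(out)

# Constructed sample schema tree S and policy (not taken from Fig. 5).
S = Node("machine", [
    Node("device", [Node("model"), Node("vendor_contract")]),
    Node("internal", [
        Node("spindle", [Node("temperature"), Node("vibration")]),
        Node("axis"),
    ]),
    Node("events", [Node("alarm")]),
])
N_R = {"vendor_contract"}                 # recursively inaccessible
N_L = {"internal"}                        # currently inaccessible
N_Q = {"events": "@level='warning'"}      # conditionally accessible, with [q]

NS = build_ns(S, N_R, N_L, N_Q)[0]        # root assumed accessible
SV = strip_view(NS)

if __name__ == "__main__":
    for q in ("/machine/spindle/temperature", "/machine/events/alarm",
              "/machine/internal/spindle", "/machine/device/vendor_contract"):
        print(q, "->", rewrite(q, NS))
```

A query that names a hidden node is rejected by the lookup in NS, so the decision is made before anything is evaluated against the original document.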
To verify the validity of the method, the Schema-based XML security view query method of the present invention was studied through theoretical analysis and experimental testing.
The method not only builds a security view for a specific user's permissions, hiding sensitive information paths and masking sensitive information, but also supports Schema-based fine-grained access control and the processing of complex XPath query statements containing wildcards, qualifiers and the like, which strengthens the security of complex heterogeneous information exchange.
The security view generation algorithm of the present invention uses the restriction sets Nr, Nl and Nq to represent the access permissions of nodes. It traverses the nodes in the Schema document and matches each against the three access restriction sets. If a node belongs to Nr, neither the node nor its descendant nodes can be contained in Sv, and its descendant nodes need not be traversed, which reduces the number of node traversals. If a node belongs to Nl, the node cannot be contained in Sv, but the sets to which its descendant nodes belong still have to be determined. If a node belongs to Nq, the node must be contained in Sv. If a node matches none of the three sets, it is an accessible node and must be contained in Sv. The time complexity of this algorithm is therefore O(M*N), where M = |Sv| + |Nr| + |Nl| and N = |Nr| + |Nl| + |Nq|; M is the number of nodes traversed, |Sv| is the number of nodes in the security view, and |Nr|, |Nl| and |Nq| are the numbers of nodes in the sets Nr, Nl and Nq. During view generation the method stores path information directly in the node attribute path_to_parent, and the query rewrite algorithm recovers the original path by direct replacement in the query statement, which removes the matching lookup between path information and nodes; the time complexity of that algorithm is therefore O(|p|*|NS|), where |p| is the number of basic query expressions in the query statement and |NS| is the number of nodes in the NS document. Compared with existing access control methods based on security views, the view generation and information query efficiency of the method are greatly improved.
The method is implemented with Schema technology, which is written in the same syntax as XML and needs no special parser, so it is easy for users to learn and develop against; it supports data types and namespaces, can establish a common description of XML document information within a domain, protects data communication in a formal manner, and can be extended freely for future requirements, giving better extensibility.
Fig. 5 is a schematic diagram of the XML Schema document tree to which the method of the invention is applied. The method was applied in the remote monitoring and diagnosis platform for numerically controlled machine tools, part of the platform's original Schema document was extracted, and the security view generation algorithm and the query rewrite algorithm were tested experimentally. The document tree contains device description information nodes, continuous data stream information nodes, discrete event stream information nodes and attribute information nodes, 177 label nodes in total, and the document size is 25 KB.
In the experiment, the three access restriction sets Nr, Nl and Nq are first generated at random to simulate the establishment of different user permissions; then the time taken by the security view generation algorithm and the size of the newly generated Schema file NS are recorded; finally the execution time of the query rewrite algorithm is tested on a representative query statement.
Fig. 6 shows the algorithm execution time results for the method of the invention. The average time taken by the security view generation algorithm is 3.96 ms and the average time taken by the query rewrite algorithm is 0.84 ms; the time overhead is small and meets the demand for stable system operation. Some runs of the query rewrite algorithm take very little time, only about 0.1 ms, because in those cases the query statement is illegal with respect to the generated security view, so the execution of the query rewrite algorithm is terminated early.
Fig. 7 shows the document compression ratio results obtained with the method of the invention. The definition of the three access restriction sets reduces the number of nodes in the NS file (the Sv file corresponding to the NS file is smaller still); the new file achieves an average compression of about 27%, and the maximum can exceed 80%. Therefore, although storing the security documents with the method described here takes a certain amount of storage space, the document compression ratio is high and the space cost is small; it places no large burden on physical storage devices or network transmission and can effectively improve XPath query efficiency.
The above results show that the method has the advantages of strong access control security, high view generation and information query efficiency, low space overhead and good extensibility; it can be applied in the field of secure access control for remote monitoring and diagnosis platforms for numerically controlled machine tools and has good application prospects.