CN103618758B - Web server and system resource access control method thereof - Google Patents

Publication number
CN103618758B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310530031.3A
Other languages
Chinese (zh)
Other versions
CN103618758A (en
Inventor
张任重
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sina Technology China Co Ltd
Original Assignee
Sina Technology China Co Ltd
Application filed by Sina Technology China Co Ltd filed Critical Sina Technology China Co Ltd
Priority to CN201310530031.3A priority Critical patent/CN103618758B/en
Publication of CN103618758A publication Critical patent/CN103618758A/en
Application granted granted Critical
Publication of CN103618758B publication Critical patent/CN103618758B/en

Abstract

The invention discloses a Web server and a system resource access control method thereof. The method comprises the following steps that: after receiving a Web request, a host process allocates the Web request to a work process, and the work process calls a marking module and transmits the allocated Web request to the marking module; the marking module analyzes the received Web request to obtain a user identifier, and transmits the user identifier which is obtained through analysis to a sandbox system module configured for the work process; and when the work process calls a resource access API of the sandbox system module, the resource access API limits resource access operation according to a resource limitation setting item of the user identifier. With the Web server and the system resource access control method thereof of the invention adopted, server resources can be saved under the premise that user resource isolation is realized.

Description

Web server and system resource access control method thereof
Technical field
The present invention relates to network technology, and in particular to a Web server and a system resource access control method thereof.
Background
The main function of a Web server is to provide a network information browsing service. At present, portal service providers widely use the LAMP architecture (Linux, Apache, MySQL, PHP, that is, the Linux operating system, the Apache server software, database software, and the PHP scripting language) to provide hardware and software platform support for developing the web pages of a company's many web sites (that is, of many web site users): after the Apache software on the Web server receives a request sent to a web site, it performs resource access and processing, and returns the generated web page data to the client's browser for display. In this document, a web site user is referred to simply as a user.
Specifically, after the host process of the Apache software on the Web server receives a Web request sent by a client to a web site, it distributes the received Web request to a work process; the work process accesses the server's resources according to the Web request, generates web page data, and returns it to the client.
On a public cloud platform, multiple users usually share the same Web server. To keep the users independent of one another and free from mutual interference, the user resources of each user must be isolated. One existing method of isolating user resources is to create multiple virtual machines on the same physical machine (that is, the Web server physical machine), with each virtual machine dedicated to processing the Web requests of one user and not processing the Web requests of any other user. Because the virtual machines are independent of one another, the user resources of the users are independent as well, which isolates the user resources. For example, for users user1 and user2, virtual machine 1 can process the Web requests of user1 and virtual machine 2 can process the Web requests of user2.
However, the number of virtual machines that can be created on one physical machine is limited and cannot be scaled with the users' access volume, so the number of users the Web server can serve is small and server resources are wasted; for example, a single physical machine may be able to serve only a dozen or so users with this method.
Another existing method of isolating user resources is to create multiple virtual machines on the same physical machine and start multiple work processes on the same virtual machine, with each work process dedicated to one user: it processes only that user's Web requests and cannot process the Web requests of other users. Because the work processes are independent of one another, the user resources of the users are independent as well, which isolates the user resources. For example, for users user1 and user2, work process process1 on virtual machine 1 can process the Web requests of user1, and work process process2 on virtual machine 1 can process the Web requests of user2.
However, the number of work processes that can be started on one virtual machine is also limited, so the number of users the Web server can serve is still small and server resources are again wasted; for example, a single physical machine may be able to serve only a few thousand users with this method.
In summary, the existing methods of isolating user resources all tend to waste Web server resources, and the waste is especially apparent when the users' access volume is large.
Summary of the invention
Embodiments of the present invention provide a Web server and a system resource access control method thereof, so as to save server resources while still isolating user resources.
According to one aspect of the present invention, a system resource access control method for a Web server is provided, including:
after a host process receives a Web request, it distributes the Web request to a work process; the work process calls a marking module and passes the distributed Web request to the marking module; the marking module parses a user identifier out of the received Web request and passes the parsed user identifier to the sandbox system module configured for the work process;
afterwards, when the work process calls a resource access API of the sandbox system module, the resource access API restricts the resource access operation according to the resource limitation setting item corresponding to the user identifier.
Preferably, the resource access API specifically includes a file access API, and
the resource limitation setting item corresponding to the user identifier specifically includes the storage space indicated by the user identifier; and
the resource access API restricting the resource access operation according to the resource limitation setting item corresponding to the user identifier is specifically:
the file access API confines the resource access operation to the storage space indicated by the user identifier.
Here, the storage space indicated by the user identifier is specifically the storage space under the directory whose name is the user identifier.
Alternatively, the resource access API specifically includes a network resource access API; and
the resource limitation setting item corresponding to the user identifier specifically includes: an upper limit on the number of network ports, set for the user identifier; and
the resource access API restricting the resource access operation according to the resource limitation setting item corresponding to the user identifier specifically includes:
when the network resource access API determines that the number of network connection ports occupied by the user corresponding to the user identifier has reached the upper limit on the number of network ports set for the user identifier, it returns information refusing network resource access to the work process.
Further, the resource limitation setting item corresponding to the user identifier also includes: an IP address blacklist or an IP address whitelist set for the user identifier; and
the resource access API restricting the resource access operation according to the resource limitation setting item corresponding to the user identifier also includes:
if the network resource access API determines that the IP address involved in the network resource access operation is on the IP address blacklist, it returns information refusing network resource access to the work process; or, if it determines that the IP address involved in the network resource access operation is not on the IP address whitelist, it returns information refusing network resource access to the work process.
Preferably, the step in which the work process calls the marking module and passes the distributed Web request to the marking module, and the marking module parses a user identifier out of the received Web request and passes the parsed user identifier to the sandbox system module configured for the work process, specifically includes:
when the work process calls the marking module, it also passes its own process identifier (PID) to the marking module;
the marking module parses the user identifier out of the received Web request, calls the user identifier setting API of the sandbox system module corresponding to the process identifier, and passes the user identifier to the user identifier setting API as a parameter; the user identifier setting API determines, from the user identifier passed in, the resource limitation setting item corresponding to the user identifier, and takes the determined resource limitation setting item as the current resource limitation setting item of the sandbox system module; and
the resource access API restricting the resource access operation according to the resource limitation setting item corresponding to the user identifier is specifically:
the resource access API restricts the resource access operation according to the current resource limitation setting item of the sandbox system module.
Preferably, after the user identifier setting API determines, from the user identifier passed in, the resource limitation setting item corresponding to the user identifier, the method also includes:
when the work process has finished processing the Web request, it sends the marking module a Web-request-processed notification carrying its process identifier;
according to the received Web-request-processed notification, the marking module calls the user identifier clearing API of the sandbox system module corresponding to the process identifier; the user identifier clearing API clears the current resource limitation setting item of the sandbox system module.
According to another aspect of the present invention, a Web server is also provided, including: a Web server module, a marking module, and multiple sandbox system modules;
wherein the Web server module is configured so that, after its host process receives a Web request, the Web request is distributed to a work process of the Web server module; the work process calls the marking module and passes the distributed Web request to the marking module;
the marking module is configured to parse a user identifier out of the received Web request and to pass the parsed user identifier to the sandbox system module configured for the work process;
the sandbox system module is configured so that, when the work process calls a resource access API of the sandbox system module, the resource access API restricts the resource access operation according to the resource limitation setting item corresponding to the user identifier.
Here, the resource limitation setting item corresponding to the user identifier specifically includes: the storage space indicated by the user identifier; and the resource access API specifically includes: a file access API;
or, the resource limitation setting item corresponding to the user identifier specifically includes: an upper limit on the number of network ports set for the user identifier, and an IP address blacklist or an IP address whitelist set for the user identifier; and the resource access API specifically includes: a network resource access API.
Preferably, the marking module is specifically configured so that, when it receives the Web request passed by the work process, it also receives the process identifier of the work process passed by the work process; the marking module parses the user identifier out of the received Web request, calls the user identifier setting API of the sandbox system module corresponding to the process identifier, and passes the user identifier to the user identifier setting API as a parameter; the user identifier setting API determines the resource limitation setting item corresponding to the user identifier and takes it as the current resource limitation setting item of the sandbox system module; and
the sandbox system module is specifically configured so that, when the work process calls the resource access API of the sandbox system module, the resource access API restricts the resource access operation according to the current resource limitation setting item of the sandbox system module.
In the technical solution of the embodiments of the present invention, when the host process receives a Web request and distributes it to a work process, it does not distinguish between the Web requests of different users; the same work process can therefore process the Web requests of different users at different times, which saves server resources. At the same time, when the work process calls the resource access API of the sandbox system module configured for it, the resource access API restricts the resource access operation according to the resource limitation setting item set for the corresponding user. This ensures that user resources are isolated even though the same work process processes the Web requests of different users, and keeps the users independent of one another and free from mutual interference. The present invention thus saves server resources while still isolating user resources.
Brief description of the drawings
Fig. 1 is a block diagram of the internal structure of the Web server of an embodiment of the present invention;
Fig. 2 is a flow chart of the system resource access control method of the Web server of an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and preferred embodiments. It should be noted, however, that many of the details listed in the description are given only to give the reader a thorough understanding of one or more aspects of the present invention; these aspects of the invention can be implemented even without these specific details.
Terms such as "module" and "system" used in this application are intended to include computer-related entities, such as, but not limited to, hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a module may be, but is not limited to: a process running on a processor, a processor, an object, an executable program, a thread of execution, a program, and/or a computer. For example, both an application running on a computing device and the computing device itself can be modules. One or more modules may reside within one executing process and/or thread, and a module may be located on one computer and/or distributed between two or more computers.
In the technical solution of the present invention, a work process is no longer dedicated to one user and can process the Web requests of different users at different times, which saves server resources; at the same time, sandbox technology is used to ensure that user resources are isolated when the same work process processes the Web requests of different users, keeping the users independent of one another and free from mutual interference.
In network technology, a sandbox is a secure virtual environment provided for programs whose source is untrusted, that are destructive, or whose intent cannot be determined; in other words, a sandbox system can restrict the access operations of a program running in the sandbox so that the program does not affect or interfere with the operating system or with programs running outside the sandbox. However, current sandbox systems cannot be applied directly to the technical solution of the present invention; the routines in the sandbox system that call system resources must also be improved so that the sandbox system can be applied to it.
For example, in the present invention, work process process1 can process the Web requests of both user1 and user2. When process1 processes a Web request of user1, it calls the resource access API of the sandbox system module configured for process1, and the resource access API restricts the resource access operations of user1 according to the resource limitation setting item set for user1. When process1 processes a Web request of user2, it calls the resource access API of the sandbox system module configured for process1, and the resource access API restricts the resource access operations of user2 according to the resource limitation setting item set for user2.
The technical solution of the embodiments of the present invention is described in detail below with reference to the accompanying drawings. The internal structure of the Apache software on the Web server provided by an embodiment of the present invention is shown in Fig. 1 and specifically includes: a Web server module 101, a marking module 102 and multiple sandbox system modules 103.
In practice, after the host process of the Web server module 101 receives a Web request, it distributes the Web request to a work process of the Web server module 101; the work process calls the marking module 102 and passes the distributed Web request to the marking module 102. The marking module 102 parses a user identifier out of the received Web request and passes the parsed user identifier to the sandbox system module 103 configured for the work process. When the work process calls a resource access API of the sandbox system module 103, the resource access API restricts the resource access operation according to the resource limitation setting item corresponding to the user identifier received by the sandbox system module.
Specifically, after the Apache software on the Web server starts, the interface functions in the dynamic link library of the sandbox system module 103 can be loaded through the LD_PRELOAD environment variable. These interface functions are the APIs (Application Programming Interfaces), for example the resource access API, the user identifier setting API and the user identifier clearing API. Afterwards, the Web server can control system resource access on the basis of the Web server module 101, the marking module 102 and the multiple sandbox system modules 103 in the Apache software on the server. The flow of the method is shown in Fig. 2 and comprises the following steps:
S201: After the host process of the Web server module 101 receives a Web request, it distributes the Web request to a work process.
In this step, after the host process of the Web server module 101 in the Apache software receives a Web request sent by a client to a web site, it selects an idle work process and distributes the received Web request to that work process.
When the host process distributes the received Web request to a work process, it does not distinguish between the Web requests of different users; after the work process has finished processing the currently distributed Web request, it can receive a new Web request distributed by the host process, again without distinguishing between users. The same work process can therefore process the Web requests of different users, which saves server resources.
S202: The work process calls the marking module 102 and passes the distributed Web request and its own process identifier (PID) to the marking module 102.
S203: The marking module 102 parses a user identifier out of the received Web request, calls the user identifier setting API of the sandbox system module 103 corresponding to the received process identifier, and passes the parsed user identifier to the user identifier setting API as a parameter.
Specifically, the Header of the Web request that the client sends to the web site carries the user identifier of the user; in this document, the user identifier of a user may specifically be the website identifier (website id) of the web site. In addition, a sandbox system module 103 is configured for each work process, which establishes a correspondence between the process identifier of the work process and the sandbox system module 103.
In this step, the marking module 102 parses the Web request sent by the work process and passes the parsed user identifier to the sandbox system module 103 configured for the work process. The detailed process is: the marking module 102 parses the user identifier out of the received Web request, calls the user identifier setting API of the sandbox system module 103 corresponding to the received process identifier, and passes the parsed user identifier to the user identifier setting API as a parameter.
S204: The user identifier setting API determines, from the user identifier passed in, the resource limitation setting item corresponding to the user identifier, and takes the determined resource limitation setting item as the current resource limitation setting item of the sandbox system module 103.
Specifically, the Apache software of the Web server records the resource limitation setting item of the user identifier of each user. For example, if the user identifier passed to the user identifier setting API in step S203 is user identifier A, then in this step the user identifier setting API determines the resource limitation setting item corresponding to user identifier A and takes it as the current resource limitation setting item of the sandbox system module 103.
S205: When the work process calls the resource access API of the sandbox system module 103, the resource access API restricts the resource access operation according to the current resource limitation setting item of the sandbox system module 103.
Specifically, while the work process processes the distributed Web request, it calls, for each resource access operation involved in the Web request (for example a file read or write operation), the resource access API of the sandbox system module 103 corresponding to its process identifier; the resource access API restricts the resource access operation according to the current resource limitation setting item of the sandbox system module 103. The current resource limitation setting item is the resource limitation setting item that the user identifier setting API determined in step S204 from the user identifier passed in.
Here, the resource limitation setting item corresponding to the user identifier may specifically include: the storage space indicated by the user identifier; and the resource access API may specifically include: a file access API corresponding to the storage space indicated by the user identifier.
For example, for a Web request A, the marking module 102 parses user identifier A out of Web request A. If the resource limitation setting item corresponding to user identifier A is the storage space indicated by user identifier A, then when the work process processing Web request A calls the file access API of the sandbox system module 103, the file access API confines the resource access operation to the storage space indicated by user identifier A. The storage space indicated by the user identifier may specifically be the storage space under the directory whose name is user identifier A (for example, /dir/usera/xxx). The file access operations of Web request A can then access only the storage space under the directory of user identifier A.
Alternatively, the resource limitation setting item corresponding to the user identifier may specifically include: an upper limit on the number of network ports set for the user identifier, and an IP address blacklist or an IP address whitelist set for the user identifier; and the resource access API may specifically include: a network resource access API corresponding to the upper limit on the number of network ports and to the IP address blacklist or IP address whitelist set for the user identifier.
For example, for a Web request B, the marking module 102 parses user identifier B out of Web request B. If the resource limitation setting item corresponding to user identifier B is the upper limit on the number of network ports set for user identifier B, then when the work process processing Web request B calls the network resource access API of the sandbox system module 103, the network resource access API returns information refusing network resource access to the work process if it determines that the number of network connection ports occupied by the user corresponding to user identifier B has reached the upper limit set for user identifier B. Conversely, if the network resource access API determines that the number of network connection ports occupied by the user corresponding to user identifier B has not reached the upper limit set for user identifier B, it carries out the network resource access operation.
If the resource limitation setting item corresponding to user identifier B is the IP address blacklist or IP address whitelist set for user identifier B, then when the work process processing Web request B calls the network resource access API of the sandbox system module 103, the network resource access API returns information refusing network resource access to the work process if it determines that the IP address involved in the network resource access operation is on the IP address blacklist set for user identifier B, or if it determines that the IP address involved in the network resource access operation is not on the IP address whitelist set for user identifier B. Conversely, if the network resource access API determines that the IP address involved in the network resource access operation is not on the IP address blacklist set for user identifier B, or that it is on the IP address whitelist set for user identifier B, it carries out the network resource access operation.
Because the sandbox system module configured for one work process in the present invention can restrict the resource access operations of different users according to the resource limitation setting items set separately for those users, user resources are isolated when the same work process processes the Web requests of different users, and server resources are saved. For example, for one physical machine, applying the method of the present invention allows the Web server to serve hundreds of thousands of users; compared with a dozen or so users or a few thousand users, this greatly improves the utilization of server resources. In other words, when processing the Web requests of the same number of users, the consumption of server resources is greatly reduced and server resources are saved.
Further, when the work process has finished processing the distributed Web request, it can send a Web-request-processed notification to the marking module 102; the notification carries the process identifier of the work process and the user identifier that the marking module 102 parsed out of the Web request.
After the marking module 102 receives the Web-request-processed notification, it calls the user identifier clearing API of the sandbox system module 103 corresponding to the process identifier carried in the notification; the user identifier clearing API clears the current resource limitation setting item of the sandbox system module 103. When the marking module 102 calls the user identifier clearing API of the sandbox system module 103 corresponding to the process identifier, it can also pass in the user identifier carried in the Web-request-processed notification; in that case the user identifier clearing API clears the current resource limitation setting item of the sandbox system module 103 after determining that the current resource limitation setting item is the one corresponding to the user identifier passed in.
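Steps S203 to S205 and the clearing step, sketched in C as an added example; this is not code from the patent or from any software of the assignee. All function names, the /dir base directory (borrowed from the /dir/usera/xxx example) and the limit table are assumptions. The sketch also makes two choices the text leaves open: the path check collapses ".." before comparing, and every check refuses when no user identifier is set.

```c
#include <stdio.h>
#include <string.h>

#define SBX_ROOT "/dir"   /* assumed base directory, after the /dir/usera/xxx example */
#define SBX_MAX_IPS 4

/* Resource limitation setting item of one user identifier (constructed data). */
struct sbx_limits {
    const char *user_id;
    int max_ports;                          /* upper limit on network ports */
    int ports_in_use;                       /* simplification: counted in this process only */
    const char *ip_blacklist[SBX_MAX_IPS];
    const char *ip_whitelist[SBX_MAX_IPS];  /* empty = no whitelist configured */
};

static struct sbx_limits SBX_TABLE[] = {
    { "usera", 2, 0, { "203.0.113.9" }, { NULL } },
    { "userb", 1, 0, { NULL }, { "198.51.100.7" } },
};

/* Current resource limitation setting item of this work process's sandbox. */
static struct sbx_limits *sbx_current = NULL;

/* User identifier setting API (S204): select the item for user_id. */
int sbx_set_user(const char *user_id) {
    sbx_current = NULL;
    for (size_t i = 0; i < sizeof SBX_TABLE / sizeof SBX_TABLE[0]; i++)
        if (strcmp(SBX_TABLE[i].user_id, user_id) == 0) { sbx_current = &SBX_TABLE[i]; return 0; }
    return -1;   /* unknown user: sandbox stays empty, so every check refuses */
}

/* User identifier clearing API: called once the request has been processed. */
void sbx_clear_user(void) { sbx_current = NULL; }

/* Collapse "//", "." and ".." lexically. Symbolic links are NOT resolved here;
 * a real interposer would also have to canonicalise them (e.g. realpath). */
static int sbx_normalize(const char *path, char *out, size_t cap) {
    size_t len = 0;
    if (path[0] != '/' || cap < 2) return -1;   /* relative paths are refused */
    out[0] = '\0';
    while (*path) {
        while (*path == '/') path++;
        size_t n = strcspn(path, "/");
        if (n == 0) break;
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            while (len > 0 && out[--len] != '/') { }   /* drop last component */
            out[len] = '\0';
        } else if (!(n == 1 && path[0] == '.')) {
            if (len + n + 2 > cap) return -1;
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
            out[len] = '\0';
        }
        path += n;
    }
    if (len == 0) strcpy(out, "/");
    return 0;
}

/* File access API check (S205): 1 = allowed, 0 = refused. The match must end
 * on a component boundary so that /dir/usera2 does not pass as usera. */
int sbx_check_path(const char *path) {
    char norm[512], home[128];
    if (sbx_current == NULL) return 0;                      /* fail closed */
    if (sbx_normalize(path, norm, sizeof norm) != 0) return 0;
    int n = snprintf(home, sizeof home, "%s/%s", SBX_ROOT, sbx_current->user_id);
    if (n < 0 || (size_t)n >= sizeof home) return 0;
    return strncmp(norm, home, (size_t)n) == 0 &&
           (norm[n] == '/' || norm[n] == '\0');
}

static int sbx_in_list(const char *const *list, const char *ip) {
    for (int i = 0; i < SBX_MAX_IPS && list[i] != NULL; i++)
        if (strcmp(list[i], ip) == 0) return 1;
    return 0;
}

/* Network resource access API check (S205): 1 = allowed, 0 = refused. */
int sbx_check_connect(const char *ip) {
    struct sbx_limits *l = sbx_current;
    if (l == NULL) return 0;
    if (sbx_in_list(l->ip_blacklist, ip)) return 0;
    if (l->ip_whitelist[0] != NULL && !sbx_in_list(l->ip_whitelist, ip)) return 0;
    if (l->ports_in_use >= l->max_ports) return 0;          /* upper limit reached */
    l->ports_in_use++;
    return 1;
}

int main(void) {
    sbx_set_user("usera");                                   /* request of usera */
    printf("%d\n", sbx_check_path("/dir/usera/site/index.php"));
    printf("%d\n", sbx_check_path("/dir/usera/../userb/secret.txt"));
    sbx_clear_user();                                        /* request finished */
    sbx_set_user("userb");                                   /* same process, next user */
    printf("%d\n", sbx_check_path("/dir/usera/site/index.php"));
    sbx_clear_user();
    return 0;
}
```

Because one work process serves many users in turn, the clearing call is what keeps a request from running under the previous user's limits; refusing everything while no item is set makes a missed or failed setting call visible instead of silent.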
In the technical solution of the present invention, when the host process receives a Web request and distributes it to a work process, it does not distinguish between the Web requests of different users; the same work process can therefore process the Web requests of different users at different times, which saves server resources. At the same time, when the work process calls the resource access API of the sandbox system module configured for it, the resource access API restricts the resource access operation according to the resource limitation setting item set for the corresponding user. This ensures that user resources are isolated even though the same work process processes the Web requests of different users, and keeps the users independent of one another and free from mutual interference. The present invention thus saves server resources while still isolating user resources.
A person of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art can make improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A system resource access control method for a Web server, characterized by comprising:
after the host process of a Web server module receives a Web request, allocating the Web request to a work process, the work process calling a marking module and transmitting the allocated Web request to the marking module; the marking module parsing a user identifier from the received Web request and transmitting the parsed user identifier to the sandbox system module configured for the work process;
thereafter, when the work process calls a resource access API of the sandbox system module, the resource access API limiting the resource access operation according to the resource limitation setting item corresponding to the user identifier.
2. The method of claim 1, characterized in that the resource access API specifically includes a file access API; and
the resource limitation setting item corresponding to the user identifier specifically includes the storage space indicated by the user identifier; and
the resource access API limiting the resource access operation according to the resource limitation setting item corresponding to the user identifier is specifically:
the file access API confines the resource access operation to the storage space indicated by the user identifier.
3. The method of claim 2, characterized in that the storage space indicated by the user identifier is specifically: the storage space under the directory whose directory name is the user identifier.
4. The method of claim 1, characterized in that the resource access API specifically includes a network resource access API; and
the resource limitation setting item corresponding to the user identifier specifically includes: an upper limit on the number of network ports set for the user identifier; and
the resource access API limiting the resource access operation according to the resource limitation setting item corresponding to the user identifier specifically includes:
when the network resource access API determines that the number of network connection ports occupied by the user corresponding to the user identifier has reached the upper limit on the number of network ports set for the user identifier, it returns to the work process information refusing the network resource access.
5. The method of claim 4, characterized in that the resource limitation setting item corresponding to the user identifier also includes: an IP address blacklist or an IP address whitelist set for the user identifier; and
the resource access API limiting the resource access operation according to the resource limitation setting item corresponding to the user identifier also includes:
if the network resource access API determines that the IP address involved in the network resource access operation is on the IP address blacklist, it returns to the work process information refusing the network resource access; or, if it determines that the IP address involved in the network resource access operation is not on the IP address whitelist, it returns to the work process information refusing the network resource access.
6. The method of any one of claims 1-5, characterized in that the work process calling the marking module and transmitting the allocated Web request to the marking module, and the marking module parsing a user identifier from the received Web request and transmitting the parsed user identifier to the sandbox system module configured for the work process, specifically includes:
when the work process calls the marking module, it also transmits its own process identifier to the marking module;
the marking module parses the user identifier from the received Web request and calls the user identifier setting API of the sandbox system module corresponding to the process identifier, passing the user identifier to the user identifier setting API as a parameter; the user identifier setting API determines, according to the passed-in user identifier, the resource limitation setting item corresponding to the user identifier, and takes the determined resource limitation setting item as the current resource limitation setting item of the sandbox system module; and
the resource access API limiting the resource access operation according to the resource limitation setting item corresponding to the user identifier is specifically:
the resource access API limits the resource access operation according to the current resource limitation setting item of the sandbox system module.
7. The method of claim 6, characterized in that, after the user identifier setting API determines, according to the passed-in user identifier, the resource limitation setting item corresponding to the user identifier, the method further includes:
if the work process has finished processing the Web request, it sends to the marking module a Web-request-processing-complete notification carrying its process identifier;
the marking module, according to the received Web-request-processing-complete notification, calls the user identifier clearing API of the sandbox system module corresponding to the process identifier; the user identifier clearing API clears the current resource limitation setting item of the sandbox system module.
8. A Web server, characterized by comprising: a Web server module, a marking module and multiple sandbox system modules; wherein
the Web server module is configured to, after its host process receives a Web request, allocate the Web request to a work process of the Web server module; the work process calls the marking module and transmits the allocated Web request to the marking module;
the marking module is configured to parse a user identifier from the received Web request and transmit the parsed user identifier to the sandbox system module configured for the work process;
the sandbox system module is configured so that, when the work process calls a resource access API of the sandbox system module, the resource access API limits the resource access operation according to the resource limitation setting item corresponding to the user identifier.
9. The server of claim 8, characterized in that the resource limitation setting item corresponding to the user identifier specifically includes: the storage space indicated by the user identifier; and the resource access API specifically includes: a file access API;
or, the resource limitation setting item corresponding to the user identifier specifically includes: an upper limit on the number of network ports set for the user identifier, and an IP address blacklist or an IP address whitelist set for the user identifier; and the resource access API specifically includes: a network resource access API.
10. The server of claim 8 or 9, characterized in that
the marking module is specifically configured to, when receiving the Web request transmitted by the work process, also receive the process identifier of the work process transmitted by the work process; the marking module parses the user identifier from the received Web request and calls the user identifier setting API of the sandbox system module corresponding to the process identifier, passing the user identifier to the user identifier setting API as a parameter; the user identifier setting API determines the resource limitation setting item corresponding to the user identifier and takes it as the current resource limitation setting item of the sandbox system module; and
the sandbox system module is specifically configured so that, when the work process calls a resource access API of the sandbox system module, the resource access API limits the resource access operation according to the current resource limitation setting item of the sandbox system module.
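
An added example, not part of the patent text or the patentee's implementation: a Python model of the sandbox system module from claims 2 to 7, with the user identifier setting and clearing APIs, a file access check confined to the directory named after the user identifier, and a network check applying the port cap and the IP blacklist or whitelist. The class and method names, the LIMITS sample data and the per-process connection counter are assumptions.

```python
import ipaddress
import os

# Constructed per-user "resource limitation setting items" (sample data).
LIMITS = {
    "alice": {"max_ports": 2, "ip_blacklist": {"203.0.113.7"}},
    "bob": {"max_ports": 1, "ip_whitelist": {"198.51.100.10"}},
}

class Sandbox:
    """Hypothetical sandbox system module; one instance per work process."""

    def __init__(self, storage_root, limits):
        self.root = os.path.realpath(storage_root)
        self.limits = limits
        self.user = self.current = None  # user identifier, current setting item
        self.ports_in_use = {}           # user identifier -> open connections

    def set_user_id(self, user_id):      # called by the marking module
        if user_id not in self.limits:
            raise PermissionError("no setting item for this user identifier")
        self.user, self.current = user_id, self.limits[user_id]

    def clear_user_id(self):             # called when the request is finished
        self.user = self.current = None

    def resolve_path(self, relative):
        """File access check: return a path under <root>/<user> or refuse."""
        if self.current is None:
            raise PermissionError("no user identifier set")
        home = os.path.join(self.root, self.user)
        target = os.path.realpath(os.path.join(home, relative))
        if os.path.commonpath([home, target]) != home:
            raise PermissionError("path escapes the user's storage space")
        return target

    def connect(self, ip):
        """Network access check: port cap first, then blacklist/whitelist."""
        if self.current is None:
            raise PermissionError("no user identifier set")
        addr = str(ipaddress.ip_address(ip))
        used = self.ports_in_use.get(self.user, 0)
        if used >= self.current["max_ports"]:
            raise PermissionError("network port limit reached")
        deny, allow = self.current.get("ip_blacklist", ()), self.current.get("ip_whitelist")
        if addr in deny or (allow is not None and addr not in allow):
            raise PermissionError("address refused by blacklist or whitelist")
        self.ports_in_use[self.user] = used + 1
        return addr
```

Because the same work process serves different users in turn, the checks refuse every access while no user identifier is set, so a request that reaches the resource access APIs before marking or after clearing cannot inherit the previous user's limits.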
CN201310530031.3A 2013-10-31 2013-10-31 Web server and system resource access control method thereof Active CN103618758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310530031.3A CN103618758B (en) 2013-10-31 2013-10-31 Web server and system resource access control method thereof

Publications (2)

Publication Number Publication Date
CN103618758A CN103618758A (en) 2014-03-05
CN103618758B true CN103618758B (en) 2017-01-11

Family

ID=50169462

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310530031.3A Active CN103618758B (en) 2013-10-31 2013-10-31 Web server and system resource access control method thereof

Country Status (1)

Country Link
CN (1) CN103618758B (en)

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230407

Address after: Room 501-502, 5/F, Sina Headquarters Scientific Research Building, Block N-1 and N-2, Zhongguancun Software Park, Dongbei Wangxi Road, Haidian District, Beijing, 100193

Patentee after: Sina Technology (China) Co.,Ltd.

Address before: 100080, International Building, No. 58 West Fourth Ring Road, Haidian District, Beijing, 20 floor

Patentee before: Sina.com Technology (China) Co.,Ltd.
