Content of the invention
For weak point present in the problems referred to above, the invention provides one kind is towards concurrent access request incidence relation
Access control coordination approach and its device, reasonably dispatched by concurrent access request, with realize to concurrently access please
The access control co-ordination asked.
For achieving the above object, the present invention provides a kind of access control coordination side towards concurrent access request incidence relation
Method, comprises the following steps:
The incidence relation set that s10, collection concurrently access;
S20, by access request incidence relation construct multiple directed graphs;
S30, set up Directed Graph Model for each directed graph, and load its structure content in Directed Graph Model;
S40, according in directed graph structure content execution resource access;
S50, the access request results to the current layer of directed graph judge, if the access request of the current layer of directed graph
Result is unsatisfactory for the incidence relation of current layer, then the node of directed graph lower floor does not continue to access resource;
Resource after s60, Dynamic Announce access control are coordinated accesses result.
The above-mentioned access control coordination approach towards concurrent access request incidence relation, wherein, in step s10, root
According to content and the level of security of object resource, judge whether two object resources being associated in set of relationship have association and close
System, the client's body resource that there will be incidence relation collects the control coordination that conducts interviews;
There is not the access request of incidence relation by directly concurrent access object resource.
The above-mentioned access control coordination approach towards concurrent access request incidence relation, wherein, in step s20,
During generating access request directed graph, the access request with incidence relation is divided at one group, according to the peace of access request
The level of full partition of the level directed graph.
The above-mentioned access control coordination approach towards concurrent access request incidence relation, wherein, in step s40, makes
With the mode of multithreading, according to the construction access object resource of access request directed graph, introducing an access for each thread please
Seek directed graph, between different threads is parallel access resource simultaneously, accelerate the speed accessing resource it is ensured that main body
Safety and order that resource accesses.
The above-mentioned access control coordination approach towards concurrent access request incidence relation, wherein, in directed graph
During object resource conducts interviews, conduct interviews according to level of security from low to high, every layer of resource accesses must be abided by
The principle following access request incidence relation conducts interviews, and specific implementation step is as follows:
, according to the construction of directed graph, the transmission of the request that conducted interviews by low layer to high level, in the access of current layer for a, main body
In the case that request response meets incidence relation description, then the access request executing next layer;
If the access request response of b current layer is unsatisfactory for the incidence relation description of current layer, the other layer of higher security level
Access request no longer will be performed resource and accesses;
If the level of c current accessed has progressed to last layer of directed graph, or the level refusal execution of current accessed
Resource accesses, then terminate the access of directed graph, the result that Dynamic Announce resource accesses.
The present invention also provides a kind of access control conditioning unit towards concurrent access request incidence relation, comprising:
Collection module, for collecting the incidence relation set concurrently accessing;
Directed graph constitutes module, for constructing multiple directed graphs by access request incidence relation;
Oriented module sets up module, for setting up Directed Graph Model for each directed graph, and adds in Directed Graph Model
Carry its structure content;
Resource access module, for accessing according to the structure content execution resource in directed graph;
Judge module, the access request results for the current layer to directed graph judge, if the current layer of directed graph
Access request results be unsatisfactory for the incidence relation of current layer, then the node of directed graph lower floor does not continue to access resource;
Display module, the resource after coordinating for Dynamic Announce access control accesses result.
Above-mentioned device, wherein, in described collection module, the content according to object resource and level of security, judge into
Whether two object resources in row incidence relation set have incidence relation, and the client's body resource that there will be incidence relation is collected
Control of getting up to conduct interviews is coordinated;
There is not the access request of incidence relation by directly concurrent access object resource.
Above-mentioned device, wherein, in described directed graph constructing module, the access request with incidence relation is divided one
Group, the level of the security classification directed graph according to access request.
Above-mentioned device, wherein, in described resource access module, using the mode of multithreading, has according to access request
Access object resource to the construction of figure, introduce an access request directed graph for each thread, between different threads is simultaneously
Row accesses resource simultaneously, accelerates the speed accessing resource it is ensured that the safety that accesses of main body resource and order.
Compared with prior art, the invention has the advantages that
1st, mainly carried out in user front end due to the coordination process of access control of the present invention, after therefore, it can mitigate
The load pressure of platform server end;
2nd, after coordinating, the access request of access rights is not had not retransmit, can hence for whole network environment
To play the effect saving network traffics;
3rd, the mode of hierarchical access can find the access request of malice during important resource accesses in time.With
When, the user interface of the client after coordinating will be more friendly.
The present invention provides a kind of access control coordination approach towards concurrent access request incidence relation to be asked it is proposed that accessing
Seek directed graph construction algorithm, and give the access method of execution access request directed graph;Directed graph construction algorithm will have pass
Connection relation access request packet, group in by access request according to level of security layering from low to high, every layer node company
Connect one and collect node, connected to next layer by collecting node, be constructed to directed graph;In the access method of directed graph, main
Body, according to the construction of directed graph, the transmission of the request that conducted interviews by low layer to high level, meets in the access request response of current layer
In the case of incidence relation description, then the access request executing next layer.If the access request response of current layer is unsatisfactory for current
The incidence relation description of layer, then the access request of the other layer of higher security level no longer will be performed.
Specific embodiment
In the present invention it is proposed that the type of incidence relation between concurrent access request and decision method.Please accessing
Ask during concurrently accessing object resource, between concurrent access request, there is mutual incidence relation.Specific association is closed
System comprise following five kinds: or with, non-, rely on, be polymerized.
(1) "or" relation, is designated " ∪ ", and representative is two concurrent access request, and at least one obtains access control
The permission of system, main body could obtain the result of two access request responses.
(2) "AND" relation, is designated " ∩ ", and representative is two concurrent access request, all obtains permitting of access control
Permitted, main body could obtain the result of two access request responses.
(3) " non-" relation, be designated "!", represent concurrent access request 1, in concurrent access request 2 access control refusal
In the case of, main body could obtain the result of two access request responses.
(4) " preferential " relation, be designated " → ", representative is concurrent access request 1 it should before concurrent access request 2
Face, is preferentially performed.
(5) " be polymerized " relation, be designated "×", representative be this concurrent access request be by multiple concurrently sub- access request
Composition.
As shown in Figures 1 and 2, the present invention provides a kind of access control coordination side towards concurrent access request incidence relation
Method, comprises the following steps:
The incidence relation set that s10, collection concurrently access.
In step s10, the content according to object resource and level of security, judge be associated in set of relationship two
Whether object resource has incidence relation, and the client's body resource that there will be incidence relation collects the control coordination that conducts interviews;
There is not the access request of incidence relation by directly concurrent access object resource.
S20, by access request incidence relation construct multiple directed graphs.
In step s20, during generating access request directed graph, the access request with incidence relation is divided
One group, the level of the security classification directed graph according to access request.
S30, set up Directed Graph Model for each directed graph, and load its structure content in Directed Graph Model.
S40, according in directed graph structure content execution resource access.
In step s40, using the mode of multithreading, the construction according to access request directed graph accesses object resource, is
Each thread introduces an access request directed graph, and between different threads is parallel access resource simultaneously, accelerates visit
Ask the speed of resource it is ensured that main body resource access safety and order.
During the object resource in directed graph is conducted interviews, visited according to level of security from low to high
Ask, every layer of resource accesses and must comply with the principle of access request incidence relation and conduct interviews, and specific implementation step is as follows:
, according to the construction of directed graph, the transmission of the request that conducted interviews by low layer to high level, in the access of current layer for a, main body
In the case that request response meets incidence relation description, then the access request executing next layer;
If the access request response of b current layer is unsatisfactory for the incidence relation description of current layer, the other layer of higher security level
Access request no longer will be performed resource and accesses;
If the level of c current accessed has progressed to last layer of directed graph, or the level refusal execution of current accessed
Resource accesses, then terminate the access of directed graph, the result that Dynamic Announce resource accesses.
S50, the access request results to the current layer of directed graph judge, if the access request of the current layer of directed graph
Result is unsatisfactory for the incidence relation of current layer, then the node of directed graph lower floor does not continue to access resource.
If in addition, the access request results of the current layer of directed graph meet the incidence relation of current layer, return to step
s40.
Resource after s60, Dynamic Announce access control are coordinated accesses result.
The present invention proposes a kind of access request directed graph construction algorithm.The construction algorithm of access request directed graph is by basis
Incidence relation construction directed graph between access request, in access request directed graph, each concurrent access request is as directed graph
One of node, directed graph construction process adopt recurrence method, have having the joint structure connecting each other at one
To in figure, the process setting up access request directed graph is as follows:
Concurrent access request is respectively created an oriented node of graph;
According to the attribute of access request, access request is grouped, the access request node of triggering access control is individually divided into one
Group (a group), the access request node not triggering access control is divided into one group (b group);
, according to the access control safety rank of access request node visit resource, by nodal hierarchy, every layer related for a group
Combination of nodes gets up, the common node connecting a new establishment, referred to as " collects node ".When relevant between layers,
Upper layer node is combined with lower level node by collecting node, more jointly connect one new create collect node.Repeat to hold
Row is above-mentioned, generates access request directed graph;
The access request directed graph that a group generates, the figure not connected each other is split, forms multiple access figures;
According to multiple the access figures of type structure accessing resource, every accesses in figure and sets one layer of access control node b group.
As shown in figure 3, the present invention also provides a kind of access control conditioning unit towards concurrent access request incidence relation,
Including collection module 1, directed graph constitute module 2, oriented module set up module 3, resource access module 4, judge module 5 with aobvious
Show module 6.
Collection module is used for collecting the incidence relation set concurrently accessing.
In collection module, the content according to object resource and level of security, judge be associated in set of relationship two
Whether individual object resource has incidence relation, and the client's body resource that there will be incidence relation collects the control association that conducts interviews
Adjust;There is not the access request of incidence relation by directly concurrent access object resource.
Directed graph constitutes module and is used for constructing multiple directed graphs by access request incidence relation.
In directed graph constructing module, the access request with incidence relation is divided at one group, according to the safety of access request
The level of partition of the level directed graph.
Oriented module sets up module for setting up Directed Graph Model for each directed graph, and loads in Directed Graph Model
Its structure content.
Resource access module is used for accessing according to the structure content execution resource in directed graph.
In resource access module, using the mode of multithreading, the construction according to access request directed graph accesses object money
Source, introduces an access request directed graph for each thread, and between different threads is parallel access resource simultaneously, accelerates
Access the speed of resource it is ensured that the safety that accesses of main body resource and order.
The access request results that judge module is used for the current layer to directed graph judge, if the current layer of directed graph
Access request results are unsatisfactory for the incidence relation of current layer, then the node of directed graph lower floor does not continue to access resource.
If in addition, the access request results of the current layer of directed graph meet the incidence relation of current layer, return resource and visit
Ask module.
The resource that display module is used for after the coordination of Dynamic Announce access control accesses result.
Using the mode of multithreading, the construction according to access request directed graph accesses object resource, introduces for each thread
One access request directed graph, between different threads is parallel access resource simultaneously, accelerates the speed accessing resource,
Ensure that safety and the order of main body resource access.
During the object resource in directed graph is conducted interviews, visited according to level of security from low to high
Ask, every layer of resource accesses and must comply with the principle of access request incidence relation and conduct interviews, and specific implementation step is as follows:
, according to the construction of directed graph, the transmission of the request that conducted interviews by low layer to high level, in the access of current layer for a, main body
In the case that request response meets incidence relation description, then the access request executing next layer;
If the access request response of b current layer is unsatisfactory for the incidence relation description of current layer, the other layer of higher security level
Access request no longer will be performed resource and accesses;
If the level of c current accessed has progressed to last layer of directed graph, or the level refusal execution of current accessed
Resource accesses, then terminate the access of directed graph, the result that Dynamic Announce resource accesses.
The present invention proposes a kind of access request directed graph construction algorithm.The construction algorithm of access request directed graph is by basis
Incidence relation construction directed graph between access request, in access request directed graph, each concurrent access request is as directed graph
One of node, directed graph construction process adopt recurrence method, have having the joint structure connecting each other at one
To in figure, the process setting up access request directed graph is as follows:
Concurrent access request is respectively created an oriented node of graph;
According to the attribute of access request, access request is grouped, the access request node of triggering access control is individually divided into one
Group (a group), the access request node not triggering access control is divided into one group (b group);
, according to the access control safety rank of access request node visit resource, by nodal hierarchy, every layer related for a group
Combination of nodes gets up, the common node connecting a new establishment, referred to as " collects node ".When relevant between layers,
Upper layer node is combined with lower level node by collecting node, more jointly connect one new create collect node.Repeat to hold
Row is above-mentioned, generates access request directed graph;
The access request directed graph that a group generates, the figure not connected each other is split, forms multiple access figures;
According to multiple the access figures of type structure accessing resource, every accesses in figure and sets one layer of access control node b group.
Only as described above, only presently preferred embodiments of the present invention, professional who are familiar with this art such as.?
After understanding the technological means of the present invention, natural energy, according to actual needs, is changed under the teachings of the present invention.Therefore all
The equal change made according to scope of the present invention patent and modification, once should still remain within the scope of the patent.