CN103841081A - Capability scheduling method and system - Google Patents



Publication number
CN103841081A
Authority
CN
China
Prior art keywords
ability
request message
call request
sender
security token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210477965.0A
Other languages
Chinese (zh)
Inventor
渠娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd

Abstract

The invention discloses a capability scheduling method. The method comprises a capability open system receiving a capability scheduling request message, selecting a capability scheduling mode according to the capability scheduling request message, performing authentication on the capability scheduling request message when the selected capability scheduling mode needs the authentication by the capability open system, and triggering a corresponding capability scheduling process according to the selected capability scheduling mode. According to the invention, at an initial stage, corresponding capability scheduling modes are selected according to different conditions so as to provide differentiated scheduling modes for various applications and scheduled capabilities, thus the capability scheduling flexibility is improved. The invention at the same time discloses a system applying the method.

Description

A capability call method and system
Technical field
The present invention relates to the field of communication technology, and in particular to a capability call method and system.
Background
In the mobile Internet era, operators are constantly looking for ways to open up telecommunication capabilities and integrate them with the technical approaches of Internet services. Under this trend, the major operators are gradually opening up their telecommunication capabilities and building capability providing systems (also called capability providing platforms) to offer one-stop services to application developers.
A capability providing system can better integrate and use external resources by means such as open application programming interfaces (APIs). Through the capability providing system, the services of telecommunication capability providers are packaged into unified, recognizable interfaces and opened up, so that third-party capability users (also called third-party applications) outside the capability providing system can access the capability providing system in the corresponding form and implement the third-party application's services by calling the APIs that the capability providing system opens. In addition, the capability providing system can also provide capability products and services to third-party capability developers outside the capability providing system.
When an application needs to call a capability provided by the capability providing system, it interacts directly with the capability providing system. The capability providing system authenticates and verifies the capability call request initiated by the application, then calls the API of the corresponding capability module and sends that module's response to the application.
As for the prior-art flow of capability calls between applications and the capability providing system: as user demand keeps growing, the kinds of capabilities keep multiplying as well, and the existing single capability call flow cannot provide differentiated handling for calls to different capabilities.
Summary of the invention
Embodiments of the present invention provide a capability call method and system to improve the flexibility of capability calls.
To achieve the above object, one aspect of the present invention provides a capability call method comprising the following steps:
The capability open system receives a capability call request message;
The capability open system selects a capability call mode according to the capability call request message and, when the selected capability call mode requires the capability open system to perform authentication, authenticates the capability call request message;
The capability open system triggers the corresponding capability call process according to the selected capability call mode.
The capability open system selecting a capability call mode according to the capability call request message specifically comprises:
The capability open system selects the capability call mode according to the sender of the capability call request message and/or the capability requested; the capability call modes comprise the full proxy mode, the half-proxy mode or the transparent mode;
The capability open system triggering the corresponding capability call process according to the selected capability call mode specifically comprises:
If the selected capability call mode is the full proxy mode, the capability open system verifies the security token of the sender of the capability call request message and authenticates the identity of the sender, and, after both verification and authentication pass, initiates the capability call process to the capability providing system on behalf of the sender of the capability call request message;
If the selected capability call mode is the half-proxy mode, the capability open system authenticates the identity of the sender of the capability call request message and, after authentication passes, generates a half-proxy security token and returns it to the sender of the capability call request message, so that the sender uses this half-proxy security token to initiate the capability call process to the capability providing system;
If the selected capability call mode is the transparent mode, the capability open system instructs the sender of the capability call request message to initiate the capability call process to the capability providing system.
In another aspect, the present invention also provides a capability open system comprising a management module, and further comprising an access module and an authentication module;
The access module is configured to receive a capability call request message, select a capability call mode according to the capability call request message, call the authentication module to authenticate the capability call request message when the selected capability call mode requires the capability open system to perform authentication, and trigger the corresponding capability call process according to the selected capability call mode;
The authentication module is configured to accept calls from the access module and authenticate the capability call request message.
Preferably, the access module is specifically configured to select the capability call mode according to the sender of the capability call request message and/or the capability requested; the capability call modes comprise the full proxy mode, the half-proxy mode or the transparent mode;
If the selected capability call mode is the full proxy mode, the access module calls the authentication module to verify the security token of the sender of the capability call request message and to authenticate the identity of the sender, and, after both verification and authentication pass, initiates the capability call process to the capability providing system on behalf of the sender of the capability call request message;
If the selected capability call mode is the half-proxy mode, the access module calls the authentication module to authenticate the identity of the sender of the capability call request message and, after authentication passes, to generate a half-proxy security token, and returns the half-proxy security token to the sender of the capability call request message, so that the sender uses this security token to initiate the capability call process to the capability providing system;
If the selected capability call mode is the transparent mode, the access module instructs the sender of the capability call request message to initiate the capability call process to the capability providing system.
Compared with the prior art, the present invention has the following advantage:
The capability open system selects the corresponding capability call mode according to the capability call request message, thereby providing differentiated call modes for the various applications and the capabilities they call, and improving the flexibility of capability calls.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the capability open system provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the capability call flow provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the full proxy capability call flow provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the half-proxy capability call flow provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the transparent capability call flow provided by an embodiment of the present invention.
Embodiments
In view of the shortcomings of the prior-art scheme, embodiments of the present invention provide a capability open system that can select a suitable capability call mode according to the capability call request.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring to Fig. 1, a schematic structural diagram of the capability open system provided by an embodiment of the present invention, the system mainly comprises an access module 103 and an authentication module 102, and may also comprise one or more modules implementing related statistics or management functions, for example a management module 101 that implements portal management and common management functions for the capability open system.
The access module 103 of the capability open system is mainly used to select a suitable capability call mode according to the capability call request received by the capability open system, and to carry out the corresponding processing according to the selected mode. For example, if the selected capability call mode requires the capability open system to authenticate the capability call request, the access module calls the authentication module 102 to perform the authentication. The authentication module 102 is mainly used to accept calls from the access module 103 and authenticate capability call requests.
The capability open system can support three call modes: full proxy, half proxy and transparent.
(1) Full proxy mode
In this mode, the capability open system takes part in and controls the entire capability call flow, and both the verification and the authentication of the capability call request are completed by the capability open system. This mode can effectively ensure the security of the capability call process; correspondingly, more data is exchanged between the capability open system and the capability providing system, and the load carried by the capability open system is higher.
(2) Half-proxy mode
In this mode, the capability open system is responsible for the authentication flow for the capability call request. After the capability call request passes authentication, the capability open system generates a half-proxy security token and returns it to the sender of the capability call request (generally an application), so that the sender carries this security token when initiating the capability call request to the capability providing system. Although this mode is not as good as the full proxy mode in terms of security, the capability open system clearly has higher processing performance under the half-proxy mode, and the amount of data it exchanges directly with the capability providing system is also smaller.
(3) Transparent mode
Once the capability open system selects this mode, the sender of the capability call request can subsequently interact with the capability providing system in the existing manner to complete the capability call.
Of the three capability call modes listed above, the full proxy mode has the highest security, the half-proxy mode comes second, and the transparent mode has comparatively the lowest security. Correspondingly, completing a capability call in the full proxy mode requires a large amount of data traffic and takes up more of the capability open system's performance; the half-proxy mode consumes less data traffic and takes up less system performance; and the transparent mode essentially does not require the participation of the capability open system, so its demands on data traffic and system performance are the lowest.
Because the security provided by the three capability call modes ranges from high to low, and the data traffic consumed and the load borne by the capability open system vary in proportion, the capability call mode can be selected according to the actual situation, so that the capability open system selects the optimum capability call mode for the current overall state of the system.
The capability open system can select the capability call mode in one of the following ways or in a combination of them:
(1) The capability open system specifies in advance, for a specific capability or capability class, the capability call mode to be used.
For example, for capabilities or capability classes that only want to use the capability open system as a display and publication channel, the capability open system does not need to authenticate or control calls to the capability, so the transparent mode can be specified for such capabilities. For capabilities of types with larger data traffic (video and the like), the half-proxy mode can be specified to relieve the performance pressure on the capability open system. For capabilities that have certain security requirements, and where it is undesirable for more to be carried out on the capability providing system, the full proxy mode can be specified.
As another example, if a capability or a type of capability has a certain security sensitivity, for instance it cannot tolerate security risks to capability calls such as message replay, the full proxy mode can be specified (because under the half-proxy mode the security token carries a validity period, which to some extent allows an attacker who intercepts a message to carry out a replay attack).
(2) Two flow thresholds, thread1 and thread2 (thread1 < thread2), are set in advance. If the data traffic statistic of the requested capability is lower than thread1, the capability open system selects the full proxy mode; if the data traffic statistic of the requested capability is higher than thread2, the capability open system selects the transparent mode; otherwise, the capability open system goes on to select the half-proxy mode according to another method.
(3) The capability open system selects a suitable capability call mode according to the security requirement of the capability call request and the traffic statistic of the requested capability. For example, the capability open system specifies in advance the full proxy or half-proxy mode for applications or application types with higher security requirements and the transparent mode for applications or application types with lower security requirements, and sets a flow threshold. If the capability open system determines, from the application that initiated the capability call or the type it belongs to, that the full proxy or half-proxy mode may be used, it can further judge whether the traffic statistic of the requested capability exceeds the set flow threshold: if it does, the half-proxy mode is used; otherwise, the full proxy mode is used.
(4) A correspondence between capability call modes and time periods is set in advance, and the capability open system selects the corresponding capability call mode according to the time period in which the capability call request is received.
In a specific implementation, an application with higher security requirements usually carries a security token generated by the application in the capability call request messages it sends. Therefore, if the capability open system parses a security token out of a received capability call request message, it can use the full proxy mode. If the capability open system does not parse a security token out of the received capability call request message, it can select one of the half-proxy mode and the transparent mode; the selection can be based on the type or traffic statistic of the requested capability, the security requirement, and so on. For example, if the traffic statistic of the requested capability is higher than a set threshold, the transparent mode is selected, otherwise the half-proxy mode is selected; if the security requirement level of the sender of the capability call request message is higher than a set threshold, the half-proxy mode is selected, otherwise the full proxy mode is selected.
The above rules are only some preferred implementations proposed by the embodiments of the present invention. Those skilled in the art can make other adaptive additions or adjustments on this basis, for example grading the security needs of each type of application in advance and using the half-proxy mode or the transparent mode for applications with lower security needs. Such improvements all fall within the protection scope of the present invention.
Based on the system architecture of the capability open system described above, the capability call flow provided by an embodiment of the present invention can be as shown in Fig. 2 and comprises:
Step 201: the capability open system receives a capability call request message.
Step 202: the capability open system selects a capability call mode according to the capability call request message. Specifically, the capability open system can select a suitable capability call mode in the ways described above, for example the mode that suits the application initiating the capability call request, or the mode that suits the capability requested.
Step 203: the capability open system triggers the corresponding capability call process according to the selected capability call mode.
In this step, if the capability open system has selected the full proxy mode, it is responsible for verifying the security token of the sender of the capability call request message and authenticating the identity of the sender, and, after both verification and authentication pass, it initiates the capability call process to the capability providing system on behalf of the sender. If the capability open system has selected the half-proxy mode, it authenticates the identity of the sender of the capability call request message and, after authentication passes, generates a half-proxy security token for the sender and returns it to the sender, so that the sender uses this security token to initiate the capability call process to the capability providing system. If the capability open system has selected the transparent mode, it instructs the sender of the capability call request to initiate the capability call process to the capability providing system.
To further describe the capability call flow provided by the embodiments of the present invention, the capability call flows under the full proxy mode, the half-proxy mode and the transparent mode are described below with reference to Fig. 3, Fig. 4 and Fig. 5 respectively.
Referring to Fig. 3, the capability call flow under the full proxy mode proposed by a specific embodiment of the present invention comprises the following steps:
Step 301: the application sends a capability call request message to the capability open system. The message carries the information required for the capability call, which can specifically include the identifier of the application initiating the capability call request, the application-side security token (generated locally by the application initiating the capability call request), and parameters such as the attributes of the requested capability. The attributes of a capability include information such as its ID, name and access method; from the information contained in these attributes the capability open system can determine which capability the application needs to call.
Step 302: the access module in the capability open system obtains the corresponding capability information according to the capability attributes carried in the capability call request message. The capability information can include the identifier, name and type of the capability.
Step 303: the access module in the capability open system selects a capability call mode according to the capability call request message; the specific selection methods are as described above. In this flow, the access module selects the full proxy mode.
Steps 304 to 306: the access module in the capability open system calls the authentication module to verify the security token in the capability call request and, after verification passes, goes to step 307.
In this process, the access module sends a security token verification request to the authentication module in step 304. In step 305, the authentication module, according to this request, verifies whether the application the security token belongs to is legitimate, whether the validity period of the security token has expired, and so on. In step 306, the authentication module returns the verification result to the access module. The access module carries out the subsequent flow according to the verification result: if verification passes, it proceeds to step 307; otherwise it discards the capability call request and the capability call process ends. This flow is described taking successful verification as the example.
Note that under the full proxy mode a security token is valid for a single use only, which also means that when the application requests a capability call again, a full proxy security token must be regenerated.
Steps 307 to 309: the access module in the capability open system calls the authentication module to authenticate the identity and permissions of the sender of the capability call request and, after authentication passes, goes to step 310.
In this process, the access module sends a capability call authentication request to the authentication module in step 307. In step 308, the authentication module, according to this request, checks the legitimacy of the identity of the sender of the capability call request, judges whether the sender has permission to call this capability, and so on. In step 309, the authentication module returns the authentication result to the access module. The access module carries out the subsequent flow according to the authentication result: if authentication passes, it proceeds to step 310; if authentication fails, it discards the capability call request and the capability call process ends. This flow is described taking successful authentication as the example.
Step 310: the access module of the capability open system sends a capability call request message to the capability providing system. The information about the requested capability carried in this message is the same as the capability information carried in the capability call request received in step 301, and the message can additionally include the capability information obtained in step 302.
Steps 311 to 312: after receiving the capability call response message returned by the capability providing system, the capability open system returns the capability call response message to the sender of the corresponding capability call request.
Under the full proxy mode it is the capability open system that sends the capability call request message to the capability providing system, whereas under the half-proxy mode and the transparent mode it is the application. The capability providing system can therefore determine whether the full proxy mode is in use according to whether the sender of the capability call request is the capability open system. If it is the full proxy mode, the capability providing system can directly call the requested capability to respond to the capability call request and return the response result in a capability call response message.
Referring to Fig. 4, be the ability call flow under double agent way, this flow process can comprise:
Step 401, application is to ability open system transmitting capacity call request message.This ability call request message has been carried ability and has been called required relevant information, specifically can comprise the mark of the application of initiating this ability call request, and the parameter such as the attribute of the ability of institute's request call.
Step 402, the access module in ability open system is obtained respective capabilities information according to the capabilities attribute carrying in this ability call request message.Wherein, ability information can comprise mark, title and the type etc. of ability.
Step 403, the access module in ability open system is according to this ability call request message selective power method of calling, concrete selection mode ditto described in.In this flow process, ability open system is selected half agent way.
Step 404 ~ 406, the access module in ability open system is called identity and the authority of authentication module to ability call request sender and is carried out authentication, and after authentication is passed through, goes to step 407.
In this step, access module is called authentication request in step 404 to authentication module transmitting capacity; In step 405, authentication module is according to this request, and the legitimacy of the identity to this ability call request sender is differentiated, and judged whether this ability call request sender calls this ability authority etc.; Authentication module is returned to authenticating result in step 406 to access module subsequently, carries out follow-up flow process by access module according to authenticating result.If authentication is passed through, go to step 407, if failed authentication, ability open system abandons this ability call request message, ability invoked procedure finishes.This flow process is passed through to describe as example taking authentication.
Step 407 ~ 410, the access module of ability open system is obtained half agent security token (i.e. security token half agent way) from authentication module, and attribute (as the term of validity and the access times) handling capacities such as this security token and permission to use information thereof is called to response message and are back to the transmit leg of ability call request message.
In this process, access module sends the request of obtaining of security token under half agent way to authentication module in step 407; In step 408, authentication module generates half agent security token, and (this half agent security token is corresponding with the sender of this ability call request message and the ability of its request call, the sender that can identify this ability call request message calls the behavior of this ability), and in step 409, this half agent security token is back to access module; Access module is back to this half agent security token in step 410 transmit leg of ability call request message subsequently.It should be noted that, under half agent way, the half agent security token being generated by authentication module is with the attribute such as the term of validity, access times.The half agent security token that ability open system generates, the security token generating from application has different forms, or carries specific information, to two kinds of security tokens are distinguished.
Step 411, application provides system transmitting capacity call request message to ability, and this ability call request message has been carried ability and has been called required relevant information, the half agent security token generating comprising ability open system.
Step 412, ability provides system from this ability call request message, to obtain half agent security token, and the attribute of local this half agent security token preserved of inquiry, if do not inquire, proceeds to step 413.Here,, because this half agent security token is first generation, therefore ability provides the relevant information that does not also store this half agent security token in system.
Step 413, the capability providing system sends this half-proxy security token to the capability open system in a security token verification request message, to request that the capability open system verify this half-proxy security token.
Steps 414 to 415, after receiving the security token verification request message, the authentication module of the capability open system verifies the half-proxy security token carried in it. After the verification passes, it queries the attributes of this half-proxy security token, such as the validity period and the number of uses, and returns these attributes to the capability providing system in a verification response message.
In this process, if the capability providing system does not find the half-proxy security token locally, it sends a security token verification request to the authentication module of the capability open system in step 413. In step 414, the authentication module, according to this request, verifies whether the application to which this security token belongs is legitimate, whether the validity period has expired, and so on. In step 415, the authentication module returns the verification result to the capability providing system; if the verification passes, the authentication module also returns the attributes of this security token to the capability providing system in this step, such as the validity period and the number of valid uses. Further, if the verification fails in step 415, the authentication module returns a failure result to the capability providing system in this step, and the capability providing system ends the flow after receiving this failure result.
Step 416, the capability providing system receives the verification response message and saves the half-proxy security token and its attributes carried therein. If the attributes of the security token include a number of valid uses, the capability providing system also correspondingly updates the number of valid uses of the locally saved half-proxy security token.
Step 417, the capability providing system invokes the requested capability to respond to this capability call request, and returns a capability call response message to the sender of the capability call request.
Further, this flow may also include:
Step 418, when the application needs to call the same capability again, it queries the validity period of the half-proxy security token corresponding to this application's act of requesting this capability. If the token is within its validity period, the application sends a capability call request message to the capability providing system. This capability call request message carries the information required for the capability call, including the identifier of the application initiating this capability call request, the attributes of the requested capability, and the corresponding half-proxy security token.
Step 419, the capability providing system obtains the half-proxy security token from this capability call request message, queries the locally saved attributes of this half-proxy security token, and verifies these attributes, for example by judging whether the validity period of this half-proxy security token has expired and whether the maximum number of uses has been exceeded. After the verification passes, the capability providing system updates the number of uses of the locally saved security token and goes to step 420.
Step 420, the capability providing system invokes the requested capability to respond to this capability call request, and sends a capability call response message to the sender of the capability call request, returning the capability call result.
If, in step 418 above, the application finds that the validity period of this half-proxy security token has expired, it sends a capability call request message to the capability open system; the subsequent processing is as described above and is not repeated here.
If, in step 419 above, the verification of the attributes of this security token fails, for example because the validity period has expired, this capability call request is discarded and the capability call process ends.
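The provider-side handling in steps 413 to 420 can be sketched as follows. This is an added Python example, not code from the patent: the class names, the in-memory stores, the sample values `app-1` and `sms.send`, and the check that the token was issued for the calling application and capability are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, replace


@dataclass
class TokenAttrs:
    app_id: str        # application the token was issued to (assumed field)
    capability: str    # capability the token authorizes (assumed field)
    expires_at: float  # end of the validity period, epoch seconds
    uses_left: int     # remaining number of valid uses


class AuthModule:
    """Authentication module of the capability open system: issues and verifies tokens."""

    def __init__(self):
        self._issued = {}

    def issue(self, app_id, capability, ttl, max_uses, now):
        token = secrets.token_urlsafe(32)  # unguessable random token value
        self._issued[token] = TokenAttrs(app_id, capability, now + ttl, max_uses)
        return token

    def verify(self, token, now):
        """Steps 414-415: return a copy of the token attributes, or None on failure."""
        attrs = self._issued.get(token)
        if attrs is None or now >= attrs.expires_at:
            return None
        return replace(attrs)  # copy, so the provider keeps its own local state


class CapabilityProvider:
    """Capability providing system with a local store of token attributes."""

    def __init__(self, auth):
        self._auth = auth
        self._local = {}        # token -> TokenAttrs saved in step 416
        self.auth_lookups = 0   # how often the open system had to be asked

    def handle_call(self, app_id, capability, token, now):
        attrs = self._local.get(token)
        if attrs is None:
            # Step 413: token not known locally, ask the authentication module.
            self.auth_lookups += 1
            attrs = self._auth.verify(token, now)
            if attrs is None:
                return (False, "verification failed")   # flow ends
            self._local[token] = attrs                  # step 416: save attributes
        # Step 419: verify the locally saved attributes.
        if (attrs.app_id, attrs.capability) != (app_id, capability):
            return (False, "token not issued for this call")
        if now >= attrs.expires_at:
            del self._local[token]                      # drop the stale entry
            return (False, "expired")
        if attrs.uses_left <= 0:
            return (False, "use count exhausted")
        attrs.uses_left -= 1                            # update the local use count
        return (True, "ok")                             # steps 417/420: serve the call


if __name__ == "__main__":
    auth = AuthModule()
    provider = CapabilityProvider(auth)
    # Constructed sample: a token valid for 60 seconds and two uses.
    tok = auth.issue("app-1", "sms.send", ttl=60, max_uses=2, now=1000.0)
    for t in (1001.0, 1002.0, 1003.0):
        print(t, provider.handle_call("app-1", "sms.send", tok, now=t))
    print("lookups at the open system:", provider.auth_lookups)
```

As on the page, the use count is enforced against the provider's locally saved copy, so a deployment with several provider instances would need to share that state for the limit to hold.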
Fig. 5 shows the capability call flow of an embodiment of the present invention in transparent mode:
Step 501, the application sends a capability call request message to the capability open system. This capability call request message carries the information required for the capability call, which may specifically include the identifier of the application initiating this capability call request and parameters such as the attributes of the requested capability.
Step 502, the access module in the capability open system obtains the corresponding capability information according to the capability attributes carried in this capability call request message, where the capability information may include the identifier, name and type of the capability.
Step 503, the access module in the capability open system selects a capability call mode according to this capability call request message; the specific selection method is as described above. In this flow, the capability open system selects the transparent mode.
Step 504, the access module in the capability open system returns a transparent mode indication message to the sender of the capability call request message, to instruct it to interact directly with the capability providing system.
Step 505, according to this indication message, the application sends a capability call request message to the capability providing system and receives the capability call response message returned by the capability providing system.
Based on the above flows, the main functions of the relevant functional modules in the capability open system shown in Fig. 1 are as follows:
A capability open system, comprising: an access module 103 and an authentication module 102;
The access module 103 is configured to receive a capability call request message, select a capability call mode according to the capability call request message, call the authentication module 102 to authenticate the capability call request message when the selected capability call mode requires authentication by the capability open system, and trigger the corresponding capability call process according to the selected capability call mode;
The authentication module 102 is configured to accept calls from the access module 103 and authenticate the capability call request message.
Further, in a specific application scenario, the access module 103 is specifically configured to select the capability call mode according to the sender of the capability call request message and/or the requested capability; the capability call mode is the full-proxy mode, the half-proxy mode or the transparent mode;
If the selected capability call mode is the full-proxy mode, call the authentication module 102 to verify the security token of the sender of the capability call request message and to authenticate the identity of the sender, and, after the verification and the identity authentication pass, initiate the capability call process to the capability providing system on behalf of the sender of the capability call request message;
If the selected capability call mode is the half-proxy mode, call the authentication module 102 to authenticate the identity of the sender of the capability call request message, generate a half-proxy security token after the identity authentication passes, and return the half-proxy security token to the sender of this capability call request message, so that the sender uses this security token to initiate the capability call process to the capability providing system;
If the selected capability call mode is the transparent mode, instruct the sender of the capability call request message to initiate the capability call process to the capability providing system.
Further, in a specific application scenario, the access module 103 is specifically configured to select the full-proxy mode if a security token is parsed from the capability call request message; and, if no security token is parsed from the capability call request message, to select between the half-proxy mode and the transparent mode according to the security requirement of the sender of the capability call request message or the data traffic statistic of the requested capability.
Further, in a specific application scenario, the access module 103 is specifically configured to select the half-proxy mode if the security requirement level of the sender of the capability call request message is higher than a set threshold, and otherwise to select the full-proxy mode; or to select the half-proxy mode if the data traffic statistic of the requested capability is higher than a set threshold, and otherwise to select the transparent mode.
Further, in a specific application scenario, the access module 103 is specifically configured to: obtain the corresponding capability information according to the capability attributes carried in the capability call request message; call the authentication module 102 to verify the security token; after the verification passes, call the authentication module 102 to authenticate the identity of the sender of the capability call request message and its permission to call the capability; after the authentication passes, send a capability call request message carrying the obtained capability information to the capability providing system; and receive the capability call response message returned by the capability providing system and return it to the sender of the capability call request message.
Further, in a specific application scenario, the access module 103 is specifically configured to: obtain the corresponding capability information according to the capability attributes carried in the capability call request message; call the authentication module 102 to authenticate the identity of the sender of the capability call request message and its permission to call the capability; after the authentication passes, call the authentication module 102 to generate a half-proxy security token; set the usage permission information of this half-proxy security token; and send this half-proxy security token and its usage permission information to the sender of the capability call request message;
The authentication module 102 is further configured to receive the verification request message sent by the capability providing system, verify the half-proxy security token carried in the verification request message, and, after the verification passes, send the usage permission information of the security token to the capability providing system in a verification response message, so that the capability providing system verifies, according to the usage permission information of the half-proxy security token, the half-proxy security token carried in the capability call request message it has received, and responds to this capability call request message after the verification passes; wherein the verification request message is sent by the capability providing system when, after receiving a capability call request message, it does not find locally saved usage permission information for the corresponding half-proxy security token.
As can be seen, in the specific embodiments of the present invention, a corresponding capability call mode is selected at the initial stage according to different conditions, so as to provide differentiated call modes for the various applications and the capabilities they call, which improves the flexibility of capability calls.
It should be noted that the module division used in the above embodiments to describe the capability open system is illustrative and exemplary, not restrictive. Because this capability open system can perform its functions in a variety of compositions without departing from the spirit or essence of the invention, it should be understood that the above embodiments are not limited to any of the foregoing details and should be interpreted broadly within the spirit and scope defined by the appended claims; all changes and modifications falling within the claims or their equivalents are therefore intended to be covered by the appended claims.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by hardware, or by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard drive) and includes several instructions for causing a computer device (such as a personal computer, a server or a network device) to perform the methods described in the implementation scenarios of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of preferred implementation scenarios, and that the modules or flows in the drawings are not necessarily required for implementing the present invention.
Those skilled in the art will appreciate that the modules of a device in an implementation scenario may be distributed in the device as described for that scenario, or may be changed accordingly and located in one or more devices different from that of the scenario. The modules of the above implementation scenarios may be combined into one module or further split into multiple sub-modules.
The sequence numbers used above are for description only and do not represent the relative merits of the implementation scenarios.
The above discloses only several specific implementation scenarios of the present invention; however, the present invention is not limited to them, and any change that a person skilled in the art can think of shall fall within the protection scope of the present invention.

Claims (12)

1. A capability calling method, characterized by comprising:
a capability open system receiving a capability call request message;
the capability open system selecting a capability call mode according to the capability call request message, and authenticating the capability call request message when the selected capability call mode requires authentication by the capability open system;
the capability open system triggering the corresponding capability call process according to the selected capability call mode.
2. The method of claim 1, characterized in that the capability open system selecting a capability call mode according to the capability call request message specifically comprises:
the capability open system selecting the capability call mode according to the sender of the capability call request message and/or the requested capability; the capability call mode being the full-proxy mode, the half-proxy mode or the transparent mode;
the capability open system triggering the corresponding capability call process according to the selected capability call mode specifically comprises:
if the selected capability call mode is the full-proxy mode, the capability open system verifying the security token of the sender of the capability call request message, authenticating the identity of the sender of the capability call request message, and, after the verification and the identity authentication pass, initiating the capability call process to the capability providing system on behalf of the sender of the capability call request message;
if the selected capability call mode is the half-proxy mode, the capability open system authenticating the identity of the sender of the capability call request message, and, after the identity authentication passes, generating a half-proxy security token and returning it to the sender of this capability call request message, so that the sender uses this half-proxy security token to initiate the capability call process to the capability providing system;
if the selected capability call mode is the transparent mode, the capability open system instructing the sender of the capability call request message to initiate the capability call process to the capability providing system.
3. The method of claim 2, characterized in that the capability open system selecting the capability call mode according to the sender of the capability call request message and/or the requested capability specifically comprises:
if the capability open system parses a security token from the capability call request message, the capability open system selecting the full-proxy mode;
if the capability open system does not parse a security token from the capability call request message, the capability open system selecting between the half-proxy mode and the transparent mode according to the security requirement of the sender of the capability call request message or the data traffic statistic of the requested capability.
4. The method of claim 3, characterized in that the capability open system selecting between the half-proxy mode and the transparent mode according to the security requirement of the sender of the capability call request message or the data traffic statistic of the requested capability specifically comprises:
if the security requirement level of the sender of the capability call request message is higher than a set threshold, selecting the half-proxy mode, and otherwise selecting the full-proxy mode; or,
if the data traffic statistic of the requested capability is higher than a set threshold, selecting the half-proxy mode, and otherwise selecting the transparent mode.
5. The method of claim 2, characterized in that the capability open system verifying the security token of the sender of the capability call request message, authenticating the identity of the sender of the capability call request message, and, after the verification and the identity authentication pass, initiating the capability call process to the capability providing system on behalf of the sender of the capability call request message specifically comprises:
the capability open system obtaining the corresponding capability information according to the capability attributes carried in the capability call request message;
the capability open system verifying the security token and, after the verification passes, authenticating the identity of the sender of the capability call request message and its permission to call the capability;
after the authentication passes, the capability open system sending a capability call request message to the capability providing system, the capability call request message carrying the obtained capability information;
the capability open system receiving the capability call response message returned by the capability providing system, and returning the capability call response message to the sender of the capability call request message.
6. The method of claim 2, characterized in that the capability open system authenticating the identity of the sender of the capability call request message, and, after the identity authentication passes, generating a half-proxy security token and returning it to the sender of this capability call request message specifically comprises:
the capability open system obtaining the corresponding capability information according to the capability attributes carried in the capability call request message;
the capability open system authenticating the identity of the sender of the capability call request message and its permission to call the capability;
after the authentication passes, the capability open system generating a half-proxy security token for the act of the sender of the capability call request message requesting the corresponding capability, setting the usage permission information of this half-proxy security token, and sending this half-proxy security token and its usage permission information to the sender of the capability call request message;
the capability open system receiving the verification request message sent by the capability providing system, and verifying the half-proxy security token carried in the verification request message; wherein the verification request message is sent by the capability providing system when, after receiving a capability call request message, it does not find locally saved usage permission information for the corresponding half-proxy security token;
after the verification of the half-proxy security token passes, the capability open system sending the usage permission information of the half-proxy security token to the capability providing system in a verification response message, so that the capability providing system verifies, according to the usage permission information of the half-proxy security token, the half-proxy security token carried in the capability call request message it has received, and responds to this capability call request message after the verification passes.
7. A capability open system, characterized by comprising: an access module and an authentication module;
the access module being configured to receive a capability call request message, select a capability call mode according to the capability call request message, call the authentication module to authenticate the capability call request message when the selected capability call mode requires authentication by the capability open system, and trigger the corresponding capability call process according to the selected capability call mode;
the authentication module being configured to accept calls from the access module and authenticate the capability call request message.
8. The capability open system of claim 7, characterized in that the access module is specifically configured to select the capability call mode according to the sender of the capability call request message and/or the requested capability; the capability call mode being the full-proxy mode, the half-proxy mode or the transparent mode;
if the selected capability call mode is the full-proxy mode, call the authentication module to verify the security token of the sender of the capability call request message and to authenticate the identity of the sender, and, after the verification and the identity authentication pass, initiate the capability call process to the capability providing system on behalf of the sender of the capability call request message;
if the selected capability call mode is the half-proxy mode, call the authentication module to authenticate the identity of the sender of the capability call request message, generate a half-proxy security token after the identity authentication passes, and return the half-proxy security token to the sender of this capability call request message, so that the sender uses this security token to initiate the capability call process to the capability providing system;
if the selected capability call mode is the transparent mode, instruct the sender of the capability call request message to initiate the capability call process to the capability providing system.
9. The capability open system of claim 8, characterized in that the access module is specifically configured to select the full-proxy mode if a security token is parsed from the capability call request message; and, if no security token is parsed from the capability call request message, to select between the half-proxy mode and the transparent mode according to the security requirement of the sender of the capability call request message or the data traffic statistic of the requested capability.
10. The capability open system of claim 9, characterized in that the access module is specifically configured to select the half-proxy mode if the security requirement level of the sender of the capability call request message is higher than a set threshold, and otherwise to select the full-proxy mode; or to select the half-proxy mode if the data traffic statistic of the requested capability is higher than a set threshold, and otherwise to select the transparent mode.
11. The capability open system of claim 8, characterized in that the access module is specifically configured to: obtain the corresponding capability information according to the capability attributes carried in the capability call request message; call the authentication module to verify the security token; after the verification passes, call the authentication module to authenticate the identity of the sender of the capability call request message and its permission to call the capability; after the authentication passes, send a capability call request message carrying the obtained capability information to the capability providing system; and receive the capability call response message returned by the capability providing system and return it to the sender of the capability call request message.
12. The capability open system of claim 8, characterized in that the access module is specifically configured to: obtain the corresponding capability information according to the capability attributes carried in the capability call request message; call the authentication module to authenticate the identity of the sender of the capability call request message and its permission to call the capability; after the authentication passes, call the authentication module to generate a half-proxy security token; set the usage permission information of this half-proxy security token; and send this half-proxy security token and its usage permission information to the sender of the capability call request message;
the authentication module being further configured to receive the verification request message sent by the capability providing system, verify the half-proxy security token carried in the verification request message, and, after the verification passes, send the usage permission information of the security token to the capability providing system in a verification response message, so that the capability providing system verifies, according to the usage permission information of the half-proxy security token, the half-proxy security token carried in the capability call request message it has received, and responds to this capability call request message after the verification passes; wherein the verification request message is sent by the capability providing system when, after receiving a capability call request message, it does not find locally saved usage permission information for the corresponding half-proxy security token.
CN201210477965.0A 2012-11-22 2012-11-22 Capability scheduling method and system Pending CN103841081A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210477965.0A CN103841081A (en) 2012-11-22 2012-11-22 Capability scheduling method and system

Publications (1)

Publication Number Publication Date
CN103841081A true CN103841081A (en) 2014-06-04

Family

ID=50804217

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210477965.0A Pending CN103841081A (en) 2012-11-22 2012-11-22 Capability scheduling method and system

Country Status (1)

Country Link
CN (1) CN103841081A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209728A (en) * 2015-04-30 2016-12-07 中国电信股份有限公司 Telecommunication capability call method and system
CN106713244A (en) * 2015-11-17 2017-05-24 中国移动通信集团公司 Capability access method and network element
CN108509286A (en) * 2018-03-27 2018-09-07 中国银联股份有限公司 A kind of processing method and processing device of message category
CN109995733A (en) * 2017-12-30 2019-07-09 中国移动通信集团辽宁有限公司 Capability service opening method, device, system, equipment and medium

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209728A (en) * 2015-04-30 2016-12-07 中国电信股份有限公司 Telecommunication capability call method and system
CN106209728B (en) * 2015-04-30 2019-07-02 中国电信股份有限公司 Telecommunication capability call method and system
CN106713244A (en) * 2015-11-17 2017-05-24 中国移动通信集团公司 Capability access method and network element
CN106713244B (en) * 2015-11-17 2021-01-15 中国移动通信集团公司 Capability access method and network element
CN109995733A (en) * 2017-12-30 2019-07-09 中国移动通信集团辽宁有限公司 Capability service opening method, device, system, equipment and medium
CN109995733B (en) * 2017-12-30 2021-11-09 中国移动通信集团辽宁有限公司 Capability service opening method, device, system, equipment and medium
CN108509286A (en) * 2018-03-27 2018-09-07 中国银联股份有限公司 A kind of processing method and processing device of message category
CN108509286B (en) * 2018-03-27 2022-09-27 中国银联股份有限公司 Message classification processing method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140604
