CN103944883B - The system and method for cloud application access control under a kind of cloud computing environment - Google Patents


Info

Publication number: CN103944883B
Authority: CN (China)
Prior art keywords: application, cloud, user, information, cloud application
Legal status: Active
Application number: CN201410101018.0A
Other languages: Chinese (zh)
Other versions: CN103944883A
Inventor: 徐广庆
Current assignee: ECDATA INFORMATION TECHNOLOGY Co Ltd
Original assignee: ECDATA INFORMATION TECHNOLOGY Co Ltd
Priority date: 2014-03-19
Filing date: 2014-03-19
Publication date: 2017-08-11

Abstract

The present invention provides a system and method for cloud application access control in a cloud computing environment. A gateway proxy interacts with the client: it receives the user's link request for a cloud application and returns to the user either the authorized cloud application or a refusal. A user application permission service module, interacting with the gateway proxy, verifies the validity of the user's rights. An application route service module, interacting with the gateway proxy, looks up a valid application routing address in the routing table. A cloud application service module, interacting with the gateway proxy, provides the running environment of the cloud application that matches the permission information. By completing routing and authentication among the internal services behind the gateway proxy, the invention manages application permissions in a unified way, controls them flexibly and shields against the possibility of information leakage.

Description

System and method for cloud application access control in a cloud computing environment
Technical field
The invention belongs to the field of cloud computing, and in particular to the use of cloud applications and access authorization control technology.
Background technology
Cloud computing is a dynamic, easily extensible mode of computing resources based on virtualization, typically provided over the Internet; the user need not understand the details inside the cloud. Cloud computing services comprise three layers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Infrastructure as a Service manages basic resources such as networks, hosts and storage; it is the foundation stone of a cloud computing system and the first step in realizing cloud computing. Platform as a Service manages middleware and databases. Software as a Service manages user applications.
Cloud applications in a cloud computing environment are mainly realized in two ways. The first is application service hosting: the application has a locally running interface at the client, but the data and the computation involved inside the application are all aggregated in the back-end cloud data center. The second is remote application: programs are accessed remotely through a remote desktop service, as if they were running on the end user's local computer. These programs are called cloud application programs, and normally several application instances can run on the same application server. With the second way, however, because the application actually runs on a remote computer, when several applications are used by several users there is a risk of information leaking between different applications, or between different users' instances of the same application.
The information leakage risk mainly shows in the following: 1. residue of application access records exposes the access footprint; 2. memory caches are easily obtained by a subsequent login user; 3. at this level an application can monitor other processes while running; 4. effective isolation cannot be achieved.
Summary of the invention
The present invention provides a system and method for cloud application access control in a cloud computing environment, which controls cloud application permissions, supports flexible application isolation and applies physical isolation to applications of a high security level, in order to solve the problem of information leakage.
To achieve the above object, one technical scheme of the invention provides a system for cloud application access control in a cloud computing environment, which comprises:
A gateway proxy, which serves as the interface with the client, receives the user's link request for a cloud application, and sends to the user either the authorized cloud application or information refusing the link request;
A user application permission service module, which manages and maintains user permission information, receives user authentication information through interaction with the gateway proxy, and after verifying the validity of the user's rights feeds back the authorization and authentication result to the gateway proxy;
An application route service module, which maintains and updates the routing table recording the distribution information of cloud application services, and through interaction with the gateway proxy finds a valid application routing address in the routing table and feeds it back to the gateway proxy;
A cloud application service module, which through interaction with the gateway proxy provides the running environment of the cloud application that matches the permission information.
Optionally, the application route service module further comprises:
A state update module, which updates the information of the application servers and the usage state of the applications in the routing table;
A check and verification module, which checks whether the routing table has an available application routing address matching the link request.
Another technical scheme of the invention provides a method for cloud application access control in a cloud computing environment, comprising the following steps:
A. The user initiates a link request for a cloud application through the client, and the link request is sent to the gateway proxy together with the user authentication information;
B. The gateway proxy parses the relevant information and verifies the user's rights through the user application permission service module;
C. After receiving the information that the user's rights have been verified as valid, the gateway proxy searches the routing table for a qualifying application routing address through the application route service module;
D. According to the application routing address found, the gateway proxy links through the cloud application service module to the cloud application server matching that application routing address;
the cloud application service module provides the running environment of the cloud application matching the user's rights, which the gateway proxy feeds back to the user's client.
Optionally, before step A, the routing table is initialized by the application route service module, so as to update the information of all application servers and the usage state of all applications.
Optionally, in step D, the application route service module also updates in the routing table the information of the application server allocated for this link request.
Optionally, after step D, when the cloud application is exited or the link becomes invalid, the application route service module also updates the state of the routing table so that the next application link can use it.
Optionally, in step C, when searching for the application routing address, the application servers available for deployment are determined according to whether there is mutual exclusion between user rights.
Optionally, in step D, when the gateway proxy links to the cloud application server through the cloud application service module, it also sends at the same time the use-control information of the application matching the user's rights.
Compared with the prior art, the system and method for cloud application access control in a cloud computing environment provided by the invention have the advantage that routing and authentication are completed among the internal services by way of the gateway proxy: the routing table is maintained, updated and queried for cloud application selection, and the application permission service module and the route service module jointly determine the cloud application address that provides the service, so as to provide the cloud application matching the permissions and thereby complete the access control of the application.
The invention supports the cloud application mode of remote application and is also applicable to cloud applications created in the local client mode. According to the routing policy, the invention can run different applications on the same machine, or in the same session, or on different hosts, or in different subnets, and so on. The invention manages application permissions in a unified way, controls them flexibly and shields against the possibility of information leakage.
Brief description of the drawings
Fig. 1 is a schematic diagram of routing table generation in the invention.
Fig. 2 is a schematic diagram of the cloud application access control system of the invention.
Fig. 3 is a schematic diagram of the process by which a client of the invention uses a cloud application.
Fig. 4 is a timing diagram of cloud application linking and access control in the invention.
Embodiment
The application scenario of the invention includes users and cloud application providers. The user is mainly the initiator of an application link; the client may also be assisted by a third-party desktop program that obtains the user's basic logon information, which is also a required parameter for creating the cloud application link. The cloud application provider can provide management and maintenance of user permission information, which is stored in the user application permission service module. Cloud applications run on cloud application servers; in a practical deployment a cloud application server is usually a server with multi-session login functionality, and may be a virtual machine or a physical machine.
Based on the invention, the cloud application provider realizes access control of cloud applications with the following service roles, shown in Fig. 2: gateway proxy, route service module, user application permission service module, and cloud application service module.
Gateway proxy: as the interface with the user, it receives the user's link request and sends to the user either the authorized cloud application or information refusing the request; at the different service stages it also obtains relevant information by interacting with each of the other service modules, for example the authorization and authentication information for the user's rights, the valid routing address, and the authorized cloud application or the refusal information.
User application permission service module: it manages and maintains user permission information, which records which applications a user possesses and which peripherals, with which access rights and other associated rights, those applications may use; after verifying the validity of the user's rights on the gateway proxy's instruction, it feeds back the corresponding authorization and authentication information to the gateway proxy.
Application route service module: it maintains and updates the routing table, which records the distribution information related to cloud application services; on the gateway proxy's instruction it finds an available routing address and feeds it back to the gateway proxy.
Cloud application service module: it provides the running environment of the cloud application on the gateway proxy's instruction, and restricts use of the cloud application according to the permission setting information.
Fig. 1 is a schematic diagram of routing table generation. The application route service module is further provided with a state update module and a check and verification module:
State update module: it updates the information of all application servers and the usage state of all applications in the routing table. For example, after a user initiates a link request, after an available application server has been allocated to the user according to the permission and security principles, or after the application is disconnected or the link becomes invalid, the state update module updates the corresponding routing table information.
Check and verification module: when a user applies to create routing information for a new application, it checks whether the routing table has a legal and valid routing address available.
Referring to Fig. 3 and Fig. 4, after the above service roles of the invention have been fully deployed, when a user creates a cloud application link through the client, the method of cloud application access control comprises the following process:
1. The routing table is initialized. The application route service module updates the information of all application servers into the routing table, and also updates the usage state of all applications into the routing table.
2. The user initiates a link request for a cloud application through the client, containing the information of the application to be linked; the link request is transmitted to the gateway proxy together with the user authentication information.
3. The gateway proxy parses the relevant information and translates the link request into a specific application and the application's authorized peripheral information; the gateway proxy also interacts with the user application permission service module, which further confirms whether the user's rights are valid by querying the authentication server, and returns a failure if they are verified as invalid.
4. On receiving the information that the user's rights have been verified as valid, the gateway proxy interacts with the application route service module, which further searches the routing table for a qualifying application routing address. The routing policy for this search must determine, according to whether there is mutual exclusion between user rights, which servers are available; mutual exclusion means that the same application cannot be deployed on the same server.
5. After the application route service module finds an available valid routing address, it feeds it back to the gateway proxy, which links to the real cloud application server that the routing address points to; at this point the application route service module also updates in the routing table the information of the application server allocated for this link request.
Having obtained the authorized cloud application through interaction with the cloud application service module, the gateway proxy sends it to the user's client. Because the use-control information of the application is stored in the authorization service in the invention, the gateway proxy can carry the use-control information of the application matching the user's rights in the information it sends to the cloud application service module when creating the cloud link, so that when the cloud application service module provides the running environment of the cloud application it can restrict use of the cloud application according to that use-control information.
6. After the cloud application is exited or the link becomes invalid, the application route service module further updates the state of the routing table so that the next application link can use it.
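The module roles and the six-step process above, as an added Python sketch that is not the patent's own code: the gateway proxy verifies the user's rights with the permission service, asks the route service for a server under an assumed mutual-exclusion rule (users whose rights lie in different domains may not share a server for the same application), records the allocation in the routing table and releases it on exit. Server addresses, users, tokens and peripherals are constructed sample data.

```python
# Added illustration of the patent's access-control flow; the 'domain' exclusion
# rule, server addresses and all users below are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class UserRight:             # record held by the user application permission service
    token: str               # user authentication information sent with the link request
    apps: dict               # app name -> set of peripherals the user may use
    domain: str              # assumed: rights in different domains are mutually exclusive

@dataclass
class ServerState:           # one row of the routing table
    address: str
    capacity: int
    sessions: list = field(default_factory=list)   # (user, app) pairs deployed here

class PermissionService:
    def __init__(self, rights):                    # user name -> UserRight
        self.rights = rights

    def verify(self, user, token, app):
        """Step 3: return the use-control info (peripherals) or None if invalid."""
        r = self.rights.get(user)
        if r is None or r.token != token or app not in r.apps:
            return None
        return r.apps[app]

    def exclusive(self, a, b):
        """Assumed mutual-exclusion rule between two users' rights."""
        return self.rights[a].domain != self.rights[b].domain

class RouteService:
    def __init__(self, servers, perms):
        self.table = {s.address: s for s in servers}   # step 1: routing table init
        self.perms = perms

    def find_route(self, user, app):
        """Step 4: first server with free capacity where no session of the same app
        belongs to a user whose rights are mutually exclusive with this user's."""
        for s in self.table.values():
            if len(s.sessions) >= s.capacity:
                continue
            if any(a == app and self.perms.exclusive(user, u) for u, a in s.sessions):
                continue
            return s.address
        return None

    def allocate(self, address, user, app):        # step 5: state update on link
        self.table[address].sessions.append((user, app))

    def release(self, address, user, app):         # step 6: state update on exit
        self.table[address].sessions.remove((user, app))

class GatewayProxy:
    def __init__(self, perms, routes):
        self.perms, self.routes = perms, routes

    def link(self, user, token, app):
        """Steps 2-5: returns (status, server address, allowed peripherals)."""
        use_control = self.perms.verify(user, token, app)
        if use_control is None:
            return ("denied", None, None)
        address = self.routes.find_route(user, app)
        if address is None:
            return ("no_route", None, None)
        self.routes.allocate(address, user, app)
        return ("authorized", address, sorted(use_control))

    def unlink(self, user, app, address):
        self.routes.release(address, user, app)

# Constructed sample data (assumed, not from the patent).
PERMS = PermissionService({
    "alice": UserRight("tok-a", {"cad": {"printer", "usb"}}, "finance"),
    "bob":   UserRight("tok-b", {"cad": set()}, "finance"),
    "carol": UserRight("tok-c", {"cad": {"printer"}}, "rd"),
    "dave":  UserRight("tok-d", {"mail": set()}, "rd"),
})

def demo():
    """Run a sequence of link requests; return the results and sessions per server."""
    routes = RouteService([ServerState("10.0.0.1", 3), ServerState("10.0.0.2", 3)], PERMS)
    gw = GatewayProxy(PERMS, routes)
    results = [
        gw.link("alice", "tok-a", "cad"),   # first cad session -> 10.0.0.1
        gw.link("bob", "tok-b", "cad"),     # same domain as alice, shares 10.0.0.1
        gw.link("carol", "tok-c", "cad"),   # exclusive with finance -> 10.0.0.2
        gw.link("dave", "tok-d", "cad"),    # no right to cad -> denied
        gw.link("dave", "tok-d", "mail"),   # different app, no exclusion -> 10.0.0.1
        gw.link("alice", "wrong", "cad"),   # wrong authentication info -> denied
    ]
    gw.unlink("alice", "cad", "10.0.0.1")   # alice exits; routing table updated
    return results, {a: len(s.sessions) for a, s in routes.table.items()}
```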
In summary, the method of cloud application access control in a cloud computing environment provided by the invention completes routing and authentication among the internal services by way of the gateway proxy: the routing table is maintained, updated and queried for cloud application selection, and the application permission service module and the route service module jointly determine the cloud application address providing the service, so as to provide the cloud application matching the permissions and thereby complete the access control of the application.
Although the content of the present invention has been described in detail through the preferred embodiments above, it should be understood that the above description is not to be considered a limitation of the invention. After reading the above, various modifications and substitutions of the invention will be apparent to those skilled in the art. Therefore, the protection scope of the invention should be limited by the appended claims.

Claims (6)

1. A system for cloud application access control in a cloud computing environment, characterized in that it comprises:
A gateway proxy, which can interact with the other modules of the system and serves as the interface with the client, receives the link request for a cloud application and the user authentication information that the user initiates through the client, converts the link request into an application and the application's authorized peripheral information, and sends to the user's client either the authorized cloud application or information refusing the link request;
A user application permission service module, which manages and maintains user permission information recording the applications a user possesses and the access rights to their corresponding peripherals, receives the user authentication information through interaction with the gateway proxy, and after verifying the validity of the user's rights feeds back the authorization and authentication result to the gateway proxy;
An application route service module, which maintains and updates the routing table recording the distribution information of cloud application services, and, on the instruction received through interaction with the gateway proxy, determines the application servers available for deployment according to whether there is mutual exclusion between user rights, finds a valid application routing address in the routing table and feeds it back to the gateway proxy;
A cloud application service module, which through interaction with the gateway proxy receives the use-control information for the cloud application matching the user's rights, provides the running environment of the cloud application matching the permission information, and restricts use of the cloud application according to the use-control information.
2. The system as claimed in claim 1, characterized in that
the application route service module further comprises:
A state update module, which, after the user initiates a link request, after an application server is allocated according to the link request, or after the cloud application is exited or the link becomes invalid, updates the information of the application servers and the usage state of the applications in the routing table;
A check and verification module, which checks whether the routing table has an available application routing address matching the link request.
3. A method for cloud application access control in a cloud computing environment, characterized in that it comprises the following steps:
A. The user initiates a link request for a cloud application through the client, and the link request is sent to the gateway proxy together with the user authentication information;
B. The gateway proxy parses the relevant information, converts the link request into an application and the application's authorized peripheral information, and verifies the user's rights through the user application permission service module, which records the applications a user possesses and the access rights to their corresponding peripherals;
C. After receiving the information that the user's rights have been verified as valid, the gateway proxy searches, through the application route service module, for a qualifying application routing address in the routing table recording the distribution information of cloud application services; wherein, when searching for the application routing address, the application servers available for deployment are determined according to whether there is mutual exclusion between user rights;
D. According to the application routing address found, the gateway proxy links to the cloud application server matching that application routing address; the gateway proxy also sends to the cloud application service module the use-control information for the cloud application matching the user's rights, the cloud application service module provides the running environment of the cloud application matching the user's rights, the gateway proxy feeds the authorized cloud application back to the user's client, and the cloud application service module restricts use of the cloud application according to the use-control information.
4. The method as claimed in claim 3, characterized in that
before step A, the routing table is also initialized by the application route service module, so as to update the information of all application servers and the usage state of all applications.
5. The method as claimed in claim 3, characterized in that
in step D, the application route service module also updates in the routing table the information of the application server allocated for this link request.
6. The method as claimed in claim 3, characterized in that
after step D, when the cloud application is exited or the link becomes invalid, the application route service module also updates the state of the routing table so that the next application link can use it.

Priority Applications (1)

Application number CN201410101018.0A (CN103944883B); priority date 2014-03-19; filing date 2014-03-19; title: The system and method for cloud application access control under a kind of cloud computing environment

Publications (2)

CN103944883A, published 2014-07-23
CN103944883B, published 2017-08-11

Family

ID=51192367

Country Status (1)

CN: CN103944883B

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104158879B (en) * 2014-08-18 2018-02-23 浪潮(北京)电子信息产业有限公司 A kind of distributive data center cloud management platform architecture system and method
EP3128382B1 (en) * 2015-08-05 2018-11-07 ABB Schweiz AG Secure mobile access for automation systems
CN105657033B (en) * 2016-02-02 2019-04-23 明博教育科技股份有限公司 A kind of user-isolated resource access method and system
CN108206803B (en) * 2016-12-16 2021-02-05 腾讯科技(深圳)有限公司 Service agency processing method and device
CN106850838A (en) * 2017-03-06 2017-06-13 深圳铂睿智恒科技有限公司 The control method and system of mobile terminal cloud application
CN107249209A (en) * 2017-06-09 2017-10-13 苏州汉明科技有限公司 wireless local area network gateway management method and system
CN107707522A (en) * 2017-08-14 2018-02-16 北京奇安信科技有限公司 A kind of authority control method and device based on cloud agency
CN107707641B (en) * 2017-09-25 2020-12-25 睿哲科技股份有限公司 Method and equipment for maintaining IPv6 cloud host through IPv4 terminal
CN110661747B (en) * 2018-06-28 2022-06-28 南京南瑞继保工程技术有限公司 Terminal safety control method for rail transit cloud
CN109391683B (en) * 2018-09-26 2021-04-02 上海超算科技有限公司 Data and service fusion agent system facing network application authorization and implementation method thereof
CN111193720A (en) * 2019-12-16 2020-05-22 中国电子科技集团公司第三十研究所 Trust service adaptation method based on security agent
CN111314130B (en) * 2020-02-13 2022-09-13 浪潮软件股份有限公司 Service management and control device and method
CN111488595B (en) * 2020-03-27 2023-03-28 腾讯科技(深圳)有限公司 Method for realizing authority control and related equipment
CN112329034B (en) * 2020-11-02 2024-02-23 杭州当虹科技股份有限公司 Application proxy method capable of controlling access policy based on application platform
CN113572738B (en) * 2021-06-29 2023-04-07 中孚安全技术有限公司 Zero trust network architecture and construction method
CN113378254A (en) * 2021-07-13 2021-09-10 重庆云图软件科技有限公司 Three-dimensional CAD cloud engine system
CN117349850A (en) * 2022-06-28 2024-01-05 中兴通讯股份有限公司 USB device management and control method, cloud device, terminal device and storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101132344A (en) * 2007-08-24 2008-02-27 上海可鲁系统软件有限公司 Safe intercommunication method and apparatus between two isolated networks
CN101741817A (en) * 2008-11-21 2010-06-16 中国移动通信集团安徽有限公司 System, device and method for multi-network integration
CN103237019A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Cloud service accessing gateway system and cloud service accessing method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN102055730B (en) * 2009-11-02 2013-09-11 华为终端有限公司 Cloud processing system, cloud processing method and cloud computing agent device


Also Published As

Publication number Publication date
CN103944883A (en) 2014-07-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant