CN104486357A - Method for achieving role-based access control (RBAC) based on SSH website - Google Patents


Info

Publication number
CN104486357A
Authority
CN
China
Prior art keywords
role
user
authority
session
information
Legal status
Pending
Application number
CN201410843787.8A
Other languages
Chinese (zh)
Inventor
周世义
刘若鸿
武扬
刘伟
段明明
Current Assignee
BEIJING DEVELOPMENT AREA Co Ltd
Original Assignee
BEIJING DEVELOPMENT AREA Co Ltd
Priority date
2014-12-30
Filing date
2014-12-30
Publication date
2015-04-01

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for implementing role-based access control (RBAC) on an SSH website. The method comprises the following steps: a user requests access to a page, and whether the user name variable in the Session is null is checked; if it is null, the user is redirected to a login page to log in, otherwise the user information is stored in the Session; the user accesses the database, and the user information of the successful login is stored in the Session; an ORM module accesses the database and obtains the permission information corresponding to the accessed page; an AOP interceptor is triggered and obtains the user's permission information from the Session; the AOP interceptor evaluates the user's permission information, and if it includes the permission information corresponding to the accessed page the access succeeds, otherwise it fails. The method has the advantages that the logic is clear, the coupling between the individual pieces of logic is low, the reusability of the program is high, and development efficiency is high.

Description

A method for implementing RBAC access control on an SSH website
Technical field
The present invention relates to the technical fields of access control and website development, and in particular to a method for implementing RBAC access control on an SSH website.
Background technology
In modern information systems, security management has always been an important part. Access control technology is a key link in a secure information system; its main task is to ensure that resources are not used or accessed illegally. Role-based access control (RBAC) has received wide attention as a replacement for traditional access control. RBAC comprises three entities: users, roles and permissions. A user is the subject that operates on data objects; it can be a person, a robot, a computer and so on. A permission is the right to perform an operation on a certain data object. A role is the intermediate bridge between users and permissions. By introducing the concept of the role, RBAC achieves the logical separation of users from permissions, supports the separation of responsibilities between technical staff and business staff, and lets a user obtain the permission to operate on an object by obtaining a role, thereby realizing permission management and control.
However, in traditional RBAC the role types are fixed when the information system is built and the association between roles and permissions is likewise bound, so the system is poorly extensible, the coupling between the pieces of logic is high, the reusability of the program is low and development efficiency is low.
Summary of the invention
To solve the above problems, the object of the present invention is to provide a method for implementing RBAC access control on an SSH website that has clear logic, low coupling, high program reusability and high development efficiency.
The invention provides a method for implementing RBAC access control on an SSH website, characterized in that it comprises the following steps:
Step 1: the user requests access to a page, and whether the user name variable in the Session is empty is checked; if it is empty, the user is redirected to the login page to log in, otherwise the user information is kept in the Session;
Step 2: the user accesses the database, and the user information of the successful login is stored in the Session;
Step 3: the ORM module accesses the database and obtains from it the permission information corresponding to the accessed page;
Step 4: the AOP interceptor is triggered, and the AOP interceptor obtains the user's permission information from the Session;
Step 5: the AOP interceptor evaluates the user's permission information; if it includes the permission information obtained in step 3, the user's access succeeds, otherwise it fails.
Wherein, the database comprises:
a user table, comprising a user code and a user name, for storing user information;
a role table, comprising a role code and a role name, for storing role information;
a permission table, comprising a permission code, a permission name and a URL address, for storing the concrete permission information;
a user-role table, comprising a user code and a role code, implementing the many-to-many mapping between users and roles;
a role-permission table, comprising a role code and a permission code, implementing the many-to-many mapping between roles and permissions;
the role table is associated many-to-many with the user table through the user-role table;
the role table is associated many-to-many with the permission table through the role-permission table.
As a further improvement of the present invention, a parent role code is added to the role table to accommodate the classification of roles.
As a further improvement of the present invention, the user information, the role information and the permission information are all stored in the Session in the form of named variables.
The beneficial effects of the present invention are:
1. Through the design of the database, the logic of users and the logic of permissions are well separated, and the coupling between the individual pieces of logic is reduced;
2. Through the ORM module's access to the database and the AOP interceptor's check of the visiting user's permissions, the calling program is highly reusable and development efficiency is high.
Brief description of the drawings
Fig. 1 is a structure diagram of the database described in an embodiment of the present invention.
Fig. 2 is a flow chart of the method for implementing RBAC access control on an SSH website described in an embodiment of the present invention.
Embodiment
The present invention is described in further detail below through specific embodiments with reference to the accompanying drawings.
As shown in Figure 1, the database of the present invention comprises:
a user table, comprising a user code userid and a user name username, for storing user information;
a role table, comprising a role code roleid and a role name rolename, for storing role information;
a permission table, comprising a permission code rightid, a permission name rightname and a URL address, for storing the concrete permission information;
a user-role table, comprising a user code userid and a role code roleid, implementing the many-to-many mapping between users and roles;
a role-permission table, comprising a role code roleid and a permission code rightid, implementing the many-to-many mapping between roles and permissions;
the role table is associated many-to-many with the user table through the user-role table;
the role table is associated many-to-many with the permission table through the role-permission table.
As shown in Figure 2, the method for implementing RBAC access control on an SSH website described in the embodiment of the present invention comprises the following steps:
Step 1: the user requests access to a page, and whether the username variable in the Session is empty is checked; if it is empty, the user is redirected to the login page to log in, otherwise the user information is kept in the Session;
Step 2: the user accesses the database, and the user information of the successful login is stored in the Session;
Step 3: the ORM module accesses the database and obtains from it the permission information corresponding to the accessed page;
Step 4: the AOP interceptor is triggered, and the AOP interceptor obtains the user's permission information from the Session;
Step 5: the AOP interceptor evaluates the user's permission information; if it includes the permission information obtained in step 3, the user's access succeeds, otherwise it fails.
Since a page visited by a user is simply a URL address, while the permissions a user holds are identified by codes when they are entered, an association must be established between URL addresses and permission codes. Because the association between URL addresses and permissions is kept in the database, the database must be accessed through the ORM module in order to query the permission corresponding to a URL address.
When the user logs in, the user code userid, the user name username, the role code roleid, the role name rolename, the permission code rightid, the permission name rightname and the URL address that the user holds are stored in the Session as named variables, ready to be called when needed. When the user accesses a certain page, the AOP interceptor is triggered; it obtains the user's permission information from the Session and compares it with the permission information obtained by the ORM module, to determine whether the user has the permission to access this page, thereby realizing access control.
As a further improvement of the present invention, a parent role code is added to the role table to accommodate the classification of roles.
The foregoing are only preferred embodiments of the present invention and do not limit it; for a person skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
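The following is an added example, not code from the patent or its assignee: a framework-free Python model of both the five-table schema of Figure 1 and the request flow of Figure 2, so the two can be read together. Table and column names follow the description (userid, username, roleid, rolename, rightid, rightname, URL); the sample rows, the "/login" redirect target, and the decision to deny a URL that has no row in the permission table are constructed assumptions. The patent does not describe how credentials are verified at login, so the login function only resolves the user and is commented accordingly.

```python
from typing import Optional

# Constructed sample rows following the patent's five-table schema.
USERS = {1: "alice", 2: "bob"}                      # user table: userid -> username
ROLES = {10: "admin", 20: "editor"}                 # role table: roleid -> rolename
RIGHTS = {                                          # permission table: rightid -> (rightname, url)
    100: ("view_reports", "/reports/list"),
    101: ("delete_user", "/admin/user/delete"),
    102: ("edit_article", "/articles/edit"),
}
USER_ROLE = {(1, 10), (2, 20)}                      # user-role table (many-to-many)
ROLE_RIGHT = {(10, 100), (10, 101), (20, 102)}      # role-permission table (many-to-many)

LOGIN_REDIRECT, ALLOWED, DENIED = "redirect:/login", "200 OK", "403 Forbidden"


# ---- ORM layer: the joins the flow needs ----
def roles_for_user(userid: int) -> set:
    """user -> roles through the user-role link table."""
    return {r for (u, r) in USER_ROLE if u == userid}


def rights_for_roles(roleids: set) -> set:
    """roles -> permissions through the role-permission link table."""
    return {rt for (r, rt) in ROLE_RIGHT if r in roleids}


def rights_for_user(userid: int) -> set:
    """Full join: user -> user_role -> role -> role_right -> permission."""
    return rights_for_roles(roles_for_user(userid))


def right_for_url(url: str) -> Optional[int]:
    """Step 3: the permission code bound to the requested URL, or None if unmapped."""
    for rightid, (_name, right_url) in RIGHTS.items():
        if right_url == url:
            return rightid
    return None


# ---- login (step 2): cache user, role and permission data in the Session ----
def login(session: dict, username: str) -> bool:
    """Resolve the user and store the named variables the patent lists.
    The patent does not describe credential checking; a real login verifies
    the password before this point. Returns False for an unknown user."""
    for userid, name in USERS.items():
        if name == username:
            roleids = roles_for_user(userid)
            rightids = rights_for_roles(roleids)
            session.update({
                "userid": userid,
                "username": username,
                "roleid": roleids,
                "rolename": {ROLES[r] for r in roleids},
                "rightid": rightids,
                "rightname": {RIGHTS[rt][0] for rt in rightids},
                "url": {RIGHTS[rt][1] for rt in rightids},
            })
            return True
    return False


# ---- AOP interceptor (steps 4 and 5) ----
def aop_interceptor(session: dict, required_rightid: Optional[int]) -> bool:
    """Compare the Session's permission codes with the code the page requires."""
    if required_rightid is None:
        return False   # assumption: a URL with no permission row is denied (fail closed)
    return required_rightid in session.get("rightid", set())


# ---- request handling: step 1, then steps 3 to 5 ----
def handle_request(session: dict, url: str) -> str:
    if session.get("username") is None:     # step 1: no user name in the Session
        return LOGIN_REDIRECT
    required = right_for_url(url)           # step 3: ORM lookup for this page
    return ALLOWED if aop_interceptor(session, required) else DENIED


if __name__ == "__main__":
    s = {}
    print(handle_request(s, "/reports/list"))   # redirect:/login
    login(s, "alice")
    print(handle_request(s, "/reports/list"))   # 200 OK
    print(handle_request(s, "/articles/edit"))  # 403 Forbidden
```

Two consequences of the design are visible in this model. The permission set is computed once at login and then read only from the Session, so a role or permission change in the database does not affect an already logged-in user until the Session is rebuilt. And because the URL-to-permission binding lives in the permission table, a page that nobody has added a row for has no permission code at all; the model treats that as a denial, which is the choice to make explicit rather than leave implicit.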

Claims (4)

1. A method for implementing RBAC access control on an SSH website, characterized in that it comprises the following steps:
Step 1: the user requests access to a page, and whether the user name variable in the Session is empty is checked; if it is empty, the user is redirected to the login page to log in, otherwise the user information is kept in the Session;
Step 2: the user accesses the database, and the user information of the successful login is stored in the Session;
Step 3: the ORM module accesses the database and obtains from it the permission information corresponding to the accessed page;
Step 4: the AOP interceptor is triggered, and the AOP interceptor obtains the user's permission information from the Session;
Step 5: the AOP interceptor evaluates the user's permission information; if it includes the permission information obtained in step 3, the user's access succeeds, otherwise it fails.
2. The method for implementing RBAC access control on an SSH website according to claim 1, characterized in that the database comprises:
a user table, comprising a user code and a user name, for storing user information;
a role table, comprising a role code and a role name, for storing role information;
a permission table, comprising a permission code, a permission name and a URL address, for storing the concrete permission information;
a user-role table, comprising a user code and a role code, implementing the many-to-many mapping between users and roles;
a role-permission table, comprising a role code and a permission code, implementing the many-to-many mapping between roles and permissions;
the role table is associated many-to-many with the user table through the user-role table;
the role table is associated many-to-many with the permission table through the role-permission table.
3. The method for implementing RBAC access control on an SSH website according to claim 2, characterized in that a parent role code is added to the role table to accommodate the classification of roles.
4. The method for implementing RBAC access control on an SSH website according to claim 2, characterized in that the user information, the role information and the permission information are all stored in the Session in the form of named variables.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410843787.8A CN104486357A (en) 2014-12-30 2014-12-30 Method for achieving role-based access control (RBAC) based on SSH website

Publications (1)

Publication Number Publication Date
CN104486357A true CN104486357A (en) 2015-04-01

Family

ID=52760861

Country Status (1)

Country Link
CN (1) CN104486357A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140157350A1 (en) * 2012-12-03 2014-06-05 Microsoft Corporation Role-based access control modeling and auditing system
CN104063636A (en) * 2013-03-22 2014-09-24 鸿富锦精密工业(深圳)有限公司 Role permission control method and system
CN104052747A (en) * 2014-06-23 2014-09-17 桂林长海科技有限责任公司 Permission management system based on RBAC
CN104243453A (en) * 2014-08-26 2014-12-24 中国科学院信息工程研究所 Access control method and system based on attribute and role

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
任翔: "基于J2EE权限管理系统平台设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
郭文龙等: "基于SSH框架的RBAC设计与实现", 《软件》 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262780A (en) * 2015-11-27 2016-01-20 国网信息通信产业集团有限公司 Authority control method and system
CN105262780B (en) * 2015-11-27 2018-12-18 国网信息通信产业集团有限公司 A kind of authority control method and system
CN107147671A (en) * 2017-06-19 2017-09-08 上海斐讯数据通信技术有限公司 One kind is based on website route access right control method, access method and system
CN110971563A (en) * 2018-09-28 2020-04-07 北京国双科技有限公司 Authority information processing method and device
CN110971563B (en) * 2018-09-28 2022-10-04 北京国双科技有限公司 Authority information processing method and device
CN109472127A (en) * 2018-10-11 2019-03-15 北京三快在线科技有限公司 Permission processing method, device, using side apparatus and storage medium
CN111625842A (en) * 2019-02-28 2020-09-04 武汉朗立创科技有限公司 Permission control system based on RBAC
CN110727929A (en) * 2019-10-12 2020-01-24 北京明略软件系统有限公司 AOP-based line-level authority control method, device and client
CN110727929B (en) * 2019-10-12 2021-07-30 北京明略软件系统有限公司 AOP-based line-level authority control method, device and client
CN110750747A (en) * 2019-10-22 2020-02-04 杭州安恒信息技术股份有限公司 Page jump method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150401