Summary of the invention
The technical problem to be solved in the present invention is the defect cannot carrying out priority assignation for prior art file uploader to file, there is provided one can prevent file from revealing and by mistake amendment, the mandate method for authenticating of cloud file-sharing of the control of authority and files passe person can conduct interviews to file.
The technical solution adopted for the present invention to solve the technical problems is:
The invention provides a kind of mandate method for authenticating of cloud file-sharing, comprise the following steps:
S1, primary user use oneself user name, after password login server, upload the file that will share;
After S2, files passe complete, primary user can in the user interface of server end, adds the token of primary user, from the user name of user and token, and arranges from the access rights of user to the shared file uploaded;
S3, primary user complete after the mandate of user, inform from user by the user name of primary user, password and the token from user, by authentication, specifically will comprise the following steps from user login services device end:
S31, utilize primary user from user username and password logon server after, server request, acquisition checking are from the token of user;
S32, server according to after checking from User Token, find the user name from user, and get from the access rights of user to shared file from server.
The particular content that step S2 shared file is arranged is for comprising:
Server is preserved and is arranged result in access control list ACL and User Control List UCL;
The list of access control list ACL include file, to the user list that listed files is assigned, user list to the list of access rights of listed files file, additional conditions list and user founder;
User Control List UCL comprises user name and token.
Described additional conditions list comprises: spatial geographical locations information, equipment identification information or for empty, be not construed as limiting for sky represents.
User interface in step S2 specifically comprises:
New user adds interface, and primary user adds the token of primary user in this interface, add prepare to arrange file access authority from user, and arrange from the user name of user and token;
User file access rights arrange interface, and primary user can be arranged from the access rights of user to file in this interface, arranges content and comprises listed files, user list, list of access rights, additional conditions list and user founder.
In step S2 after completing and arranging the access rights from user, primary user can continue logon server and add other access rights, or to the operation that these access rights are modified and deleted.
In step S3 from user to the authority of file be ownership in limited time, can should again distribute authority to specified file for other users from user, further expand mandate.
The present invention also provides a kind of mandate right discriminating system of cloud file-sharing, specifically comprises:
Files passe unit, after using user name logon server primary user, uploads the file that will share;
Primary user's granted unit, for after files passe completes, primary user, in the user interface of server end, adds the token of primary user, from the user name of user and token, and arranges from the access rights of user to the shared file uploaded;
From subscription authentication unit, for completing primary user after the mandate of user, the user name of primary user, password and the token from user being informed from user, carrying out authentication from user login services device end, specifically comprising:
Token authentication unit, for after the username and password logon server utilizing primary user from user, server request, acquisition checking are from the token of user;
Authority acquiring unit, server according to after checking from User Token, find the user name from user, and get from the access rights of user to shared file from server.
Described primary user's granted unit specifically comprises:
Access Control List (ACL) unit, for being saved in the access control list ACL of server by arranging result, this Access Control List (ACL) include file list, to the user list that listed files is assigned, user list to the list of access rights of listed files file, additional conditions list and user founder;
User Control List unit, for being saved in the User Control List UCL of server by arranging result, this User Control List comprises user name and token.
User interface in primary user's granted unit specifically comprises:
New user adds interface, and primary user adds the token of primary user in this interface, add prepare to arrange file access authority from user, and arrange from the user name of user and token;
User file access rights arrange interface, and primary user can be able to be arranged from the access rights of user to file in this interface, arranges content and comprises listed files, user list, list of access rights, additional conditions list and user founder.
From subscription authentication unit from user to the authority of file be ownership in limited time, can should again distribute authority to specified file for other users from user, further expand mandate.
The beneficial effect that the present invention produces is: the mandate method for authenticating that the invention provides a kind of cloud file-sharing, by using token, different users is identified, make non-administrative users also access rights can be set for different user to the cloud shared file uploaded, and by server end, the token from user is identified, and then authentication is carried out to it; The method can prevent file from leaking, by mistake amendment, and convenient and swift, and amount of calculation is little, easily realizes.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearly understand, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
As shown in Figure 1, the mandate method for authenticating of cloud file-sharing of the present invention comprises the following steps:
S1, primary user upload the file that will share after using user name UserName and token Token logon server.Such as: primary user utilizes oneself cloud account number (being assumed to be " cug "), and password (being assumed to be " 123456 ") log in Cloud Server and (be assumed to be Kingsoft cloud dish, Baidu's cloud dish, some in Ali's cloud dish) after, upload file (supposing that file is called F1, F2, F3); After files passe completes, automatically can add one at server end and be recorded in access control list ACL, this is recorded as <FList={F1, F2, F3}, UserName=Master, OWN, CList=NULL, ByWhom=NULL>; Then server can continue automatically to add one and is recorded in User Control List UCL, and this is recorded as <UserName=Master, Token=Master>.
After S2, files passe complete, the user interface of primary user's logon server end.In one embodiment of the present of invention, this user interface specifically can comprise:
New user adds interface, primary user can the token of primary user oneself in this interface, add prepare arrange file access authority from user, and the user name UserName arranged from user and token Token, such as, <UserName1, Token1>, <UserName2, Token2>;
User file access rights arrange interface, and primary user can be able to be arranged from the access rights of user to file in this interface, arranges content and comprises listed files, user list, list of access rights, additional conditions list and document creation person.Add from UserName and Token of user, arrange from the access rights of user to the shared file uploaded, such as, <F1, UserName1, Modify, NULL, Master>, <F2, UserName1, Update, Null, Master>, <F3, UserName2, Read, NULL, Master>; In other words the ByWhom in 3 records newly added is primary user Master, and CList is empty, does not namely limit.Complete after the priority assignation of user primary user, primary user can continue the operation of modifying to access rights in this priority assignation page and deleting.
After accomplishing the setting up, in the result arranged in server preservation interface to the ACL table and UCL table of server.Then primary user is by the cloud account number of oneself, and namely and password, and inform from user from the Token that user is corresponding, namely " cug ", " 123456 ", " Token1 " inform user 1, and " cug ", " 123456 ", " Token2 " inform user 2.
Wherein, the listed files FList in ACL comprises one or more file name F, and user list UList comprises one or more user's name UserName; List of access rights PList comprises one or more access rights title P; Additional conditions list CList comprises one or more additional conditions title C; In addition, the relation between them be user in UList to the cloud file name FList be assigned, when additional conditions CList meets, there is identical cloud file access authority name PList, document creation person ByWhom; User Control List UCL comprises user name UserName and token Token.
Additional conditions list CList comprises: spatial geographical locations information, equipment identification information, or is NULL, and expression is not construed as limiting.Equipment beacon information comprises: from the terminal equipment MAC Address of user, from the IMSI of the terminal equipment of user, and the IMEI of terminal equipment from user.List of access rights PList specifically comprises: have authority (OWN), upgrades authority (Update), amendment authority (Modify), read right (READ).
S3, primary user complete after the mandate of user, carry out authentication, specifically comprise the following steps from user login services device end:
S31, after user login services device, server obtains and verifies the token Token from user; Such as, user 2 is after the cloud account number utilizing primary user and password login Cloud Server, and server will inquire its Token; User 2 shows that its Token is Token2.
S32, server according to after checking from User Token Token, find the user name UserName from user, and get from the access rights of user to shared file from server.
This step S32 can be specially further, and server, after the Token learning current login user, learns its UserName according to UCL, and obtains its FList that can access according to UserName access ACL, and PList and CList corresponding with FList; Such as, in this example, server is after learning that its Token is Token2, learn that its UserName is UserName2 according to UCL, then access ACL according to UserName2 and obtain <F3, UserName2, Read, NULL, Master>, namely " can read " file F3.
If some file permission that the user name UserName obtained is corresponding is OWN authority, then this user name UserName further can expand Authorized operation to these files.
In another embodiment of the mandate method for authenticating of cloud file-sharing of the present invention, in the process of authorizing from user, user file access rights arrange interface, comprise filename, user name, authority name, additional conditions name; Such as, <FList={F1, F2}, UserName1, OWN, NULL, Master>, <F3, UserName2, Read, NULL, Master>; In other words F1 and F2 is OWN authority for UserName1, and UserName1 can continue the authority of allocate file.
So to carrying out in the process of authentication from user, from user such as user 1 after the cloud account number utilizing primary user and password login Cloud Server, server will inquire its Token; User 1 shows that its Token is Token1.Server is after learning that its Token is Token1, learn that its UserName is UserName1 according to UCL, then access ACL according to UserName1 and obtain <FList={F1, F2}, UserName1, OWN, NULL, Master>, namely can continue to distribute authority to file F1 and F2.
If the P that some F in the FList that this UserName is corresponding is corresponding is OWN authority, then UserName further can expand Authorized operation to these F, comprise: add new user UserName_Sub, (new record is new user UserName_Sub in ACL to preserve new record, to the access rights P of file F, and the ByWhom of new record is this UserName); Add new user name and claim UserName_Sub and Token to UCL.
In the present embodiment, user 1 can be considered group leader, continue to distribute group member and carry out Document Editing, such as UserName1 is to interpolation UserName_Sub1 and UserName_Sub2, to Token be Token_Sub1 and Token_Sub2, by <UserName_Sub1, Token_Sub1> and <UserName_Sub2, in Token_Sub2> to UCL; The access rights of two group members are set, such as: <F1, UserName_Sub1, Modify, NULL, UserName1>, <F2, UserName_Sub2, Modify, NULL, UserName1>, add in ACL, the ByWhom of these 2 records is UserName1 as seen.These two group members can modify respectively to file F1 and F2, but can not upgrade, and upgrade and are responsible for by group leader.
When CList is not empty, such as: <F3, UserName2, Read, CList={Location=Nanjing }, Master>, so only has geographical position UserName2 when Nanjing just can read (" Read ") file F3; <F3, UserName2, Read, CList={Location=Nanjing, MAC=AABBCCDD}, Master>, so only have geographical position when Nanjing, and the MAC Address of equipment used is when being " AABBCCDD ", UserName2 just can read (" Read ") file F3.
As shown in Figure 2, the mandate right discriminating system of the cloud file-sharing of the embodiment of the present invention, for realizing the mandate method for authenticating of the cloud file-sharing of above-described embodiment, specifically comprises:
Files passe unit 201, after using user name logon server primary user, uploads the file that will share;
Primary user's granted unit 202, for after files passe completes, the user interface of primary user's logon server end, adds the user name from user and token, and arranges from the access rights of user to the shared file uploaded;
From subscription authentication unit 203, for completing primary user after the mandate of user, the user name of primary user, password and the token from user being informed from user, carrying out authentication from user login services device end, specifically comprising:
Token authentication unit, for after the username and password logon server utilizing primary user from user, server request, acquisition checking are from the token of user;
Authority acquiring unit, server according to after checking from User Token, find the user name from user, and get from the access rights of user to shared file from server.
Primary user's granted unit specifically comprises:
Access Control List (ACL) unit, for being saved in the access control list ACL of server by arranging result, this Access Control List (ACL) include file list, to the user list that listed files is assigned, user list to the list of access rights of listed files file, additional conditions list and user founder;
User Control List unit, for being saved in the User Control List UCL of server by arranging result, this User Control List comprises user name and token.
User interface in primary user's granted unit specifically comprises:
New user adds interface, and primary user adds the token of primary user in this interface, add prepare to arrange file access authority from user, and arrange from the user name of user and token;
User file access rights arrange interface, and primary user can be able to be arranged from the access rights of user to file in this interface, arranges content and comprises listed files, user list, list of access rights, additional conditions list and user founder.
From subscription authentication unit from user to the authority of file be ownership in limited time, can should again distribute authority to specified file for other users from user, further expand mandate.
Should be understood that, for those of ordinary skills, can be improved according to the above description or convert, and all these improve and convert the protection range that all should belong to claims of the present invention.