Summary of the invention
The embodiments of the present invention provide a user permission control method and device that are suitable for electronic business hall systems with a very large number of users.
A first aspect of the embodiments of the present invention provides a user permission control method, comprising:
obtaining the user information of an accessing user, the user information including at least one attribute value;
matching the at least one attribute value against role expressions to obtain the role of the accessing user;
obtaining a user permission set corresponding to the role, the user permission set including at least one business function;
controlling user permissions according to the user permission set.
With reference to the first aspect, in a first possible implementation, matching the at least one attribute value against role expressions to obtain the role of the accessing user comprises:
generating a role decision binary tree according to the role expression;
matching the at least one attribute value against the role decision binary tree using a post-order traversal matching algorithm to obtain the role of the accessing user.
With reference to the first aspect or the first possible implementation, in a second possible implementation, controlling user permissions according to the user permission set comprises:
if the business function the user accesses belongs to the user permission set, allowing the user to access the business function;
if the business function the user accesses does not belong to the user permission set, forbidding the user to access the business function.
With reference to the first aspect or the first or second possible implementation, in a third possible implementation, matching the at least one attribute value against role expressions to obtain the role of the accessing user comprises:
in the session establishment phase, matching the at least one attribute value against the role expressions to obtain the role of the accessing user.
With reference to the first aspect or any one of the first to third possible implementations, in a fourth possible implementation, obtaining the user permission set corresponding to the role comprises:
obtaining the user permission set corresponding to the role according to a mapping table of roles and user permission sets.
A second aspect of the embodiments of the present invention provides a user permission control device, comprising:
an obtaining module, configured to obtain the user information of an accessing user, the user information including at least one attribute value;
a matching module, configured to match the at least one attribute value against role expressions to obtain the role of the accessing user;
the obtaining module being further configured to obtain a user permission set corresponding to the role, the user permission set including at least one business function;
a control module, configured to control user permissions according to the user permission set.
With reference to the second aspect, in a first possible implementation, the matching module is specifically configured to generate a role decision binary tree according to the role expression, and to match the at least one attribute value against the role decision binary tree using a post-order traversal matching algorithm to obtain the role of the accessing user.
With reference to the second aspect or the first possible implementation, in a second possible implementation, the control module is specifically configured to: allow the user to access the business function if the business function the user accesses belongs to the user permission set; and forbid the user to access the business function if the business function the user accesses does not belong to the user permission set.
With reference to the second aspect or the first or second possible implementation, in a third possible implementation, the matching module is specifically configured to match, in the session establishment phase, the at least one attribute value against the role expressions to obtain the role of the accessing user.
With reference to the second aspect or any one of the first to third possible implementations, in a fourth possible implementation, the obtaining module is specifically configured to obtain the user permission set corresponding to the role according to a mapping table of roles and user permission sets.
The user permission control method and device provided in the embodiments of the present invention obtain the user information of the accessing user, the user information including at least one attribute value; match the at least one attribute value against role expressions to obtain the role of the accessing user; obtain the user permission set corresponding to the role, the user permission set including at least one business function; and control user permissions according to the user permission set. It can be seen that, in this process, the role of the accessing user is obtained dynamically on each access by matching the accessing user's attribute values against role expressions. Roles do not need to be pre-configured, so the method is suitable for electronic business hall systems with a very large number of users.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The present invention obtains at least one attribute value of the accessing user, matches the at least one attribute value against role expressions to obtain the accessing user's role dynamically, obtains the corresponding user permission set according to the role, and controls user permissions according to the user permission set. The user's role does not need to be configured statically; it is determined dynamically when the user uses the online electronic business hall system, so the method is suitable for electronic business hall systems with a very large number of users. In addition, the correspondence between roles and user permission sets can be modified flexibly according to actual operational needs. When a user's attribute values change, the accessing user's role also changes to the role that matches the new attribute values, so developers no longer need to modify the role code corresponding to the user while the online electronic business hall system is in operation, which shortens the version release cycle and reduces operation and maintenance costs.
In the existing hard-coded approach, the access permission control code for each business function is written into the business function module itself, so the access permission control code is scattered across the business function modules. By contrast, the present invention uses a unified permission view, which facilitates the allocation and management of user permissions. Moreover, in the hard-coded approach, modifying the permission control code may make a business function module locally unstable and affect the reliable operation of the system, whereas the solution of the present invention requires no code changes and therefore does not affect the stability and reliability of the system. Furthermore, developers no longer need to write permission control code in each business function module; permissions are handled by a single body of permission configuration management code, which can be reused directly in other similar versions, improving the degree of product componentization.
The technical solutions of the present invention are described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and identical or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a flow diagram of embodiment one of the user permission control method of the present invention. The method of this embodiment is as follows:
S101: Obtain the user information of the accessing user; the user information includes at least one attribute value.
Specifically, during user login, the user information related to the user may be extracted from the user's data model according to information that uniquely identifies the user. The user information to be obtained may differ between electronic business halls. For example, in the online business hall of a mobile operator, the attribute values may be: network entry time, home location, arrears state, login state, and so on; in an online shopping business hall such as Taobao, the attribute values may be: registration time, number of purchases, amount spent, and so on.
S102: Match the at least one attribute value against role expressions to obtain the role of the accessing user.
Different roles correspond to different role expressions. The at least one attribute value in the user information is matched against each role expression, and the role corresponding to the matching role expression is taken as the role of the accessing user. Generally, the at least one attribute value is matched against the role expressions in the session establishment phase to obtain the role of the accessing user.
There are many ways to match the at least one attribute value against a role expression, and the present invention does not limit this. One way is as follows: each role expression is defined to contain variables, reference values corresponding to the variables, and the logical relationships between the variables and the reference values. After the user's attribute values are obtained, the variables in the role expression are replaced with the corresponding attribute values, the result of the role expression is computed according to the logical relationships between the variables and the reference values, and the role of the accessing user is determined according to the result.
More specifically, a role decision binary tree may be generated according to the role expression; the at least one attribute value is then matched against the role decision binary tree using a post-order traversal matching algorithm to obtain the role of the accessing user.
S103: Obtain the user permission set corresponding to the role; the user permission set includes at least one business function.
The correspondence between roles and user permission sets can be stored in various data structures. One of them is a mapping table of roles and user permission sets, an example of which is shown in Table 1; the user permission set corresponding to a role is obtained according to this mapping table.
Table 1: Mapping table of roles and user permission sets
The user permission set includes at least one business function, for example: points query, points redemption, historical bill query, and so on.
S104: Control user permissions according to the user permission set.
Specifically, if the business function the user accesses belongs to the user permission set, the user is allowed to access that business function;
if the business function the user accesses does not belong to the user permission set, the user is forbidden to access that business function.
In this embodiment, the user information of the accessing user is obtained, the user information including at least one attribute value; the at least one attribute value is matched against role expressions to obtain the role of the accessing user; the user permission set corresponding to the role is obtained, the user permission set including at least one business function; and user permissions are controlled according to the user permission set. It can be seen that, in this process, the role of the accessing user is obtained dynamically in each login process by matching the accessing user's attribute values against role expressions. Roles do not need to be pre-configured, so the method is suitable for electronic business hall systems with a very large number of users.
In the above embodiment, different roles correspond to different role expressions. The role expressions are carefully designed so that matching at least one attribute value of the user against them determines the different user roles.
In the above embodiment, a role expression includes at least one atomic expression. Each atomic expression consists of an entity attribute, an operator, and an entity attribute value. An expression that contains two or more atomic expressions is called a compound expression, and the relationships between the atomic expressions in a compound expression are expressed by logical operation connectors.
For example, an expression containing two atomic expressions has the form: [entity attribute, operator, entity attribute value] [logical operation connector] [entity attribute, operator, entity attribute value]
For example, in the code "login==true&&subscriberType==0", "login==true" is one atomic expression, in which "login" is the entity attribute, "==" is the operator, and "true" is the entity attribute value; "subscriberType==0" is another atomic expression, in which "subscriberType" is the entity attribute, "==" is the operator, and "0" is the entity attribute value; "&&" is the logical operation connector between the two atomic expressions.
The rule definitions of operators, the rule definitions of logical operation connectors, and the priority adjustment symbol are described below in table form:
Table 1: Rule definitions of operators
Table 2: Rule definitions of logical operation connectors
Operator | Description | Operation data type
and | And | Operation expression
or | Or | Operation expression
Table 3: Priority adjustment symbol
Operator | Description | Operation data type
() | And | Operation expression
The present invention also provides an example that illustrates generating a role decision binary tree according to a role expression and then matching at least one attribute value against the role decision binary tree using the post-order traversal matching algorithm to obtain the role of the accessing user.
The example is as follows:
Role: loyal user
Role expression: "login==true and subscriberType==0 and activeDate > '2012-01-01' and (status=='B01' or status=='B02')"
Meaning of the expression: the user has been on the network for more than 2 years, is a prepaid user whose service is not suspended, and has completed login.
Function definition: this role can use the points redemption function.
The role decision binary tree generated from the role expression in the above example is shown in Fig. 2, which is a schematic diagram of generating a role decision binary tree according to a role expression in the present invention. The conversion principle is as follows: the entity attribute and entity attribute value of each atomic expression are converted into leaf nodes of the binary tree, the connectors are converted into branch nodes, and the nodes of the binary tree are arranged according to the priority adjustment. With the post-order traversal matching algorithm, the expression in the left subtree is always matched first, then the right subtree, and finally the root node. The final result determines whether the user belongs to the role corresponding to the role decision binary tree: if the final result is affirmative, the role of the accessing user is considered to be the role corresponding to the role decision binary tree; if the final result is negative, the role of the accessing user is considered not to be the role corresponding to the role decision binary tree. In Fig. 2, "${activeDate}", "${type}", "$status" and "${Login}" denote variables, "AND" denotes a logical AND operation, and "OR" denotes a logical OR operation.
The present invention also provides an embodiment that gives an example of controlling user permissions according to the user permission set after the user permission set corresponding to the role has been obtained. Fig. 3 is a flow diagram of embodiment two of the user permission control method of the present invention:
S301: The accessing user sends an access request for business function 1 to the unified permission interceptor.
S302: The unified permission interceptor obtains the user permission set and determines whether the user has permission to access business function 1; if not, S303 is executed; if so, S304 is executed.
The user permission set is usually represented as a set of URLs.
If the URL of the user's access request is not among the URLs of the user permission set, it is determined that the user does not have permission to access business function 1; if the URL of the user's access request is among the URLs of the user permission set, it is determined that the user has permission to access business function 1.
S303: The unified permission interceptor sends an indication of no access permission to the accessing user.
This step is optional; the fact that the accessing user cannot proceed to the next operation itself indicates that there is no access permission.
S304: The unified permission interceptor forwards the user's access request to the business function 1 module.
S305: The business function 1 module performs the business processing.
S306: The business function 1 module sends the response data for the access request to the accessing user.
Within one session, the role of the accessing user only needs to be determined once, during session establishment. After the session is established, the user can access multiple business functions, and the access permission for each business function is determined by the user permission set corresponding to the role determined during session establishment.
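The role decision binary tree, post-order matching, and unified permission interceptor check described above, sketched in Python as an added example (not code from the patent). The operators other than == and >, returning every matching role, the fail-closed handling of missing attributes, and the URL /points/redeem are assumptions made for illustration.

```python
import operator
import re
from collections import namedtuple

# "==" and ">" appear in the page's example; the other operators are assumed.
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}
TOKEN = re.compile(r"\s*(\(|\)|==|!=|>=|<=|>|<|'[^']*'|[\w.\-]+)")
Atom = namedtuple("Atom", "attr op value")      # leaf: attribute, operator, value
Branch = namedtuple("Branch", "op left right")  # branch: logical connector

def parse(expr):
    """Build the role decision binary tree; "and" binds tighter than "or"."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    tokens.reverse()                      # pop() now yields tokens in order

    def take():
        if not tokens:
            raise ValueError("unexpected end of expression")
        return tokens.pop()
    def primary():
        tok = take()
        if tok == "(":                    # priority adjustment symbol
            node = chain("or")
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        op, value = take(), take()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return Atom(tok, op, value.strip("'"))
    def chain(connector):
        operand = (lambda: chain("and")) if connector == "or" else primary
        node = operand()
        while tokens and tokens[-1] == connector:
            take()
            node = Branch(connector, node, operand())
        return node

    tree = chain("or")
    if tokens:
        raise ValueError(f"unexpected token {tokens[-1]!r}")
    return tree

def matches(node, attrs):
    """Post-order traversal: left subtree, then right subtree, then the node."""
    if isinstance(node, Atom):
        if node.attr not in attrs:        # missing attribute: fail closed
            return False
        actual = attrs[node.attr]
        actual = str(actual).lower() if isinstance(actual, bool) else str(actual)
        try:                              # numeric compare when both sides are numbers
            return OPS[node.op](float(actual), float(node.value))
        except ValueError:                # dates and status codes compare as text
            return OPS[node.op](actual, node.value)
    left = matches(node.left, attrs)
    right = matches(node.right, attrs)
    return (left and right) if node.op == "and" else (left or right)

# Expression and role from the page's "loyal user" example; the URL is constructed.
ROLE_TREES = {"loyal_user": parse(
    "login == true and subscriberType == 0 and activeDate > '2012-01-01' "
    "and (status == 'B01' or status == 'B02')")}
ROLE_PERMISSIONS = {"loyal_user": {"/points/redeem"}}

def resolve_roles(attrs):
    """Run once at session establishment; returns every role whose tree matches."""
    return {role for role, tree in ROLE_TREES.items() if matches(tree, attrs)}

def is_allowed(roles, url):
    """Interceptor check: allow only URLs in a matched role's permission set."""
    return any(url in ROLE_PERMISSIONS.get(role, ()) for role in roles)
```

Because the expression is tokenized and parsed rather than passed to an evaluator such as eval, a malformed or unexpected role expression raises ValueError at load time instead of executing.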
The above method of the present invention has the following advantages, among others. User roles do not need to be pre-configured, so the method is suitable for electronic business hall systems with a very large number of users. The correspondence between roles and user permission sets can be modified flexibly according to actual operational needs. When a user's attribute values change, the user's role changes in step to the role that matches the new attribute values, so developers no longer need to modify the role code corresponding to the user, which shortens the version release cycle and reduces operation and maintenance costs.
In the existing hard-coded approach, the access permission control code for each business function is written into the business function module itself, so the access permission control code is scattered across the business function modules. By contrast, the present invention uses a unified permission view, which facilitates the allocation and management of user permissions. Moreover, in the hard-coded approach, modifying the permission control code may make a business function module locally unstable and affect the reliable operation of the system, whereas the solution of the present invention requires no code changes and therefore does not affect the stability and reliability of the system. Furthermore, developers no longer need to write permission control code in each business function module; permissions are handled by a single body of permission configuration management code, which can be reused directly in other similar versions, improving the degree of product componentization.
Fig. 4 is a structural diagram of embodiment one of the user permission control device of the present invention. As shown in Fig. 4, the device of this embodiment includes an obtaining module 401, a matching module 402 and a control module 403. The obtaining module 401 is configured to obtain the user information of the accessing user, the user information including at least one attribute value; the matching module 402 is configured to match the at least one attribute value against role expressions to obtain the role of the accessing user; the obtaining module 402 is further configured to obtain the user permission set corresponding to the role, the user permission set including at least one business function; the control module 403 is configured to control user permissions according to the user permission set.
In the above embodiment, the matching module 402 is specifically configured to generate a role decision binary tree according to the role expression, and to match the at least one attribute value against the role decision binary tree using a post-order traversal matching algorithm to obtain the role of the accessing user.
In the above embodiment, the control module 403 is specifically configured to allow the user to access the business function if the business function the user accesses belongs to the user permission set, and to forbid the user to access the business function if the business function the user accesses does not belong to the user permission set.
In the above embodiment, the matching module 402 is specifically configured to match, in the session establishment phase, the at least one attribute value against the role expressions to obtain the role of the accessing user.
In the above embodiment, the obtaining module 402 is specifically configured to obtain the user permission set corresponding to the role according to the mapping table of roles and user permission sets.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 5 is a structural diagram of embodiment two of the user permission control device of the present invention. As shown in Fig. 5, the device of this embodiment includes a memory 501 and a processor 502. The memory 501 is configured to store the code for executing the user permission control method; the processor 502 is configured to call the code and perform the following operations:
obtaining the user information of the accessing user, the user information including at least one attribute value;
matching the at least one attribute value against role expressions to obtain the role of the accessing user;
obtaining the user permission set corresponding to the role, the user permission set including at least one business function;
controlling user permissions according to the user permission set.
In the above embodiment, the processor 502 is specifically configured to generate a role decision binary tree according to the role expression, and to match the at least one attribute value against the role decision binary tree using a post-order traversal matching algorithm to obtain the role of the accessing user.
In the above embodiment, the processor 502 is specifically configured to allow the user to access the business function if the business function the user accesses belongs to the user permission set, and to forbid the user to access the business function if the business function the user accesses does not belong to the user permission set.
In the above embodiment, the processor 502 is specifically configured to match, in the session establishment phase, the at least one attribute value against the role expressions to obtain the role of the accessing user.
In the above embodiment, the processor 502 is specifically configured to obtain the user permission set corresponding to the role according to the mapping table of roles and user permission sets.
The device of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, the program performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks, or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.