CN105991602A - Data access method and data access system - Google Patents

Abstract

The embodiment of the invention discloses a data access method and a data access system. The method comprises: a local authentication platform receives an access request sent by a local application belonging to a local authentication platform, and the access request carries a target authentication platform and the target application belonging to the target authentication platform; the local authentication platform generates a first roaming bill application request according to the access request; the first roaming bill application request is sent to the target authentication platform to allow the target authentication platform to generate a corresponding first roaming bill according to the application request in the first roaming bill; the local authentication platform receives the first roaming bill returned back by the target authentication platform; and the first roaming bill is sent to the local application to allow the local application to carry the first roaming bill for access the target application. The data access method performs roaming bill generation and forwarding through an authentication platform so as to effectively improve the roaming access speed between safety regions.

Description

Data access method and data access system

Technical field

The present invention relates to technical field of network security, particularly relate to the data access method between a kind of Multi-security domain and data Access system.

Background technology

Security domain refers to the interior character according to information of same system, the difference using the elements such as main body, Security Target and strategy The Different Logic subnet dividing or network, have inside each logic region identical safeguard protection demand, have identical Safe access control and boundary Control strategy, there is between logic region the relation of trusting each other, and identical security domain it Between share identical security strategy.

In prior art, when needing roaming access (i.e. cross-domain access is applied) between multiple security domains, general by overflowing Trip bill is centrally generated and forwards bill, specifically can be referring to shown in Fig. 1, and one roams the corresponding multiple security domains in bill center (accompanying drawing only showing two security domains as example), and this roaming bill central store has the application of each security domain corresponding The authentication information etc. of the resource number of resource, resource IP and account, thus (A security domain is referred to as at a security domain For access domain) in application have access in another security domain (B security domain, referred to as aiming field) application when, A Security domain needs first to roaming bill center application billing information, and this roaming bill center receives the authentication platform of A security domain The roaming ticket requests that sends simultaneously will roam bill and be forwarded to the authentication platform of A security domain accordingly；And then, A safety The authentication platform in territory carries the application that roaming bill accesses in B security domain on authentication platform, according to roaming bill B security domain Authentication platform to roaming bill center send verification application, this roaming bill center receive verification roaming bill verification Shen Please and carry out verifying certification to roaming bill, answering on authentication platform in A security domain after roaming bill verifies successfully Conduct interviews with the application entering in B security domain on authentication platform.

But, in existing roaming access method, if the authentication platform in multiple security domain needs to access other simultaneously In security domain during application on authentication platform, thus the certification in multiple security domain can only be received by roaming bill center and put down Platform sends request and the verification certification of roaming bill, may seriously cause at roaming bill central information bearing capacity and data Reason ability is significantly greatly increased, and then easily causes the reduction of roaming access speed and roaming bill central information bearing capacity excess load Cause the problems such as systemic breakdown.

Content of the invention

The embodiment of the present invention provides the data access method between a kind of Multi-security domain and data access system, existing to solve During having the roaming access between the security domain in technology, need to receive multiple security domain owing to roaming bill center simultaneously The request of interior authentication platform transmission roaming bill, and roam bill to generating and forwarding and the verification roaming bill is recognized Card, may cause roaming bill central information bearing capacity and data-handling capacity to be significantly greatly increased, and then easily causes roaming visit Ask that speed reduces and roaming bill central information bearing capacity excess load causes the problems such as systemic breakdown.

In order to solve above-mentioned technical problem, the embodiment of the invention discloses following technical scheme:

First aspect, the embodiment of the present invention provides a kind of data access method, comprising:

Receive locally applied the sent access request belonging to local authentication platform, in described access request, carry mesh Mark authentication platform and the intended application belonging to described target authentication platform；

Generate the first roaming bill application request according to described access request；

Send described first roaming bill application request to described target authentication platform, so that described target authentication platform root Generate the corresponding first roaming bill according to described first roaming bill application request；

Receive the first roaming bill that described target authentication platform returns；

Send described first roaming bill to described locally applied, locally applied carry the described first roaming ticket so that described According to the described intended application of access.

In conjunction with first aspect, in the first possible implementation of first aspect, described data access method also includes:

Receiving the second roaming bill application request that the 3rd authentication platform sends, described second roaming bill application request is institute State what the 3rd authentication platform generated according to the sent access request of the 3rd application belonging to described 3rd authentication platform；

According to described second roaming bill application request, generate the corresponding second roaming bill；

Send described second roaming bill to described 3rd authentication platform, so that described 3rd authentication platform is by described second Roaming bill sends to described 3rd application, and described 3rd application carry the described second roaming bill access described this locality should With.

In conjunction with the first possible implementation of first aspect, in the possible implementation of first aspect the second, described Data access method also includes:

Receiving the certification request of locally applied transmission, described certification request accesses described for locally applied according to the 3rd application The second roaming bill that ground application is carried generates；

According to described certification request verification certification, second roams bill, and described 3rd application accesses described this locality and answers With.

In conjunction with the first possible implementation of first aspect, in the third possible implementation of first aspect, described Generate the corresponding second roaming bill, comprising:

Search and confirm the type of the described second roaming bill application request；

Ask corresponding money according to the described second roaming bill application that described type search local authentication platform internal memory stores up Source information；

Search according to described resource information and draw the corresponding second roaming bill.

In conjunction with the possible implementation of first aspect the second, in the 4th kind of possible implementation of first aspect, described The second roaming bill according to verification certification is asked in described certification, and described 3rd application access is described locally applied, bag Include:

Judge whether the described second roaming bill verifies certification success, and send verification authentication result to the 3rd application；

If described second roaming bill verification certification success, then described 3rd application redirect access described locally applied；

If described second roaming bill verification authentification failure, return identity authentication error data, and should by the described 3rd With jumping to authentication wrong data.

Second aspect, the embodiment of the present invention provides a kind of data access system, comprising:

Access request receiver module, for receiving locally applied the sent access request belonging to local authentication platform, Carry target authentication platform in described access request and belong to the intended application of described target authentication platform；

Ticket requests generation module, for generating the first roaming bill application request according to described access request；

Ticket requests sending module, for putting down the generate first roaming bill application request transmission to described target authentication Platform；

Roaming ticket recipient module, for receiving the first roaming bill that described target authentication platform returns；

First roaming bill sending module, sends to belonging to local authentication platform for the first roaming bill that will receive Locally applied.

In conjunction with second aspect, in the first possible implementation of second aspect, described data access system also includes:

Ticket requests receiver module, for receiving the second roaming bill application request that the 3rd authentication platform sends, described the Two roaming bill application requests are sent out according to the 3rd application belonging to described 3rd authentication platform by described 3rd authentication platform The access request sent generates；

Roaming bill generation module, for according to described second roaming bill application request, generating the corresponding second roaming ticket According to；

Second roaming bill sending module, sends to described 3rd authentication platform for roaming bill by described second, so that Described 3rd authentication platform sends described second roaming bill to described 3rd application, and described 3rd application is carried described Second roaming bill accesses described locally applied.

In conjunction with the first possible implementation of second aspect, in the possible implementation of second aspect the second, described Data access system also includes:

Receiver module is asked in certification, and for receiving the certification request of locally applied transmission, described certification request is locally applied Access what described locally applied the second roaming bill carrying generated according to the 3rd application；

Verification authentication module, for the second roaming bill according to described certification request verification certification, and the described 3rd should Described locally applied with accessing.

In conjunction with the first possible implementation of second aspect, in the third possible implementation of second aspect, described Roaming bill generation module includes:

First lookup unit, for searching and confirming the type of the described second roaming bill application request；

Second lookup unit, for the described second roaming bill Shen stored up according to described type search local authentication platform internal memory Please ask corresponding resource information；

Roaming bill acquiring unit, draws the corresponding second roaming bill for searching according to described resource information.

In conjunction with the possible implementation of second aspect the second, in the 4th kind of possible implementation of second aspect, described Verification authentication module includes:

Judging unit, is used for judging whether the described second roaming bill verifies certification success, and sends verification authentication result To the 3rd application；

First jump-transfer unit, if for described second roaming bill verification certification success, then described 3rd application redirects visit Ask described locally applied；

Second jump-transfer unit, if for described second roaming bill verification authentification failure, returning an identity authentication error number According to, and described 3rd application is jumped to authentication wrong data.

The data access method being provided from above technical scheme, the embodiment of the present invention, in this locality of local authentication platform When application accesses the intended application of target authentication platform, local authentication platform receives from locally applied access intended application Access request, this access request carries target authentication platform and intended application, it is simple to local authentication platform generates correspondence First roaming bill application request of intended application, and send to corresponding target authentication platform, so that target authentication platform Generate the corresponding first roaming bill according to the first roaming bill application request receiving and the first roaming bill is back to Local authentication platform；Local authentication platform receive return first roaming bill after send it to locally applied, by this Ground application is carried this first roaming bill and is accessed intended application.The data access method being provided by the application, belongs to this When the locally applied needs of ground authentication platform access the intended application of different security domain, can be direct by local authentication platform Send the first roaming bill application request of corresponding access request to target authentication platform, thus receive by target authentication platform The the first roaming bill generating according to the first roaming bill application request, and to carry the first roaming bill direct by locally applied Access intended application.Thus it is prevented effectively from when carrying out roaming access between multiple security domain, the local authentication in each security domain Platform needs to carry out roaming ticket requests to bill roaming center respectively, thus increases the burden at bill roaming center, reduces The speed that security domain internetwork roaming accesses.

Further, in the data access method that the application provides, local authentication platform can receive the 3rd authentication platform It (is different from the 3rd authentication platform of local authentication platform and target authentication platform, and this three authentication platforms are respectively positioned on difference Security domain) the 3rd application that the 3rd authentication platform generates that belongs to that sends accesses the locally applied second roaming bill Shen Please ask, meanwhile, generate the corresponding second roaming bill according to the second roaming bill application request, and by this second roaming Bill forwards and sends to the 3rd authentication platform.Generated by the authentication platform in security domain and forward in requisition for access The roaming bill of application, thus avoid prior art being concentrated through roam the side that bill was centrally generated and forwarded roaming bill Formula, greatly reduces the data process load at roaming bill center, it is to avoid roaming bill central concentrated load is easily caused more greatly safety Cannot be carried out roaming access between territory, and effectively improve the speed of roaming access between security domain.

In addition, in the data access method of the application offer, local authentication platform is receiving carrying of locally applied generation After having the certification request of roaming bill, the roaming bill that meeting is carried when asking and access locally applied according to certification to the 3rd application Carry out verifying certification, and after verification certification success, it is locally applied that the 3rd application redirects access.Implemented by the application Example, can make authentication platform in security domain to needing the locally applied roaming carried belonging to this authentication platform that accesses Bill carries out verifying certification, it is to avoid be authenticated unified for certification request transmission to bill roaming center, and by authentication result Situation about being forwarded by authentication platform, thus saved data transmission stream journey, improve roaming access speed.

Brief description

In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing In technology description, the accompanying drawing of required use is briefly described, it should be apparent that, for those of ordinary skill in the art Speech, on the premise of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.

The schematic flow sheet of one embodiment of the data access method that Fig. 1 provides for the present invention；

The schematic flow sheet of another embodiment of the data access method that Fig. 2 provides for the present invention；

The schematic flow sheet of another embodiment of the data access method that Fig. 3 provides for the present invention；

The schematic flow sheet of another embodiment of the data access method that Fig. 4 provides for the present invention；

The schematic flow sheet of another embodiment of the data access method that Fig. 5 provides for the present invention；

The application structure schematic diagram of the data access method that Fig. 6 provides for the embodiment of the present invention；

The structural representation of one embodiment of the data access system that Fig. 7 provides for the present invention；

The structural representation of another embodiment of the data access system that Fig. 8 provides for the present invention；

The structural representation of another embodiment of the data access system that Fig. 9 provides for the present invention；

The structural representation of another embodiment of the data access system that Figure 10 provides for the present invention；

The structural representation of another embodiment of the data access system that Figure 11 provides for the present invention.

Detailed description of the invention

For the technical scheme making those skilled in the art be more fully understood that in the present invention, implement below in conjunction with the present invention Accompanying drawing in example, is clearly and completely described to the technical scheme in the embodiment of the present invention, it is clear that described reality Executing example is only a part of embodiment of the present invention, rather than whole embodiments.Based on the embodiment in the present invention, ability The every other embodiment that territory those of ordinary skill is obtained under the premise of not making creative work, all should belong to this The scope of invention protection.

See Fig. 1, for the schematic flow sheet of a kind of data access method that the embodiment of the present invention provides.

As it is shown in figure 1, the data access method that disclosure embodiment provides includes:

Step S101: receive locally applied the sent access request belonging to local authentication platform, described access request Inside carry target authentication platform and belong to the intended application of described target authentication platform；

Local authentication platform and target authentication platform all can be located in different security domains in implementation process, locally applied return Belonging to local authentication platform, intended application belongs to target authentication platform；In the present embodiment, with this local authentication platform The security domain at place is access domain, with the security domain at target authentication platform place as aiming field, is i.e. recognized by belonging to this locality The locally applied access of card platform belongs to the intended application of target authentication platform.During conducting interviews, locally applied The access instruction that user sends can be received, thus locally applied by the access instruction generation access request according to user, should Access request carries the target authentication platform needing to access and the intended application belonging to target authentication platform, specifically, Access request carries the specifying information of target authentication platform and intended application, so that local authentication platform receives this access Request, it is simple to local authentication platform can generate corresponding roaming bill application request according to the access request receiving, and Roaming bill application request is sent to corresponding authentication platform exactly.

Step S102: generate the first roaming bill application request according to described access request；

Wherein, in the data access method that the present embodiment provides, local authentication platform can carry mesh according to receive Mark authentication platform and the access request of intended application belonging to target authentication platform, generate the corresponding to access request One roaming bill application request；Concrete, target authentication platform and belong to the intended application of target authentication platform and pass through IP address etc. is identified, consequently facilitating the first roaming bill application request that local authentication platform can directly will generate. The concrete mode generating the first roaming bill application request does not elaborate in embodiments of the present invention.

Step S103: send described first roaming bill application request to described target authentication platform, so that described target Authentication platform generates the corresponding first roaming bill according to described first roaming bill application request；

Wherein, after local authentication platform generates the first roaming bill application request, this local authentication platform is according to the first roaming The corresponding target authentication platform of bill application request, local authentication platform sends the first roaming bill application request to target Authentication platform, is received this first roaming bill application request by target authentication platform, and by target authentication platform according to first Roaming bill application request generates the first corresponding roaming bill.

Target authentication platform and belong to the intended application of target authentication platform and be identified by IP address etc., thus It is easy to local authentication platform can directly the first roaming bill application request transmission generating be put down to correct target authentication Platform, and according to the IP address of intended application, enable target authentication platform to generate first corresponding with intended application and overflow Trip bill, the information carrier with authentication role that this first roaming bill is formed for form according to the rules, money can be included Source information, authentication information, timestamp and password etc..

Step S104: receive the first roaming bill that described target authentication platform returns；

Wherein, send the first roaming bill application request generating to target authentication platform, target at local authentication platform Authentication platform generates the corresponding first roaming bill and forwards transmission to local authentication platform；Local authentication platform receive this One roaming bill.Wherein, the embodiment of corresponding target authentication platform generation the first roaming bill does not enters in the present embodiment Row elaborates.

Step S105: send described first roaming bill to described locally applied so that described locally applied carry described First roaming bill accesses described intended application；

In order to ensure locally applied can directly to access intended application, this first roaming bill is sent extremely by local authentication platform Locally applied.In implementation process, locally applied receive the first roaming bill after, locally applied carry this first roaming Bill directly accesses intended application, owing to the first roaming bill represents the authentication information of locally applied access intended application, Therefore, when intended application receives the locally applied access carrying the first roaming bill, intended application can be according to first The information of roaming bill sends corresponding certification asks to target authentication platform, it is simple to target authentication platform is to the first roaming ticket According to carrying out verifying certification, so that locally applied can redirect access intended application.

It should be noted that in the data access method that the embodiment of the present invention provides, local authentication platform is stored with ownership The resource information of all application of Internet access in local authentication platform, and the resource information pair according to application that is stored with Roaming bill after should changing；Target authentication platform is stored with and belongs to all application of Internet access in target authentication platform Resource information, and the roaming bill after the resource information corresponding conversion according to this application that is stored with.Pass through local authentication Platform and target authentication storage belong to the corresponding bill of application in self platform, consequently facilitating under belonging to self platform Application be accessed in the case of, self platform can corresponding generate roaming bill.

In addition, in the present embodiment, also can be with switched access between this local authentication platform and target authentication platform, i.e. originally Security domain belonging to authentication platform for the ground is aiming field, and the security domain belonging to target authentication platform is access domain, belongs to target The intended application of authentication platform also cross-domain access can belong to locally applied (now, the local authentication of local authentication platform Platform is the target platform needing to access), this locality that the embodiment of this target authentication platform proposes with above-described embodiment is recognized The embodiment of card platform is identical, and specific embodiment is no longer described in detail in the present embodiment.

Use the data access method that the embodiment of the present invention provides, owing to local authentication platform is able to receive that belonging to this locality recognizes The access request of the locally applied transmission of card platform, thus generate roaming bill application request according to access request, this locality is recognized Card platform directly sends roaming bill application request to the target authentication platform that can generate roaming bill, and is directly connecing Send extremely locally applied, so that locally applied carry the first roaming after receiving the first roaming bill that target authentication platform returns Bill accesses intended application.The data access method being provided by the present embodiment such that it is able to remove bill roaming center, Directly being sent by carrying out roaming bill between two authentication platforms and receiving, being prevented effectively from bill roaming center needs to receive The roaming bill application that in all security domains, authentication platform sends is asked and the corresponding process generating and forwarding roaming bill, Can be directly by carrying out roaming the life of the transmission of bill application request and roaming bill between the authentication platform in security domain Become, forward, thus accelerate data access speed.

See Fig. 2, show the schematic flow sheet of the another kind of data access method that the embodiment of the present invention provides.

As in figure 2 it is shown, the data access method that the embodiment of the present application provides includes:

Step S201: receive the second roaming bill application request that the 3rd authentication platform sends, described second roaming bill Shen Please ask to apply sent access request by described 3rd authentication platform according to the belong to described 3rd authentication platform the 3rd Generate；

In the data access method that the embodiment of the present application provides, the 3rd authentication platform is in the present embodiment for being different from this locality Another authentication platform of authentication platform and target authentication platform, the 3rd authentication platform is as the authentication platform of access domain, originally Ground authentication platform is as the authentication platform of aiming field, thus in implementation process, belong to the 3rd authentication platform the 3rd should Carry, with the access instruction receiving user generation, the local authentication platform needing to access and locally applied access please Asking, this access request is sent by the 3rd application, is received this access request by the 3rd authentication platform, and please according to accessing Seek survival into corresponding to needing the second locally applied roaming bill application request accessing, by the second roaming bill application request Send to local authentication platform.

Wherein, local authentication platform internal memory contains the locally applied resource letter belonging to local authentication platform, Internet access Breath, and the roaming billing information becoming according to resource information corresponding conversion, thus local authentication platform receives the second roaming After bill application request, owing to the second roaming bill application request is for needing to access locally applied access according to the 3rd application Request generates, and therefore, the second roaming bill application request carries local authentication platform and locally applied mark (for example IP address etc.) so that local authentication platform can directly generate corresponding second according to the second roaming bill application request and overflow Trip bill, and forward transmission to the 3rd authentication platform by local authentication platform；And then, the 3rd authentication platform receives After two roaming bills, send the second roaming bill to the 3rd application, after the 3rd application receives the second roaming bill, should 3rd application is carried the second roaming bill and is directly accessed locally applied.

It should be noted that the 3rd application carry the second roaming bill directly access locally applied during, need to the The second roaming bill that three application are carried carries out bill verification certification, does not make at the present embodiment for bill verification certification Many elaborations, can be referring to the description of other related embodiment once.

Step S202: according to described second roaming bill application request, generate the corresponding second roaming bill；

The application request that second roaming bill application request sends for the 3rd authentication platform in step S201, wherein, second That roaming bill application request is mainly used in asking to belong to is that the 3rd application of the 3rd authentication platform needs to access, belong to this The locally applied roaming bill (locally applied authentication information) of ground authentication platform, thus, local authentication platform root According to the second roaming bill application request, generate the second roaming bill corresponding to the second roaming bill application request.

Concrete, it with reference to Fig. 3, show the schematic flow sheet of the another kind of data access method that the embodiment of the present application provides, Specifically, local authentication platform generates the schematic flow sheet of the second roaming bill.

As it is shown on figure 3, the method that the local authentication platform that the embodiment of the present application provides generates the second roaming bill includes:

Step S2021: search and confirm the type of the described second roaming bill application request；

The type of the roaming bill application request that the local authentication platform in the embodiment of the present application offer is stored with different, specifically The the second roaming bill accessing can be needed corresponding locally applied for what application request was carried, thus by the second roaming bill Application request determine need to access locally applied (belonging to local authentication platform locally applied has multiple application, often The corresponding IP address of individual application is different, accordingly, it would be desirable to which application confirms is).

Step S2022: the described second roaming bill application request stored up according to described type search local authentication platform internal memory Corresponding resource information；

Wherein, it is provided with the resource letter of the application of the Internet access belonging in local authentication platform in local authentication platform Breath, thus after step S2021 confirms the type of the second roaming bill application request, local authentication platform is according to confirmation 3rd application needs the locally applied of access, searches and draw the described second roaming bill application request in local authentication platform Corresponding resource information, and then generate the second roaming bill according to resource information；

If it should be noted that locally applied not the having the right in the storage of local authentication platform internal memory that local authentication platform confirms In the row of the application accessing, then it represents that authentication mistake or the 3rd application do not access locally applied authority；Otherwise turn To step S2023.

Step S2023: search according to described resource information and draw the corresponding second roaming bill；

Wherein, owing to local authentication platform can directly generate corresponding according to the resource information of the application of the Internet access of storage Roaming bill, and by corresponding roaming bill be stored in local authentication platform, thus step S2022 search draw After the resource information of corresponding second roaming bill application request, search corresponding roaming bill according to this resource information, It is the second roaming bill.

Belonged to the resource information of the application of local authentication platform Internet access, Yi Jizi by this local authentication platform storage The roaming bill of source information corresponding conversion, it is simple to local authentication platform can quickly generate unrestrained according to roaming bill application request Trip bill, and can accelerate to generate the speed of roaming bill by way of searching, effectively improve the speed of roaming access.

Step S203: send described second roaming bill to described 3rd authentication platform, so that described 3rd authentication platform Send described second roaming bill to described 3rd application, and described 3rd application is carried the described second roaming bill and accessed Described locally applied；

Wherein, after local authentication platform generates the second roaming bill, can be right according to sending the second roaming bill application request Second roaming bill is forwarded and sends to the 3rd authentication platform, it is simple to the 3rd authentication platform receives by the 3rd authentication platform answered The second roaming bill corresponding with the second roaming bill application request of feedback；So that the 3rd authentication platform overflows second Trip bill is sent to the 3rd application, and the 3rd application is carried the second roaming bill and directly accessed locally applied.

It should be noted that in this application, the 3rd authentication platform is also stored with and belongs to the 3rd authentication platform and have the right It is accessed for the resource information of application, and the roaming bill according to resource information corresponding conversion；And, the 3rd certification Platform also can be conducted interviews by other application as aiming field, and detailed description of the invention can be put down referring to related local authentication The embodiment of platform.

Using the data access method that the embodiment of the present invention provides, local authentication platform can receive the 3rd authentication platform and send out The 3rd application belonging to the 3rd authentication platform generation sent accesses the second locally applied roaming bill application request, simultaneously Generate the corresponding second roaming bill and be forwarded to the 3rd authentication platform.By embodiments herein, local authentication Platform can generate and forward corresponding roaming bill, belongs in local authentication platform owing to local authentication platform is stored with Have the right to be accessed for the resource information of application and the corresponding roaming bill changed, thus avoid bill roaming center to need to concentrate Storage belongs to the resource information having the right to be accessed for application of authentication platform in each security domain, reduces bill roaming center Data-handling capacity, accelerate the speed belonging to mutual cross-domain access between the application of authentication platform between security domain simultaneously Degree.

See Fig. 4, show the another kind of data access method that the embodiment of the present invention provides.

As shown in Figure 4, local authentication platform, target authentication platform and the 3rd authentication platform providing in the embodiment of the present invention All can directly carry out verifying certification to roaming bill, it is to avoid local authentication platform, target authentication platform and the 3rd certification are put down Platform needs to send the certification request of roaming bill to outside, as carried out verifying certification by bill roaming center, reduces behaviour Make flow process, effectively improve data access speed.In the present embodiment, with local authentication platform, school is carried out to the second roaming bill As a example by testing certification, and in implementation process, each of the above authentication platform (local authentication platform, target authentication platform and Three authentication platforms) be respectively positioned in different security domains, then data access method includes:

Step S301: receive the certification request of locally applied transmission, described certification request is applied according to the 3rd for locally applied Access what described locally applied the second roaming bill carrying generated；

Wherein, as a example by local authentication platform, belong to the 3rd of the 3rd authentication platform and apply cross-domain access to belong to this locality Authentication platform locally applied, receive in the 3rd application and the second roaming bill that the 3rd authentication platform sends (is used for energy Enough access locally applied authentication information) after, the 3rd application can be carried the second roaming bill and directly be accessed locally applied； Be positioned at different security domain due to locally applied from the 3rd application, then locally applied receiving carries the second roaming bill In the case that 3rd application accesses, locally applied needs confirms whether the 3rd application has access rights, second i.e. carrying Whether the authentication of roaming bill, policy validation or Authority Verification etc. are qualified；Therefore, locally applied needs should to this locality Send the certification request about the second roaming bill with the local authentication platform of ownership.

Due to local authentication platform internal memory contain belong to local authentication platform have the right be accessed for application resource information, And the roaming bill of resource information corresponding conversion, then local authentication platform is asked in the certification receiving locally applied transmission After, according to the second roaming bill, in the roaming bill or resource information of the storage of local authentication platform internal memory, search corresponding money Whether source information is identical with the second roaming bill, thus carries out verifying certification to the second roaming bill.

Step S302: second roams bill according to verification certification is asked in described certification, and described 3rd application accesses institute State locally applied；

Owing to carrying the second roaming bill when the 3rd application accesses locally applied, this is locally applied receives the 3rd application During access, corresponding certification can be generated according to the second roaming bill and ask and send to local authentication platform；Due to certification Request carries the information of the related second roaming bill, then local authentication platform carries the second roaming ticket according to receive According to certification request after, carry out verifying certification to the second roaming bill, and send verification authentication result to locally applied.

Concrete, see Fig. 5, show in step S302 and carry out verifying the flow process of verification process to the second roaming bill and show It is intended to.

As shown in Figure 5, it is known that step S302 farther includes:

Step S3021: judge whether the described second roaming bill verifies certification success, and verification authentication result is sent extremely 3rd application；

Wherein, local authentication platform is stored with the letter roaming bill changed according to the resource information that Internet access is applied Breath, therefore, after local authentication platform receives the certification request carrying the second roaming bill of locally applied transmission, The roaming bill related to the second roaming bill is searched in the roaming billing information of local authentication platform internal memory storage；And should The second roaming bill that roaming bill and certification request are carried is compared, and overflows with second if had in local authentication platform The identical roaming bill of trip bill, then it represents that the second roaming bill verifies successfully, then the 3rd application has access locally applied Authority；If not roaming the identical roaming bill of bill in local authentication platform with second, then it represents that the second roaming ticket According to verifying unsuccessfully, then the 3rd application does not access locally applied authority.Meanwhile, roam to second at local authentication platform After bill carries out verification certification, send the result of verification certification to the 3rd application.

In implementation process, this second roaming bill as a example by eight-digit binary number character string, then can be deposited in local authentication platform The roaming bill of the application of 0-255 Internet access of storage, if this second roaming bill is 01011001, then needs 0-255 roaming bill searches whether comparison has identical character string, if having identical character string, then it represents that the Two roaming bills verify successfully, and otherwise, the second roaming bill verifies unsuccessfully；These are only the illustration to roaming bill, The form of this roaming bill is not limited to the embodiment mentioned in the present embodiment.

Step S3022: if described second roams bill verification certification success, then described 3rd application redirects described in access Locally applied；

After step S3021 carries out verification certification to the second roaming bill, obtain the verification authentication result being related to, if Fruit verification certification success, then local authentication platform will be sent to the successful feedback information of locally applied verification, the i.e. the 3rd application Authentication success, has and accesses locally applied authority, then can directly to redirect access locally applied in the 3rd application.

Step S3023: if described second roaming bill verification authentification failure, return identity authentication error data, and Described 3rd application is jumped to authentication wrong data；

Wherein, after verifying authentification failure to the second roaming bill in step S3021, the i.e. the 3rd application does not have access this locality The authority of application, then cannot directly redirect access this is locally applied in the 3rd application；Meanwhile, for the ease of reminding user, just Can intuitively observe in user, then local authentication platform returns an identity authentication error information, and the 3rd application then jumps to body The page of part authentication error.

Use the data access system that the embodiment of the present invention provides, can be by this local authentication platform directly to carrying roaming Bill certification request carry out verify certification, and verification authentication result is sent directly to locally applied in, thus avoid show Have in technology, in the case of carrying out verification certification to roaming bill, need to send the certification request carrying roaming bill Roam center to bill, and forward certification request and authentication result by local authentication platform.Therefore, bill is not only removed Roaming center, and, when realizing roaming access, only raw by carrying out bill between the authentication platform in two security domains Become, bill forwards and bill identification, effectively improves access speed, reduces the access time.

It should be noted that above example only carries out as a example by local authentication platform the description of embodiment, but, In implementation process, this target authentication platform and the 3rd authentication platform are all identical with the function and structure of local authentication platform, It is identical with local authentication platform embodiment in implementation process, and detailed description of the invention can be referring to above example, at this No longer elaborate.

By the description of above embodiment of the method, those skilled in the art is it can be understood that can borrow to the present invention The mode helping software to add required general hardware platform realizes, naturally it is also possible to by hardware, but a lot of in the case of the former It is more preferably embodiment.Based on such understanding, prior art is substantially made by technical scheme in other words The part of contribution can embody with the form of software product, and this computer software product is stored in a storage medium, Including some instructions are with so that a computer equipment (can be personal computer, server, or the network equipment etc.) Perform all or part of step of method described in each embodiment of the present invention.And aforesaid storage medium includes: read-only storage The various media that can store program code such as device (ROM), random access memory (RAM), magnetic disc or CD.

Corresponding with the data access method embodiment that the present invention provides, present invention also offers a kind of data access system Embodiment.

See Fig. 6, show the structural representation of the data access method application process that the embodiment of the present invention provides, such as figure Shown in 6, locally applied 40 belong to local authentication platform 10, and intended application 50 belongs to target authentication platform 20, the Three application 60 belong to the 3rd authentication platform 30, and, this local authentication platform the 10th, target authentication platform the 20th, the 3rd Authentication platform 30 can be respectively positioned on different security domains, thus the access between applying is cross-domain, roaming access.Its In, the function that each authentication platform is arranged is all identical, and the security domain that i.e. each authentication platform is positioned at both can be as access The application of other security domains of domain browsing, it is also possible to accessed by the application of other security domains as aiming field.In the present embodiment, It is described in detail with the system architecture that data access system is arranged on local authentication platform 10.

See Fig. 7, show the structural representation of a kind of data access system that the embodiment of the present invention provides, specially set Put the data access system on local authentication platform.As it is shown in fig. 7, this data access system includes:

Access request receiver module 11: this access request receiver module 11 is for receiving the basis belonging to local authentication platform The sent access request of ground application, specially locally applied access belongs to the access request of the application of another authentication platform, Wherein, as a example by local authentication platform and target authentication platform, it is known that, it is arranged on the access request on local authentication platform Receiver module 11 is for receiving the access request of the locally applied access intended application of locally applied generation.

Ticket requests generation module 12: this ticket requests generation module 12 receives according to access request receiver module 11 Access request generation is corresponding with access request roams bill application request, so that roaming bill application request sends to another On authentication platform；Wherein, as a example by local authentication platform and target authentication platform, this access request is locally applied for carrying Need the request of the identification information of target authentication platform and the intended application accessing, so that this ticket requests generation module 12 Corresponding this roaming bill application of generation can ask, and roaming bill application request includes the target needing transmission to reach and recognizes The mark of card platform, it is simple to directly send roaming bill application request to target authentication platform.

Ticket requests sending module 13: after ticket requests generation module 12 generates roaming bill application request, due to life The target that belongs to that the roaming bill application request becoming carries the locally applied needs access belonging to local authentication platform is recognized The address (such as the IP address etc. of the target authentication platform that intended application is belonged to) of the intended application of card platform, then bill please Sending module 13 is asked to send roaming bill application request to the target authentication platform of intended application ownership, it is simple to target authentication Platform generates corresponding roaming bill according to roaming bill application request.Wherein, target authentication platform generates roaming bill Method can be referring to other related embodiment.

Roaming ticket recipient module 14: bill application request will be roamed at ticket requests sending module 13 and send to accordingly After target authentication platform, target authentication platform according to roaming bill application request generate corresponding first roaming bill and will First roaming bill is forwarded to local authentication platform, receives this first roaming bill by this roaming ticket recipient module 14, And the first roaming bill is sent extremely locally applied.

First roaming bill sending module 15, receives what target authentication platform sent for roaming ticket recipient module 14 After first roaming bill, corresponding first roaming bill is sent extremely locally applied by this first roaming bill sending module 15, And first roaming bill and locally applied generation need the access request of access intended application corresponding.

Use the data access system that the present embodiment provides, by including that access request receiver module the 11st, ticket requests generates The 13rd, module the 12nd, ticket requests sending module roams ticket recipient module 14 and first and roams bill sending module 15, energy Enough according to the locally applied access request needing the intended application accessing to generate, roam accordingly to target authentication platform request Roaming bill is simultaneously forwarded to locally applied by bill, so that locally applied directly access intended application；Pass through the present embodiment The application of the roaming bill being capable of between authentication platform, it is to avoid roaming bill center focuses on.

See Fig. 8, show the structural representation of data access system that the embodiment of the present invention provides, in the present embodiment, Still as a example by local authentication platform, this data access system is arranged on local authentication platform, and specially data access system is raw Become roaming bill and forward the system architecture of roaming bill.The present embodiment is described in detail as a example by local authentication platform, Wherein, cross-domain access is applied to belong to the locally applied of local authentication platform by belong to the 3rd authentication platform the 3rd.

As shown in Figure 8, the data access system that the present embodiment provides includes:

Ticket requests receiver module 21: the roaming bill application sending for receiving the 3rd authentication platform is asked, so that this Ground authentication platform can generate corresponding roaming bill according to the roaming billing information that roaming bill application request is carried.

Roaming bill generation module 22: after ticket requests receiver module 21 receives roaming bill application request, should Roaming bill generation module 22 generates second corresponding with roaming bill application request according to roaming bill application request and overflows Trip bill, owing to roaming bill application request carries the locally applied address information that the 3rd application needs to access, then overflows The trip direct roaming bill searched on local authentication platform corresponding thereto of bill generation module 22.

Wherein, Fig. 9 is seen, the concrete structure schematic diagram of shown roaming bill generation module 22, as it is shown in figure 9, should Roaming bill generation module 22 also includes:

First lookup unit 221: this first lookup unit 221 is for searching the unrestrained of this ticket requests receiver module 21 reception The type of trip bill application request；Wherein, this locality that the 3rd application carried according to the second roaming bill application request accesses The IP address etc. of application, searches the type of the second roaming bill application request, thus according to the second roaming bill application request Type draw roaming bill.

Second lookup unit 222: this second lookup unit 222 is for looking into according to the type of the second roaming bill application request The the described second roaming bill application looking for local authentication platform internal memory to store up asks corresponding resource information, so that it is determined that the 3rd should By the locally applied address information etc. needing access；

Wherein, in specific implementation process, being provided with memory cell in local authentication platform, this memory cell is mainly used in Storage has the right in belonging to local authentication platform to be accessed for the resource information of application and according to resource information corresponding conversion Roaming bill；Thus, after this first lookup unit 221 finds the type of roaming bill application request, can basis The type of roaming bill application request, is confirmed address locally applied in local authentication platform by the second lookup unit 221, And then search corresponding locally applied resource information.This memory cell can store related application with the form of database Resource information and roaming bill, it is simple to this first lookup unit 221 and roaming bill acquiring unit 223 are called, are searched.

Roaming bill acquiring unit 223: find basis corresponding with roaming bill application request at the first lookup unit 221 After the resource information of ground application, corresponding with corresponding second roaming bill by locally applied resource information, then this roaming ticket Can directly obtain the corresponding second roaming bill of locally applied resource information according to acquiring unit 223.

Second roaming bill sending module 23: this second roaming bill sending module 23 is at roaming bill generation module 22 After generating the second roaming bill, the second roaming bill is forwarded and sends to the 3rd authentication platform, so that the 3rd authentication platform The the second roaming bill receiving is sent to the 3rd application so that the 3rd application is carried the second roaming bill and directly accessed this Ground application；Wherein, the detailed description of the invention of this second roaming bill sending module 23, no longer elaborates at this, can join See above-mentioned related embodiment.

Use the data access system that the present embodiment provides, can be by this roaming bill generation module 22 according to roaming ticket Generate the corresponding second roaming bill according to application request, and forwarded transmission to recognize to the 3rd by the second roaming bill sending module 23 Card platform, thus in realizing authentication platform, can generate and forward roaming bill, it is to avoid must be by roaming ticket in prior art According to being centrally generated and forward roaming bill, thus effectively improve roaming access speed.

See Figure 10, show the structural representation of another data access system that the embodiment of the present invention provides, with this locality As a example by authentication platform, this data access system is arranged on this local authentication platform, is specially this local authentication platform to unrestrained Trip bill carries out verifying the structural representation of certification.

As shown in Figure 10, the data access system that the present embodiment provides includes:

Receiver module 31 is asked in certification: receive, at the 3rd authentication platform, the roaming bill that local authentication platform generates, forwards After, roaming bill is sent to the 3rd application by the 3rd authentication platform, and the 3rd application is carried roaming bill and accessed local answering With, locally applied receive carry roaming bill the 3rd application access after, locally applied according to roaming bill generate The certification carrying roaming bill is asked and sends to local authentication platform, thus is received by this certification request receiver module 31 This carries the certification request of roaming bill；Wherein, certification request receiver module 31 can be proposition in above-described embodiment Access request receiver module 11, detailed description of the invention can be referring to above-mentioned related embodiment, and in this not go into detail.

Verification authentication module 32: this verification authentication module 32 carries second according to what certification request receiver module 31 received The certification request of roaming bill, carries out verifying certification to the second roaming bill, concrete, can be according to roaming bill in this locality Authentication platform is searched storage belong to local authentication platform in have the right to be accessed for the roaming bill of application, and with reception To the second roaming bill contrast, send this comparison result to locally applied, so that locally applied can be according to check results Determine whether the 3rd application can redirect access locally applied.

Wherein, this verification authentication module 32 by that local authentication platform is stored, belong to local authentication platform in have The locally applied roaming bill that power is accessed by the 3rd application is inquired about, and with above-mentioned certification request, this roaming bill is received mould According to comparison result, the second roaming bill comparison carried in the access request that block 31 receives, judges whether the 3rd application has Access locally applied authority；If both are consistent, then verify certification success；If both are inconsistent, then verify certification Failure.

Concrete, see Figure 11, show the concrete structure schematic diagram of verification authentication module 32, as shown in figure 11, be somebody's turn to do Verification authentication module 32 includes:

Judging unit 321: for judging roaming bill that local authentication platform internal memory stores up by this verification authentication module 32 and recognizing The second roaming bill that the certification request that card request receiver module 31 receives is carried is compared result, thus judge this second Roam whether bill verifies certification success, and verification authentication result is sent extremely locally applied；Wherein, both comparisons are identical In the case of, the second roaming bill verification certification success, in the case that both comparisons are different, the second roaming bill verification is recognized Demonstrate,prove unsuccessfully.

First jump-transfer unit 322: receive this second roaming bill verification successful school of certification that this judging unit 321 sends Test authentication result, thus this successful result of verification certification is sent extremely locally applied；

Wherein, the successful result of verification certification that this first jump-transfer unit 322 sends carries the 3rd application and accesses this locality The access information of application, then redirect access this is locally applied in the 3rd application.

Second jump-transfer unit 323: if for the second roaming bill verification authentification failure, returning an identity authentication error number According to, and the 3rd application is jumped to authentication wrong data；

Wherein, if the second roaming bill that this judging unit 321 judges verifies authentification failure, then it represents that the 3rd application Do not have and access locally applied authority, then this second jump-transfer unit 323 send identity authentication error data to local should With the 3rd application, according to the authentication wrong data receiving, jumps to the authentication error interface being related to, i.e. User, authentication mistake can be reminded, it is impossible to carry out cross-domain access.

Use the data access system that the present embodiment provides, by verification authentication module 32, school is directly carried out to roaming bill Test, so that it is determined that belong to the 3rd authentication platform the 3rd application whether can redirect access locally applied, it is to avoid existing skill Art needs bill roaming center carry out verifying certification to roaming bill, and authentication platform is mainly used in receiving and forwards verification The result of certification, thus effectively improve roaming access speed.

It should be noted that in embodiment described above, be the integrated corresponding functional module of energy between unit, And be integrated in authentication platform, and above-mentioned only as a example by local authentication platform, but it is not limited to this, such as target authentication platform All including above unit and module with the 3rd authentication platform etc., in this not go into detail for detailed description of the invention, can With referring to above related embodiment.

For convenience of description, it is divided into various unit to be respectively described with function when describing apparatus above.Certainly, this is being implemented The function of each unit can be realized in same or multiple softwares and/or hardware during invention.

Each embodiment in this specification all uses the mode gone forward one by one to describe, identical similar part between each embodiment Seeing mutually, what each embodiment stressed is the difference with other embodiments.Especially for device Or for system embodiment, owing to it is substantially similar to embodiment of the method, so describing fairly simple, related part ginseng See that the part of embodiment of the method illustrates.Apparatus and system embodiment described above is only schematically, wherein The described unit illustrating as separating component can be or may not be physically separate, the portion showing as unit Part can be or may not be physical location, i.e. may be located at a place, or also can be distributed to multiple network On unit.Some or all of module therein can be selected according to the actual needs to realize the purpose of the present embodiment scheme. Those of ordinary skill in the art, in the case of not paying creative work, are i.e. appreciated that and implement.

It is understood that the present invention can be used in numerous general or special purpose computing system environment or configuration.For example: individual People's computer, server computer, handheld device or portable set, laptop device, multicomputer system, based on The system of microprocessor, set top box, programmable consumer-elcetronics devices, network PC, minicom, mainframe computer, Including DCE of any of the above system or equipment etc..

The present invention can be described in the general context of computer executable instructions, such as program mould Block.Usually, program module include perform particular task or realize the routine of particular abstract data type, program, object, Assembly, data structure etc..Also the present invention can be put into practice in a distributed computing environment, at these DCEs In, the remote processing devices connected by communication network is performed task.In a distributed computing environment, program Module may be located in the local and remote computer-readable storage medium including storage device.

It should be noted that herein, the such as relational terms of " first " and " second " or the like be used merely to by One entity or operation separate with another entity or operating space, and not necessarily require or imply these entities or behaviour There is relation or the order of any this reality between work.And, term " includes ", "comprising" or it is any Other variants are intended to comprising of nonexcludability so that include the process of a series of key element, method, article or Equipment not only includes those key elements, but also includes other key elements being not expressly set out, or also includes for this mistake The intrinsic key element of journey, method, article or equipment.In the case of there is no more restriction, statement " is included one It is individual ... " key element that limits, it is not excluded that there is also in process, method, article or the equipment include described key element Other identical element.

The above is only the detailed description of the invention of the present invention, makes skilled artisans appreciate that or realizes the present invention. Multiple modifications to these embodiments will be apparent to one skilled in the art, and as defined herein one As principle can realize in other embodiments without departing from the spirit or scope of the present invention.Therefore, this The bright the embodiments shown herein that is not intended to be limited to, and be to fit to and principles disclosed herein and features of novelty Consistent scope the widest.

Claims (10)

1. a data access method, it is characterised in that include:

Receive locally applied the sent access request belonging to local authentication platform, in described access request, carry mesh Mark authentication platform and the intended application belonging to described target authentication platform；

Generate the first roaming bill application request according to described access request；

Send described first roaming bill application request to described target authentication platform, so that described target authentication platform root Generate the corresponding first roaming bill according to described first roaming bill application request；

Receive the first roaming bill that described target authentication platform returns；

Send described first roaming bill to described locally applied, locally applied carry the described first roaming ticket so that described According to the described intended application of access.

2. data access method according to claim 1, it is characterised in that also include:

Receiving the second roaming bill application request that the 3rd authentication platform sends, described second roaming bill application request is institute State what the 3rd authentication platform generated according to the sent access request of the 3rd application belonging to described 3rd authentication platform；

According to described second roaming bill application request, generate the corresponding second roaming bill；

Send described second roaming bill to described 3rd authentication platform, so that described 3rd authentication platform is by described second Roaming bill sends to described 3rd application, and described 3rd application carry the described second roaming bill access described this locality should With.

3. data access method according to claim 2, it is characterised in that also include:

Receiving the certification request of locally applied transmission, described certification request accesses described for locally applied according to the 3rd application The second roaming bill that ground application is carried generates；

The second roaming bill according to verification certification is asked in described certification, and described 3rd application access is described locally applied.

4. data access method according to claim 2, it is characterised in that the corresponding second roaming ticket of described generation According to, comprising:

Search and confirm the type of the described second roaming bill application request；

Ask corresponding resource according to the described second roaming bill application that described type search local authentication platform internal memory stores up Information；

Search according to described resource information and draw the corresponding second roaming bill.

5. data access method according to claim 3, it is characterised in that described according to described certification request verification Second roaming bill described in certification, and described 3rd application access is described locally applied, comprising:

Judge whether the described second roaming bill verifies certification success, and send verification authentication result to the 3rd application；

If described second roaming bill verification certification success, then described 3rd application redirect access described locally applied；

If described second roaming bill verification authentification failure, return identity authentication error data, and should by the described 3rd With jumping to authentication wrong data.

6. a data access system, it is characterised in that include:

Access request receiver module, for receiving locally applied the sent access request belonging to local authentication platform, Carry target authentication platform in described access request and belong to the intended application of described target authentication platform；

Ticket requests generation module, for generating the first roaming bill application request according to described access request；

Ticket requests sending module, sends to described target authentication platform for the first roaming bill application request that will generate；

Roaming ticket recipient module, for receiving the first roaming bill that described target authentication platform returns；

First roaming bill sending module, sends to belonging to local authentication platform for the first roaming bill that will receive Locally applied.

7. data access system according to claim 6, it is characterised in that also include:

Ticket requests receiver module, for receiving the second roaming bill application request that the 3rd authentication platform sends, described the Two roaming bill application requests are sent out according to the 3rd application belonging to described 3rd authentication platform by described 3rd authentication platform The access request sent generates；

Roaming bill generation module, for according to described second roaming bill application request, generating the corresponding second roaming ticket According to；

Second roaming bill sending module, sends to described 3rd authentication platform for roaming bill by described second, so that Described 3rd authentication platform sends described second roaming bill to described 3rd application, and described 3rd application is carried described Second roaming bill accesses described locally applied.

8. data access system according to claim 7, it is characterised in that also include:

Receiver module is asked in certification, and for receiving the certification request of locally applied transmission, described certification request is locally applied Access what described locally applied the second roaming bill carrying generated according to the 3rd application；

Verification authentication module, for the second roaming bill according to described certification request verification certification, and the described 3rd should Described locally applied with accessing.

9. data access system according to claim 7, it is characterised in that described roaming bill generation module includes:

First lookup unit, for searching and confirming the type of the described second roaming bill application request；

Second lookup unit, for the described second roaming bill Shen stored up according to described type search local authentication platform internal memory Please ask corresponding resource information；

Roaming bill acquiring unit, draws the corresponding second roaming bill for searching according to described resource information.

10. data access system according to claim 8, it is characterised in that described verification authentication module includes:

Judging unit, is used for judging whether the described second roaming bill verifies certification success, and sends verification authentication result To the 3rd application；

First jump-transfer unit, if for described second roaming bill verification certification success, then described 3rd application redirects visit Ask described locally applied；

Second jump-transfer unit, if for described second roaming bill verification authentification failure, returning an identity authentication error number According to, and described 3rd application is jumped to authentication wrong data.