Access control method and device
Technical field
The present embodiments relate to the field of cloud resources technology, and in particular to an access control method and device.
Background
In cloud service scenarios, and especially in public cloud scenarios, a newly launched resource pool and an old resource pool may coexist in the same cloud project. A newly launched resource pool is one that has just been released and has been on-line for a short time; an old resource pool is one that was released earlier and has been on-line for a longer time. A newly launched resource pool usually needs to be maintained for several months as a friendly user test phase. During the friendly user test phase of a newly launched resource pool, all users may access the old resource pool, but only the selected friendly users are allowed to see and access the resources of the newly launched resource pool. Any problems that are exposed can thus be contained within the scope of the friendly users, preventing the risk from spreading, and the newly launched resource pool can be corrected according to the exposed problems and the feedback of the friendly users; at the same time the experience of the friendly users is protected from interference by other users.
In practice, an Identity and Access Management (IAM) server is usually responsible for the uniform registration and identity authentication management of all users requesting access to any resource pool, new or old, in the same cloud project. As a result, non-friendly users can also access the newly launched resource pool, which severely interferes with both risk control and the friendly users' use of the pool.
One solution in the prior art is to configure an Internet Protocol (IP) address whitelist on the firewall at the border of the control station of the newly launched resource pool, so that only friendly users are allowed to access it. However, this approach imposes a strict restriction on IP addresses: a friendly user can access the newly launched resource pool only from a terminal with the specified IP address and cannot access it from any other IP address. Moreover, if the IP address changes, the firewall must be reconfigured, which degrades the user experience.
Summary of the invention
Embodiments of the present invention provide an access control method and device that allow a friendly user to access a newly launched resource pool from a terminal with any IP address.
To achieve the above purpose, embodiments of the present invention adopt the following technical solutions.
In a first aspect, an embodiment of the present invention provides an access control method applied to an exclusive IAM module. One exclusive IAM module corresponds to one newly launched resource pool and stores the account information of the users in the friendly user group corresponding to that newly launched resource pool. The method includes: first, the exclusive IAM module receives first account information sent by a portal server, where the first account information is the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the exclusive IAM module, and a logged-in user is a user who has logged in to the portal server; second, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group; then the exclusive IAM module sends an authentication indication message to the portal server, indicating whether the first account information has passed authentication.
Because the exclusive IAM module authenticates the logged-in user according to the "account information" of the users in the friendly user group corresponding to its newly launched resource pool, rather than according to the "IP address" of the user's terminal, a user in the friendly user group located anywhere can access the newly launched resource pool from a terminal with any IP address on the basis of the account information, without being restricted by the terminal's IP address, which improves the user experience.
In one possible design, before authenticating the first account information according to the stored account information of the users in the friendly user group, the method further includes: the exclusive IAM module receives second account information sent by a global IAM module, where the second account information is the account information of the users in the friendly user group corresponding to the newly launched resource pool corresponding to the exclusive IAM module. This is a simple and convenient way of provisioning the account information of the friendly user group in the exclusive IAM module.
In one possible design, when the on-line time of the newly launched resource pool is greater than or equal to a preset time threshold, the method further includes: the exclusive IAM module receives the account information of all users sent by the global IAM module. The exclusive IAM module then stores the account information of all users and can authenticate every logged-in user who requests access to the newly launched resource pool corresponding to that exclusive IAM module.
In a second aspect, an embodiment of the present invention provides an access control method applied to a global IAM module. The global IAM module stores the registration information of all users, and the registration information includes account information. The method includes: the global IAM module receives first account information sent by a portal server, where the first account information is the account information of a logged-in user requesting access to an old resource pool; the global IAM module then authenticates the first account information according to the stored registration information of all users. Further, for each newly launched resource pool, the global IAM module sends the account information of the users in the corresponding friendly user group to the exclusive IAM module corresponding to that newly launched resource pool.
In this way the global IAM module can authenticate the account information of every logged-in user requesting access to an old resource pool. Further, because the global IAM module sends the account information of each newly launched resource pool's friendly user group to the corresponding exclusive IAM module, the account information of the friendly user group can be provisioned in the exclusive IAM module simply and conveniently.
In one possible design, the method further includes: when the on-line time of the newly launched resource pool is greater than or equal to the preset time threshold, the global IAM module sends the account information of all users to the exclusive IAM module corresponding to that newly launched resource pool, so that the exclusive IAM module stores the account information of all users and can authenticate every logged-in user who requests access to the newly launched resource pool corresponding to that exclusive IAM module.
In one possible design, the registration information further includes password information, and the method further includes: first, the global IAM module receives second account information and password information sent by the portal server, where the second account information and password information are the account information and password information of a user requesting to log in to the portal server; second, the global IAM module authenticates the second account information and password information according to the stored registration information of all users; then the global IAM module sends an authentication indication message to the portal server indicating whether the second account information and password information have passed authentication. The global IAM module can thus authenticate the identity of every user requesting to log in to the portal server.
In a third aspect, an access control method applied to a portal server is provided. The method includes: first, after a user logs in to the portal server, the portal server instructs the terminal to display a resource pool list to the logged-in user; second, the portal server receives a newly launched resource pool access request sent by the terminal, which includes the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; then the portal server sends the account information of the logged-in user to the exclusive Identity and Access Management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed; afterwards, the portal server receives a first authentication indication message sent by the exclusive IAM module, indicating whether the account information of the logged-in user has passed authentication; finally, when the first authentication indication message indicates that authentication has passed, the logged-in user is allowed to access the newly launched resource pool to be accessed.
Thus, when a logged-in user wants to access a newly launched resource pool, the portal server sends the logged-in user's account information to the exclusive IAM module corresponding to that newly launched resource pool, so that the exclusive IAM module authenticates the logged-in user according to the stored "account information" of the users in the friendly user group rather than according to the "IP address" of the user's terminal. A user in the friendly user group located anywhere can therefore access the newly launched resource pool from a terminal with any IP address on the basis of the account information, without being restricted by the terminal's IP address, which improves the user experience.
In one possible design, the method further includes, before the above steps: first, the portal server receives a login request message sent by the terminal, which includes the account information and password information of the user requesting to log in to the portal server; second, the portal server sends the account information and password information of that user to the global IAM module; then the portal server receives a second authentication indication message sent by the global IAM module, indicating whether the account information and password information of the user requesting to log in have passed authentication; and if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in. The global IAM module can thus authenticate the identity of every user requesting to log in to the portal server.
In one possible design, the portal server instructing the terminal to display the resource pool list to the logged-in user includes: when no newly launched resource pool has an on-line time greater than or equal to the preset time threshold, the portal server instructs the terminal to display in the resource pool list the old resource pools and every newly launched resource pool whose corresponding friendly user group includes the logged-in user.
In this way a user in a friendly user group can see and click on both the newly launched and the old resource pools in the terminal, and thereby request access to them, whereas a user who is not in the friendly user group can see and click on only the old resource pools, cannot see the newly launched resource pool and therefore cannot request access to it. The exclusive IAM module corresponding to the newly launched resource pool consequently never has to authenticate the account information of users outside the friendly user group, which reduces its workload.
In one possible design, when there is a newly launched resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display in the resource pool list the old resource pools, every newly launched resource pool whose on-line time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose on-line time is less than the preset time threshold, every one whose corresponding friendly user group includes the logged-in user. A newly launched resource pool can thus be opened to all users, and not only to the users in its friendly user group, once it has passed the friendly user test phase.
In one possible design, the method further includes: the portal server receives an old resource pool access request sent by the terminal, which includes the account information of the logged-in user and the identifier of the old resource pool to be accessed; the portal server then sends the account information of the logged-in user to the global IAM module, so that the global IAM module authenticates the account information of the logged-in user requesting access to the old resource pool.
In another aspect, an embodiment of the present invention provides a system that includes a device capable of implementing the functions of the exclusive IAM module, a device capable of implementing the functions of the global IAM module, and a device capable of implementing the functions of the portal server in the above aspects.
In yet another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above exclusive IAM module, including a program designed to perform the above aspects.
In yet another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above global IAM module, including a program designed to perform the above aspects.
In yet another aspect, an embodiment of the present invention provides a computer storage medium for storing the computer software instructions used by the above portal server, including a program designed to perform the above aspects.
Compared with the prior art, in the solution provided by the embodiments of the present invention the exclusive IAM module authenticates the logged-in user according to the stored account information of the users in the friendly user group rather than according to the "IP address", so that a user in the friendly user group located anywhere can access the newly launched resource pool from a terminal with any IP address on the basis of the account information, which improves the user experience.
For ease of understanding, some of the concepts involved in the present invention are explained below for reference:
Portal website: a comprehensive Internet information resource and application system that provides information services for a certain class of users; it is the website managed by the portal server.
Resource pool: in the embodiments of the present invention, a cloud resource pool in a cloud service scenario, that is, a set of multiple cloud resources. The cloud resources may include cloud computing resources, cloud storage resources and the like, and the cloud resources in a resource pool are usually carried by multiple physical carrier devices.
Single sign-on: among multiple application systems, a user needs to log in only once to access all mutually trusting application systems.
Control station: a framework for storage and management tools, including files and other containers, web pages and other management items. The control station has windows that provide a control station tree view and views of the management properties, services and events associated with the items in the control station tree.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for the embodiments or the description of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the basic architecture of an access control system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the basic architecture of an improved access control system according to an embodiment of the present invention;
Fig. 3 is a flowchart of an access control method according to an embodiment of the present invention;
Fig. 4 is a flowchart of another access control method according to an embodiment of the present invention;
Fig. 5 is a flowchart of a method by which a portal server instructs a terminal to display a resource pool list according to an embodiment of the present invention;
Fig. 6A is a schematic diagram of a terminal display interface according to an embodiment of the present invention;
Fig. 6B is a schematic diagram of another terminal display interface according to an embodiment of the present invention;
Fig. 7 is a flowchart of another access control method according to an embodiment of the present invention;
Fig. 8 is a flowchart of another access control method according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an exclusive IAM module according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a global IAM module according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a portal server according to an embodiment of the present invention;
Fig. 12A is a schematic structural diagram of another exclusive IAM module according to an embodiment of the present invention;
Fig. 12B is a schematic structural diagram of another exclusive IAM module according to an embodiment of the present invention;
Fig. 13A is a schematic structural diagram of another global IAM module according to an embodiment of the present invention;
Fig. 13B is a schematic structural diagram of another global IAM module according to an embodiment of the present invention;
Fig. 14A is a schematic structural diagram of another portal server according to an embodiment of the present invention;
Fig. 14B is a schematic structural diagram of another portal server according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of the basic architecture of a resource pool access control system in a cloud service scenario. The system includes terminals, a portal server, an access control device, firewalls, control stations and physical carrier devices. The portal server may be connected to at least one terminal in order to receive the login requests or resource pool access requests that users send through the terminals; the portal server is also connected to the access control device, to which it sends the user identity information carried in a login request or resource pool access request for authentication; the portal server may also be connected to multiple control stations, each corresponding to one resource pool, so that a user's resource pool access request can be redirected to the control station corresponding to the requested resource pool and that resource pool accessed; each control station may be connected to at least one physical carrier device, which carries the resource pool corresponding to that control station. Specifically, the access control device here may be an IAM server, and a terminal may be a physical device such as a computer, mobile phone or iPad. As shown in Fig. 1, a cloud project may contain multiple resource pools, and different resource pools may be located in different geographical locations, such as Beijing, Shanghai and Shenzhen. The resource pools here may include multiple old resource pools released earlier and multiple newly launched resource pools that have just been released. A user can access all resource pools in the cloud project by single sign-on to the portal server from a terminal, that is, by logging in to the portal website.
In the prior art, an IP address whitelist is configured on the firewall at the border of the control station corresponding to the newly launched resource pool shown in Fig. 1, so that during the friendly user test phase only the users in the friendly user group may access the newly launched resource pool. This approach imposes a strict restriction on IP addresses: a user in the friendly group can access the newly launched resource pool only from a terminal with an IP address specified in the whitelist, and not from a terminal with any other IP address, which degrades the user experience.
To address the above problem, the embodiments of the present invention propose an improved access control system whose basic architecture is shown in Fig. 2. Compared with the architecture of Fig. 1, in the architecture of Fig. 2 the access control device includes a global IAM module and at least one exclusive IAM module; the different IAM modules may be deployed on different physical devices or integrated in the same physical device, which is not specifically limited here. The global IAM module stores the registration information of all users, which includes identity information such as account information and password information. The global IAM module is responsible for authenticating users requesting to log in to the portal server and users requesting access to the old resource pools. Here a logged-in user is a user who has successfully logged in to the portal server. Each exclusive IAM module corresponds to one newly launched resource pool; for example, as shown in Fig. 2, newly launched resource pool 1 corresponds to exclusive IAM module 1 and newly launched resource pool 2 corresponds to exclusive IAM module 2. An exclusive IAM module stores only the account information of the users in the friendly user group corresponding to its newly launched resource pool, and is responsible for authenticating the account information of the logged-in users requesting access to that newly launched resource pool.
Because the exclusive IAM module authenticates the "account information" of a logged-in user requesting access to its newly launched resource pool against the stored "account information" of the users in the corresponding friendly user group, rather than authenticating the logged-in user by "IP address", a user in the friendly user group located anywhere can access the newly launched resource pool from a terminal with any IP address, without being restricted by IP address, which improves the user experience.
With reference to the basic architecture shown in Fig. 2, an embodiment of the present invention provides an access control method; referring to Fig. 3, the method may include the following steps.
301. After a user logs in to the portal server, the portal server instructs the terminal to display a resource pool list to the logged-in user.
A logged-in user here is a user who has logged in to the portal server, that is, to the portal website managed by the portal server. After a user successfully logs in to the portal server through a terminal and a browser, the portal server may instruct the terminal to display the resource pool list, which presents to the logged-in user the resource pools that can be accessed.
302. The portal server receives a newly launched resource pool access request sent by the terminal, which includes the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed.
303. The portal server sends the account information of the logged-in user to the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed.
When a logged-in user requests access to a newly launched resource pool in the resource pool list, the logged-in user can send a newly launched resource pool access request to the portal server through the terminal, carrying in the request the logged-in user's account information and the identifier of the newly launched resource pool to be accessed. This identifier uniquely identifies the newly launched resource pool to be accessed.
In steps 302-303, on receiving a newly launched resource pool access request from a logged-in user, the portal server can forward the logged-in user's account information carried in the request to the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed.
304. After receiving the first account information sent by the portal server, the exclusive IAM module authenticates the first account information according to the stored account information of the users in the friendly user group.
The first account information here is the account information sent by the portal server in step 303, that is, the account information of the logged-in user requesting access to the newly launched resource pool corresponding to the exclusive IAM module. After receiving it, the exclusive IAM module corresponding to the identifier of the newly launched resource pool to be accessed can authenticate the first account information according to the stored account information of the users in the friendly user group.
When the logged-in user is a user in the friendly user group corresponding to the newly launched resource pool to be accessed, the logged-in user's account information passes authentication by the exclusive IAM module; when the logged-in user is not in that friendly user group, the logged-in user's account information does not pass authentication by the exclusive IAM module.
305. The exclusive IAM module sends an authentication indication message to the portal server, indicating whether the first account information has passed authentication.
After authenticating the first account information in step 304, the exclusive IAM module can send the authentication result to the portal server in an authentication indication message, notifying the portal server whether the first account information has passed authentication.
306. After receiving the first authentication indication message sent by the exclusive IAM module, when the first authentication indication message indicates that authentication has passed, the portal server allows the logged-in user to access the newly launched resource pool to be accessed.
After receiving the first authentication indication message from the exclusive IAM module, the portal server allows the logged-in user to access the newly launched resource pool to be accessed when the message indicates that authentication has passed, and refuses the access when the message indicates that authentication has not passed.
Specifically, when the portal server allows the logged-in user to access the newly launched resource pool to be accessed, it can redirect the newly launched resource pool access request sent by the logged-in user through the terminal to the control station corresponding to that newly launched resource pool, so that the resource pool is accessed through the control station.
In the access control method provided by the embodiment of the present invention, the exclusive IAM module is responsible for authenticating the account information of logged-in users requesting access to its corresponding newly launched resource pool. When a logged-in user requests access to a newly launched resource pool, the corresponding exclusive IAM module can determine whether the logged-in user's account information matches the account information of some user in the friendly user group that it stores. If it matches, the logged-in user is a user in the friendly user group, passes authentication and can access the newly launched resource pool. If it does not match, the exclusive IAM module does not hold the logged-in user's account information, the logged-in user belongs to the non-friendly users of that newly launched resource pool, cannot pass authentication and cannot access the newly launched resource pool.
Therefore, if request accesses the logged-in user of this resource pool of newly reaching the standard grade, for the user in non-friendly user's group, the most
The account information of login user by the certification of this exclusive IAM module, thus cannot cannot access this resource pool of newly reaching the standard grade;And work as
Request accesses the logged-in user of this resource pool of newly reaching the standard grade, during for user in friendly user's group, then and the account of logged-in user
Information can be by the certification of this exclusive IAM module, such that it is able to access this resource pool of newly reaching the standard grade.Thus, resource of reaching the standard grade when newly
When the service of the offer in pond, function or operation system go wrong, the problem that resource pool of newly reaching the standard grade exposes can be controlled
In friendly user scope, it is to avoid risk expands, and according to the problem exposed and the feedback of friendly user, resource pool of newly reaching the standard grade is entered
Row rectification, at the same time it can also be ensure the experience of friendly user, it is to avoid the use interference of non-friendly user.
Further, due to exclusive IAM module be according to " account information " logged-in user carried out authentication rather than
It is authenticated according to " IP address ", thus is positioned at the user in friendly user's group of anywhere, all can believe according to account
Cease and newly reached the standard grade resource pool by the terminal access of any IP address, i.e. can reach the effect of " account white list ", and by eventually
The restriction of end IP address, even if the IP address of terminal there occurs change, does not interferes with the positive frequentation of user in friendly user's group yet
Ask resource pool of newly reaching the standard grade, thus improve the experience of user.
It should be noted that, in the embodiment of the present invention, the account information of the users in the friendly user group corresponding to the newly launched resource pool, which is stored in the dedicated IAM module, may be preset, or may be sent to the dedicated IAM module by the global IAM module or by another device or apparatus; this is not specifically limited here.
Optionally, referring to Fig. 4, before step 304 the method may further include:
307. The global IAM module sends, for each newly launched resource pool, the account information of those users among all users who belong to the friendly user group corresponding to that resource pool to the dedicated IAM module corresponding to that resource pool.
Because the global IAM module stores the registration information of all users, and the registration information includes the account information, the global IAM module can send the account information of the users in the friendly user group corresponding to a newly launched resource pool to the dedicated IAM module, which is simple and convenient.
Corresponding to step 307, the dedicated IAM module can receive the "second account information" sent by the global IAM module. Here the "second account information" is the account information, sent by the global IAM module in step 307, of the users in the friendly user group corresponding to the newly launched resource pool that corresponds to the dedicated IAM module. After receiving and storing the second account information sent by the global IAM module, the dedicated IAM module can authenticate the account information of a logged-in user requesting access to the newly launched resource pool according to the stored account information of the users in the friendly user group.
Specifically, in step 301, the portal server instructing the terminal to display the resource pool list to the logged-in user may include step 3011 and step 3012 shown in Fig. 5:
3011. When no newly launched resource pool has an on-line time greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, the old resource pools and all newly launched resource pools whose corresponding friendly user group includes the logged-in user.
Here the preset time threshold may be the preset duration of the friendly user test phase. When no newly launched resource pool has an on-line time greater than or equal to the preset time threshold, every newly launched resource pool is still within the friendly user test phase, and the logged-in user can be shown the old resource pools and all newly launched resource pools whose corresponding friendly user group includes the logged-in user. In this way, a user in a friendly user group can see and click the corresponding newly launched resource pools and the old resource pools in the terminal, and thus request access to them. A user not in a friendly user group can only see and click the old resource pools in the terminal, cannot see the newly launched resource pools, and therefore cannot request access to them; the dedicated IAM module corresponding to a newly launched resource pool then never has to authenticate the account information of users in the non-friendly user group, which reduces the workload of the dedicated IAM module.
Exemplarily, if user 1 is a user in the friendly user group corresponding to newly launched resource pool 1 (the Shanghai resource pool) shown in Fig. 2, but is not a user in the friendly user group corresponding to newly launched resource pool 2 (the Beijing resource pool) of Fig. 2, then, as shown in the terminal display interface of Fig. 6A, after user 1 logs in to the portal server through the terminal, user 1 can see newly launched resource pool 1 (the Shanghai resource pool) and the old resource pools in the resource pool list displayed by the terminal, but cannot see newly launched resource pool 2 (the Beijing resource pool). User 1 can click a resource pool displayed in the terminal to access it.
In addition, when no newly launched resource pool has an on-line time greater than or equal to the preset time threshold, the portal server may also instruct the terminal to display all resource pools to the logged-in user in the resource pool list; if the logged-in user is not a user in the friendly user group corresponding to some newly launched resource pool, that newly launched resource pool is displayed in a manner different from the other resource pools, and clicking it produces no response. In this way, although a user in the non-friendly user group can see the newly launched resource pool in the terminal, the user cannot request access to it.
Exemplarily, referring to Fig. 6B, after user 1 logs in through the terminal, user 1 can see all the resource pools shown in Fig. 2 in the terminal, but the icon of newly launched resource pool 2 (the Beijing resource pool) is displayed in a format different from the icons of the other resource pools, clicking it produces no response, and user 1 cannot access newly launched resource pool 2.
3012. When there is a newly launched resource pool whose on-line time is greater than or equal to the preset time threshold, the portal server instructs the terminal to display, in the resource pool list, the old resource pools, all newly launched resource pools whose on-line time is greater than or equal to the preset time threshold, and, among the newly launched resource pools whose on-line time is less than the preset time threshold, all those whose corresponding friendly user group includes the logged-in user.
When the on-line time of a newly launched resource pool is greater than or equal to the preset time threshold, the resource pool has passed the friendly user test phase; the services, functions and operating systems it provides have stabilized, and it can now be opened to all users rather than only to the users in the friendly user group. Therefore, the portal server may instruct the terminal to display, in the resource pool list, the old resource pools, all newly launched resource pools whose on-line time is greater than or equal to the preset time threshold, and those newly launched resource pools with an on-line time less than the preset time threshold whose corresponding friendly user group includes the logged-in user.
Further, when the on-line time of a newly launched resource pool is greater than or equal to the preset time threshold, the method may further include: the global IAM module sends the account information of all users to the dedicated IAM module corresponding to that newly launched resource pool.
In this way, the dedicated IAM module corresponding to a newly launched resource pool whose on-line time is greater than or equal to the preset time threshold stores the account information of all users. When a logged-in user requests access to this newly launched resource pool, regardless of whether the logged-in user is a user in the friendly user group or in the non-friendly user group, as long as the logged-in user is a validly registered user, the account information passes authentication by the dedicated IAM module, and the logged-in user is allowed to access the newly launched resource pool.
It should be noted that, because the dedicated IAM module has already stored the account information of the users in the friendly user group corresponding to its newly launched resource pool, when the on-line time of the resource pool is greater than or equal to the preset time threshold the global IAM module may send only the account information of the users in the non-friendly user group corresponding to that resource pool to the dedicated IAM module, so that the dedicated IAM module stores the account information of all users.
In addition, when the on-line time of the newly launched resource pool is greater than or equal to the preset time threshold and a new user registers, the global IAM module stores the registration information of the new user and synchronously sends the account information of the new user to the dedicated IAM module corresponding to that newly launched resource pool.
Further, referring to Fig. 7, before step 301 the method may further include:
701. The portal server receives a login request message sent by the terminal, the login request message including the account information and password information of the user requesting to log in to the portal server.
702. The portal server sends the account information and password information of the user requesting to log in to the portal server to the global IAM module.
703. After receiving the second account information and the password information sent by the portal server, the global IAM module authenticates the second account information and the password information according to the stored registration information of all users.
Here the second account information and password information refer to the account information and password information, sent by the portal server in step 702, of the user requesting to log in to the portal server.
704. The global IAM module sends an authentication indication message to the portal server, the authentication indication message indicating whether the second account information and the password information pass authentication.
705. After receiving the second authentication indication message sent by the global IAM module, if the second authentication indication message indicates that authentication has passed, the portal server allows the user to log in.
The "second authentication indication message" received by the portal server in step 705 is the "authentication indication message" sent by the global IAM module in step 704, and indicates whether the account information and password information of the user requesting to log in to the portal server pass authentication.
In addition, if the second authentication indication message indicates that authentication has not passed, the portal server does not allow the user to log in.
It should be noted that, in the embodiment of the present invention, identity information such as the account information and password information of a user requesting to log in to the portal server is authenticated by the global IAM module.
Further, after step 705, referring to Fig. 8, the method provided by the embodiment of the present invention may further include:
801. The portal server receives an old resource pool access request sent by the terminal, the old resource pool access request including the account information of the logged-in user and the identifier of the old resource pool to be accessed.
802. The portal server sends the account information of the logged-in user to the global IAM module.
The portal server determines from the identifier of the old resource pool to be accessed that the logged-in user wants to access an old resource pool, and therefore sends the account information of the logged-in user to the global IAM module for authentication.
803. After receiving the first account information sent by the portal server, the global IAM module authenticates the first account information according to the stored registration information of all users.
It should be noted that, unlike the "first account information" in step 304, the "first account information" in step 803 refers to the account information, sent by the portal server in step 802, of the logged-in user requesting access to the old resource pool.
It can be seen that, in the embodiment of the present invention, the global IAM module is responsible for authenticating the account information and password information of a user requesting to log in to the portal server and for authenticating the account information of a logged-in user requesting access to an old resource pool, whereas the dedicated IAM module is dedicated to authenticating the account information of a logged-in user requesting access to the newly launched resource pool corresponding to that dedicated IAM module.
It should be noted that the global IAM module and each dedicated IAM module may be arranged in different physical devices, and when a dedicated IAM module is located in the same geographic location as its corresponding resource pool, the access control latency experienced by users can be reduced, which improves the user experience. For example, the dedicated IAM module corresponding to the Shanghai resource pool may be deployed in Shanghai, and the dedicated IAM module corresponding to the Beijing resource pool may be deployed in Beijing. Of course, the global IAM module and all dedicated IAM modules may also be integrated in one physical device; this is not specifically limited here.
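As an added illustration that is not part of the patent, the following Python model ties together the flows described above: the global IAM module authenticates logins (steps 701 to 705) and old resource pool access (steps 801 to 803), each dedicated IAM module holds only the accounts pushed to it (step 307) and authenticates by account rather than by IP address (step 304), the portal builds the resource pool list (steps 3011 and 3012), redirects to the console when authentication passes (step 306), and syncs all users to a dedicated module once its pool reaches the preset time threshold. All class and function names, pool identifiers, console URLs, user records and the 90-day threshold are assumptions constructed for the example.

```python
"""Added example (not from the patent): an in-memory model of the global IAM module,
the per-pool dedicated IAM modules and the portal server routing requests between them.
Names, pool ids, console addresses, user records and the 90-day threshold are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

FRIENDLY_TEST_DAYS = 90  # constructed preset time threshold: friendly user test phase, in days


def pw_hash(password):
    # Unsalted SHA-256 keeps the model short; a deployment would use a password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class GlobalIAM:
    """Stores the registration information of all users (account -> password hash)."""
    registrations: dict

    def authenticate_login(self, account, password):
        # Steps 703/704: check account and password against all registrations.
        stored = self.registrations.get(account)
        return stored is not None and hmac.compare_digest(stored, pw_hash(password))

    def authenticate_account(self, account):
        # Step 803: access to an old pool only requires a registered account.
        return account in self.registrations

    def push_friendly_group(self, dedicated, group):
        # Step 307: send the friendly group's accounts to the pool's dedicated module.
        dedicated.accounts.update(a for a in group if a in self.registrations)

    def push_all_users(self, dedicated):
        # Once the pool's on-line time reaches the threshold, every account is sent.
        dedicated.accounts.update(self.registrations)


@dataclass
class DedicatedIAM:
    """Serves one newly launched pool and knows only the accounts it has been sent."""
    accounts: set = field(default_factory=set)

    def authenticate(self, account):
        # Step 304: an account whitelist; the terminal's IP address plays no part.
        return account in self.accounts


@dataclass
class Portal:
    global_iam: GlobalIAM
    old_pools: list        # pool ids authenticated by the global IAM module
    new_pools: dict        # pool id -> [online_days, DedicatedIAM]
    friendly_groups: dict  # pool id -> set of accounts (assumed known to the portal)
    console_url: dict      # pool id -> console address (constructed)
    sessions: set = field(default_factory=set)

    def login(self, account, password):
        # Steps 701-705: the global IAM module decides whether the login succeeds.
        ok = self.global_iam.authenticate_login(account, password)
        if ok:
            self.sessions.add(account)
        return ok

    def resource_pool_list(self, account):
        # Steps 3011/3012: returns (clickable pools, pools shown but inactive).
        clickable, inactive = list(self.old_pools), []
        for pool_id, (online_days, _) in self.new_pools.items():
            if online_days >= FRIENDLY_TEST_DAYS or account in self.friendly_groups[pool_id]:
                clickable.append(pool_id)
            else:
                inactive.append(pool_id)  # displayed differently; a click has no effect
        return clickable, inactive

    def access_pool(self, account, pool_id):
        # Steps 302-306 and 801-803: route by pool id; on success redirect to the console.
        if account not in self.sessions:
            return ("denied", None)
        if pool_id in self.new_pools:    # the pool's dedicated module decides (step 304)
            ok = self.new_pools[pool_id][1].authenticate(account)
        else:                            # old pools: the global module decides (step 803)
            ok = pool_id in self.old_pools and self.global_iam.authenticate_account(account)
        return ("redirect", self.console_url[pool_id]) if ok else ("denied", None)

    def update_online_time(self, pool_id, online_days):
        # When a new pool reaches the threshold, all users are synced to its module.
        self.new_pools[pool_id][0] = online_days
        if online_days >= FRIENDLY_TEST_DAYS:
            self.global_iam.push_all_users(self.new_pools[pool_id][1])


def build_demo():
    """Constructed scenario after Fig. 2/6A: user1 is a friendly user of pool 1 only."""
    giam = GlobalIAM({"user1": pw_hash("pw1"), "user2": pw_hash("pw2")})
    pools = {p: DedicatedIAM() for p in ("new-pool-1", "new-pool-2")}
    groups = {"new-pool-1": {"user1"}, "new-pool-2": {"user2"}}
    for pid, dedicated in pools.items():
        giam.push_friendly_group(dedicated, groups[pid])
    return Portal(giam, ["old-pool"], {pid: [10, d] for pid, d in pools.items()},
                  groups, {p: f"https://console.{p}.example" for p in ["old-pool", *pools]})
```

Calling `update_online_time("new-pool-2", FRIENDLY_TEST_DAYS)` on the demo portal is what turns the Beijing pool from friendly-only into open to every registered account.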
As shown in Fig. 9, the embodiment of the present invention provides a schematic structural diagram of a dedicated IAM module 900. The dedicated IAM module 900 may include: a receiving unit 901, configured to receive the first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to the newly launched resource pool corresponding to the dedicated IAM module, and the logged-in user being a user who has logged in to the portal server; an authentication unit 902, configured to authenticate the first account information according to the stored account information of the users in the friendly user group; and a sending unit 903, configured to send an authentication indication message to the portal server, the authentication indication message indicating whether the first account information passes authentication.
Further, the apparatus shown in Fig. 9 may be used to perform any of the procedures performed by the dedicated IAM module in the method flows described above.
As shown in Fig. 10, the embodiment of the present invention provides a schematic structural diagram of a global IAM module 1000. The global IAM module 1000 may include: a receiving unit 1001, configured to receive the first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to an old resource pool; an authentication unit 1002, configured to authenticate the first account information according to the stored registration information of all users; and a sending unit 1003, configured to send, for each newly launched resource pool, the account information of those users among all users who belong to the friendly user group corresponding to that resource pool to the dedicated IAM module corresponding to that resource pool.
Further, the apparatus shown in Fig. 10 may be used to perform any of the procedures performed by the global IAM module in the method flows described above.
As shown in Fig. 11, the embodiment of the present invention provides a schematic structural diagram of a portal server 1100. The portal server 1100 may include: an indicating unit 1101, configured to instruct the terminal to display the resource pool list to the logged-in user after the user logs in to the portal server; a receiving unit 1102, configured to receive a newly launched resource pool access request sent by the terminal, the newly launched resource pool access request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; a sending unit 1103, configured to send the account information of the logged-in user to the dedicated identity and access management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed; the receiving unit 1102 being further configured to receive the first authentication indication message sent by the dedicated IAM module, the first authentication indication message indicating whether the account information of the logged-in user passes authentication; and a processing unit 1104, configured to allow the logged-in user to access the newly launched resource pool to be accessed when the first authentication indication message indicates that authentication has passed.
Further, the apparatus shown in Fig. 11 may be used to perform any of the procedures performed by the portal server in the method flows described above.
The solution provided by the embodiment of the present invention has been described above mainly from the perspective of the interaction between the network elements. It can be understood that, in order to implement the functions above, each network element, such as the dedicated IAM module, the global IAM module and the portal server, includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by hardware or by a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the present invention.
The embodiment of the present invention may divide the dedicated IAM module, the global IAM module, the portal server and so on into functional modules according to the method examples above; for example, each functional module may correspond to one function, or two or more functions may be integrated in one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division into modules in the embodiment of the present invention is schematic and is only a division by logical function; other division manners are possible in actual implementation.
In the case of integrated units, Fig. 12A shows a possible schematic structural diagram of the dedicated IAM module involved in the above embodiment. The dedicated IAM module 1200 includes a processing module 1202 and a communication module 1203. The processing module 1202 is configured to control and manage the actions of the dedicated IAM module; for example, the processing module 1202 is configured to support the dedicated IAM module in performing process 304 in Fig. 3 and Fig. 4, and/or other processes of the techniques described herein. The communication module 1203 is configured to support communication between the dedicated IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 3, Fig. 4 or Fig. 7. The dedicated IAM module may further include a storage module 1201, configured to store the program code and data of the dedicated IAM module.
The processing module 1202 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1203 may be a communication interface, a transceiver circuit or the like. The storage module 1201 may be a memory.
When the processing module 1202 is a processor, the communication module 1203 is a communication interface and the storage module 1201 is a memory, the dedicated IAM module involved in the embodiment of the present invention may be the dedicated IAM module shown in Fig. 12B.
Referring to Fig. 12B, the dedicated IAM module 1210 includes a processor 1212, a communication interface 1213, a memory 1211 and a bus 1214. The communication interface 1213, the processor 1212 and the memory 1211 are connected to each other through the bus 1214; the bus 1214 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, Fig. 12B shows only one thick line, but this does not mean that there is only one bus or only one type of bus.
In the case of integrated units, Fig. 13A shows a possible schematic structural diagram of the global IAM module involved in the above embodiment. The global IAM module 1300 includes a processing module 1302 and a communication module 1303. The processing module 1302 is configured to control and manage the actions of the global IAM module; for example, the processing module 1302 is configured to support the global IAM module in performing process 703 in Fig. 7, processes 703 and 803 in Fig. 8, and/or other processes of the techniques described herein. The communication module 1303 is configured to support communication between the global IAM module and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 4, Fig. 7 or Fig. 8. The global IAM module may further include a storage module 1301, configured to store the program code and data of the global IAM module.
The processing module 1302 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1303 may be a communication interface, a transceiver circuit or the like. The storage module 1301 may be a memory.
When the processing module 1302 is a processor, the communication module 1303 is a communication interface and the storage module 1301 is a memory, the global IAM module involved in the embodiment of the present invention may be the global IAM module shown in Fig. 13B.
Referring to Fig. 13B, the global IAM module 1310 includes a processor 1312, a communication interface 1313, a memory 1311 and a bus 1314. The communication interface 1313, the processor 1312 and the memory 1311 are connected to each other through the bus 1314; the bus 1314 may be a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, Fig. 13B shows only one thick line, but this does not mean that there is only one bus or only one type of bus.
In the case of integrated units, Fig. 14A shows a possible schematic structural diagram of the portal server involved in the above embodiment. The portal server 1400 includes a processing module 1402 and a communication module 1403. The processing module 1402 is configured to control and manage the actions of the portal server; for example, the processing module 1402 is configured to support the portal server in performing process 306 in Fig. 3 and Fig. 4, process 306 or process 705 in Fig. 7, process 705 in Fig. 8, and/or other processes of the techniques described herein. The communication module 1403 is configured to support communication between the portal server and other network entities, for example communication with the functional modules or network entities shown in Fig. 2, Fig. 3, Fig. 4, Fig. 5, Fig. 7 or Fig. 8. The portal server may further include a storage module 1401, configured to store the program code and data of the portal server.
The processing module 1402 may be a processor or a controller, for example a CPU, a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the present invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1403 may be a communication interface, a transceiver circuit or the like. The storage module 1401 may be a memory.
When the processing module 1402 is a processor, the communication module 1403 is a communication interface and the storage module 1401 is a memory, the portal server involved in the embodiment of the present invention may be the portal server shown in Fig. 14B.
Referring to Fig. 14B, the portal server 1410 includes a processor 1412, a communication interface 1413, a memory 1411 and a bus 1414. The communication interface 1413, the processor 1412 and the memory 1411 are connected to each other through the bus 1414; the bus 1414 may be a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, Fig. 14B shows only one thick line, but this does not mean that there is only one bus or only one type of bus.
Another embodiment of the present invention provides a kind of system, and its basic structure schematic diagram may refer to Fig. 2, and this system can be wrapped
Include at least one exclusive IAM module as depicted, global module as depicted, and portal server as depicted.
Wherein, exclusive IAM module, global I AM module and portal server are for performing the access provided in said method embodiment
Control method.
Concrete, a corresponding resource pool of newly reaching the standard grade of exclusive IAM module, and preserve and described exclusive IAM module
The account information of the user in friendly user's group that corresponding resource pool of newly reaching the standard grade is corresponding.Exclusive IAM module may be used for receiving
The first account information that portal server sends, described first account information is that the request described exclusive IAM module of access is corresponding
Newly reaching the standard grade the account information of logged-in user of resource pool, described logged-in user is the use having logged in described portal server
Family;According to the account information of the user in the friendly user's group preserved, described first account information is authenticated;To described door
Family server sends certification instruction message, and described certification instruction message is used for indicating described first account information, and whether certification is led to
Cross.
The global IAM module stores the registration information of all users, the registration information including account information. The global IAM module may be configured to: receive first account information sent by the portal server, the first account information being the account information of a logged-in user requesting access to an old resource pool; authenticate the first account information against the stored registration information of all users; and send, for each newly launched resource pool, the account information of those users (out of all users) who belong to the friendly-user group corresponding to that resource pool to the exclusive IAM module corresponding to that newly launched resource pool.
The portal server may be configured to: after a user logs in to the portal server, instruct the terminal to display a resource pool list to the logged-in user; receive a newly launched resource pool access request sent by the terminal, the request including the account information of the logged-in user and the identifier of the newly launched resource pool to be accessed; send the account information of the logged-in user to the exclusive Identity and Access Management (IAM) module corresponding to the identifier of the newly launched resource pool to be accessed; receive a first authentication indication message sent by the exclusive IAM module, the first authentication indication message indicating whether authentication of the account information of the logged-in user passed; and, when the first authentication indication message indicates that authentication passed, allow the logged-in user to access the newly launched resource pool to be accessed.
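As an added illustration (not part of the patent text), the following Python model shows the three components above exchanging the messages just described: the global IAM module pushes each friendly-user group down to that pool's exclusive IAM module, and the portal server lists and grants old resource pools to every logged-in user but defers newly launched pools to the pool's exclusive IAM module. All class names, accounts, pool identifiers and the password check are constructed assumptions.

```python
# Added example (not from the patent): toy model of the exclusive IAM / global IAM / portal flow.
from dataclasses import dataclass, field

@dataclass
class ExclusiveIAM:                       # one instance per newly launched resource pool
    pool_id: str
    friendly_accounts: set = field(default_factory=set)
    def load_friendly_group(self, accounts):
        self.friendly_accounts = set(accounts)    # pushed down by the global IAM module
    def authenticate(self, account):
        return account in self.friendly_accounts  # the authentication indication: True = passed

@dataclass
class GlobalIAM:                          # registration of every user plus the friendly groups
    registered: dict = field(default_factory=dict)       # account -> password (constructed toy)
    friendly_groups: dict = field(default_factory=dict)  # pool_id -> set of accounts
    exclusive: dict = field(default_factory=dict)        # pool_id -> ExclusiveIAM
    def authenticate(self, account, password):
        return self.registered.get(account) == password  # stands in for registration-based auth
    def distribute_friendly_groups(self):
        # Each exclusive IAM receives only its own pool's group; unregistered names are dropped.
        for pool_id, accounts in self.friendly_groups.items():
            iam = self.exclusive.setdefault(pool_id, ExclusiveIAM(pool_id))
            iam.load_friendly_group(accounts & set(self.registered))

class Portal:                             # portal server
    def __init__(self, global_iam, old_pools):
        self.global_iam, self.old_pools, self.sessions = global_iam, set(old_pools), set()
    def login(self, account, password):
        if self.global_iam.authenticate(account, password):
            self.sessions.add(account)
        return account in self.sessions
    def list_pools(self, account):
        # Old pools are listed for every logged-in user; a new pool only for its friendly users.
        if account not in self.sessions:
            return []
        new = [p for p, iam in self.global_iam.exclusive.items() if iam.authenticate(account)]
        return sorted(self.old_pools) + sorted(new)
    def access(self, account, pool_id):
        if account not in self.sessions:               # only logged-in users may request access
            return False
        if pool_id in self.old_pools:                  # old pool: global IAM login suffices
            return True
        iam = self.global_iam.exclusive.get(pool_id)   # new pool: ask its exclusive IAM module
        return iam is not None and iam.authenticate(account)

def build_demo():
    # Constructed deployment: two old pools, one new pool whose friendly group resolves to {alice}.
    g = GlobalIAM({"alice": "pw-a", "bob": "pw-b"}, {"new-pool-1": {"alice", "ghost"}})
    g.distribute_friendly_groups()
    return Portal(g, ["old-pool-1", "old-pool-2"])
```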
The steps of the method or algorithm described in connection with the disclosure of the invention may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), a register, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may also exist as discrete components in the core network interface device.
Those skilled in the art should be aware that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific embodiments described above further describe in detail the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the foregoing is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement, or the like made on the basis of the technical solution of the present invention shall fall within the protection scope of the present invention.