CN106899543B - Content access control method and related equipment - Google Patents


Publication number
CN106899543B
Authority
CN
China
Prior art keywords
terminal
content
access control
related information
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510954617.1A
Other languages
Chinese (zh)
Other versions
CN106899543A (en)
Inventor
侯云静
徐晖
王胡成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Telecommunications Technology CATT
Datang Mobile Communications Equipment Co Ltd
Original Assignee
China Academy of Telecommunications Technology CATT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Academy of Telecommunications Technology CATT
Priority to CN201510954617.1A
Priority to PCT/CN2016/105775 (WO2017101627A1)
Publication of CN106899543A
Application granted
Publication of CN106899543B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0245 Filtering by information in the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Abstract

The invention discloses a content access control method and related equipment, which are used to apply differentiated control to the content that different users of the same terminal request to access. The method comprises the following steps: a content interception entity acquires a data packet of the access user currently using the terminal; the content interception entity determines, according to the content access control policy corresponding to the access user currently using the terminal, whether to intercept the data packet; if not, the data packet is sent to the next-hop device; otherwise, the data packet is intercepted.

Description

Content access control method and related equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a content access control method and a related device.
Background
At present, mobile communication networks support a deep packet inspection mechanism, through which the applications a user is currently using can be detected. The specific architecture of deep packet inspection is shown in fig. 1.
A Policy and Charging Rules Function (PCRF) entity formulates an application detection control policy and sends it to a Traffic Detection Function (TDF) entity. The application detection control policy includes information such as an application identifier, a service data filter list, a priority, and the operation to perform on the traffic, for example applying uplink and downlink rate limits. The application identifier and the service data filter list are used to identify a specific application or traffic.
When the TDF detects traffic matching the application identifier or the traffic data flow filter list in the policy, the TDF processes the traffic according to the operations included in the policy.
With the development of mobile communication networks, more and more children use their parents' smartphones to access the internet. At present, however, the network side cannot tell whether the user of a smartphone is a child, and so cannot apply fine-grained network content control to different users.
In view of this, a method is needed that can apply differentiated control to the web content that different users of the same terminal request to access.
Disclosure of Invention
The embodiments of the invention provide a content access control method and related equipment, which are used to apply differentiated control to the content that different users of the same terminal request to access.
The embodiments of the invention provide the following specific technical solutions:
An embodiment of the invention provides a content access control method, which comprises the following steps:
a content interception entity acquires a data packet of the access user currently using the terminal;
the content interception entity determines, according to the content access control policy corresponding to the access user currently using the terminal, whether to intercept the data packet; if not, the data packet is sent to the next-hop device; otherwise, the data packet is intercepted.
In a possible embodiment, before the content interception entity acquires the data packet of the access user currently using the terminal, the method further includes:
the content interception entity acquires content access control related information, configured by the terminal, corresponding to each of more than two access users of the terminal, and acquires the content access control policies corresponding to the more than two access users according to that information;
and/or,
the content interception entity acquires content access control policies, configured by a policy control entity, corresponding to each of more than two access users of the terminal.
In a possible embodiment, before the content interception entity acquires the data packet of the access user currently using the terminal, the method further includes:
the content interception entity acquires the content access control policy, configured by the policy control entity, of the access user currently using the terminal.
In a possible implementation manner, the determining, by the content interception entity, whether to intercept the data packet according to the content access control policy corresponding to the access user currently using the terminal includes:
the content interception entity acquires a notification message sent by the terminal, wherein the notification message carries the identity of the access user currently using the terminal, and determines the content access control policy corresponding to that user according to the identity; or,
the content interception entity acquires a notification message sent by an identity management server, wherein the notification message carries the identity of the access user currently using the terminal, and determines the content access control policy corresponding to that user according to the identity.
In the embodiments of the invention, the content interception entity intercepts data packets according to the content access control policy corresponding to the user currently using the terminal, so that content access control follows the policy of the terminal's current user.
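A minimal model of the content interception entity described above, added here as an illustration and not taken from the patent: policies are stored per (terminal, access user) and the notification message selects which one applies to the terminal's traffic. The `Policy` fields, the category label on each packet, and the fail-closed fallback used when no user or policy is known are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

FORWARD, INTERCEPT = "forward", "intercept"


@dataclass(frozen=True)
class Policy:
    """Content access control policy for one access user (fields are assumed)."""
    blocked_categories: FrozenSet[str] = frozenset()
    block_all: bool = False

    def blocks(self, category: str) -> bool:
        return self.block_all or category in self.blocked_categories


@dataclass(frozen=True)
class Packet:
    terminal_id: str
    category: str  # assumed to be produced by an upstream classification step


class ContentInterceptionEntity:
    def __init__(self, fallback: Policy = Policy(block_all=True)) -> None:
        # (terminal, access user) -> policy; filled by the terminal or by the
        # policy control entity before traffic is evaluated.
        self._policies: Dict[Tuple[str, str], Policy] = {}
        # terminal -> identity carried by the latest notification message.
        self._current_user: Dict[str, str] = {}
        # Assumption of this example: with no known user or policy, fail closed.
        self._fallback = fallback

    def configure_policy(self, terminal_id: str, user_id: str, policy: Policy) -> None:
        self._policies[(terminal_id, user_id)] = policy

    def notify_current_user(self, terminal_id: str, user_id: str) -> None:
        """Notification message from the terminal or the identity management server."""
        self._current_user[terminal_id] = user_id

    def active_policy(self, terminal_id: str) -> Policy:
        user_id = self._current_user.get(terminal_id)
        if user_id is None:
            return self._fallback
        return self._policies.get((terminal_id, user_id), self._fallback)

    def handle_packet(self, packet: Packet) -> str:
        if self.active_policy(packet.terminal_id).blocks(packet.category):
            return INTERCEPT
        return FORWARD  # in the patent's terms: send to the next-hop device


def demo() -> List[str]:
    """Run constructed sample traffic for one shared terminal, "ue-1"."""
    cie = ContentInterceptionEntity()
    # Policies for two access users of the same terminal (constructed data).
    cie.configure_policy("ue-1", "parent", Policy())
    cie.configure_policy("ue-1", "child", Policy(frozenset({"gambling", "adult"})))

    gambling = Packet("ue-1", "gambling")
    results = [cie.handle_packet(gambling)]        # no notification received yet
    cie.notify_current_user("ue-1", "child")
    results.append(cie.handle_packet(gambling))    # child's policy applies
    results.append(cie.handle_packet(Packet("ue-1", "education")))
    cie.notify_current_user("ue-1", "parent")
    results.append(cie.handle_packet(gambling))    # same terminal, parent's policy
    cie.notify_current_user("ue-1", "guest")       # identity with no policy
    results.append(cie.handle_packet(gambling))
    return results


if __name__ == "__main__":
    print(demo())
```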
The embodiment of the invention also provides a content access control method, which comprises the following steps:
the identity management server acquires content access control related information of an access user of the terminal;
the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user, the determined content access control policy is sent to a content interception entity, and the content interception entity intercepts a data packet according to the received content access control policy.
In a possible embodiment, the sending, by the identity management server, content access control related information of the access user to a policy control entity includes:
the identity management server sends content access control related information corresponding to an access user currently using the terminal to a policy control entity;
or,
and the identity management server sends content access control related information corresponding to more than two access users of the terminal to a policy control entity.
In a possible implementation manner, the acquiring, by the identity management server, content access control related information of an access user of the terminal includes:
the identity management server acquires content access control related information, configured by the terminal, corresponding to at least one access user of the terminal; and/or,
the identity management server acquires content access control related information, sent by a third-party system, corresponding to at least one access user of the terminal.
In a possible implementation manner, before the identity management server sends, to a policy control entity, content access control related information corresponding to an access user currently using the terminal, the method further includes:
and the identity management server receives a notification message sent by the terminal, wherein the notification message carries the identity of the access user currently using the terminal, and determines the content access control related information corresponding to the access user currently using the terminal according to the identity.
In the embodiment of the invention, the identity management server sends the content access control related information of the access user of the terminal to the policy control entity so as to determine the content access control policy of the access user, and the content interception entity carries out content access control according to the content access control policy corresponding to the access user, thereby realizing the control of the content requested to be accessed by the access user using the terminal.
The embodiment of the invention also provides a content access control method, which comprises the following steps:
the terminal determines the current access user using the terminal;
and the terminal informs a content interception entity to intercept the data packet according to the content access control strategy corresponding to the access user currently using the terminal.
In a possible embodiment, the method further comprises:
the terminal acquires content access control related information of an access user;
and the terminal configures a content interception entity according to the content access control related information of the access user, and the content interception entity acquires a content access control strategy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
In a possible implementation manner, the configuring, by the terminal, a content interception entity according to the content access control related information of the access user includes:
the terminal directly sends the content access control related information of the access user to the content interception entity;
or,
the terminal sends the content access control related information of the access user to an identity management server, the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and the determined content access control policy is sent to the content interception entity.
In a possible implementation manner, the notifying, by the terminal, a content interception entity to intercept the data packet according to the content access control policy corresponding to the access user currently using the terminal includes:
the terminal sends a notification message to the content interception entity, the notification message carries the identity of the current access user using the terminal, the content interception entity obtains the content access control strategy corresponding to the current access user using the terminal according to the notification message, and intercepts a data packet according to the content access control strategy corresponding to the current access user using the terminal.
In a possible embodiment, the method further comprises:
the terminal sends a notification message to the identity management server, the notification message carries the identity of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
In the embodiment of the invention, the terminal informs the content interception entity to intercept the data packet according to the content access control strategy corresponding to the access user currently using the terminal, thereby realizing the control of the content requested to be accessed by the access user currently using the terminal.
An embodiment of the present invention further provides a content access control system, including:
the terminal is used for determining the current access user using the terminal and informing a content interception entity to intercept a data packet according to a content access control strategy corresponding to the current access user using the terminal;
and the content interception entity is used for acquiring the data packet of the access user currently using the terminal, judging whether to intercept the data packet according to a content access control strategy corresponding to the access user currently using the terminal, and if not, sending the data packet to next-hop equipment, otherwise, intercepting the data packet.
In a possible embodiment, the terminal is further configured to:
acquiring content access control related information of an access user, and configuring a content interception entity according to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal;
the content interception entity is further configured to:
and acquiring a content access control strategy corresponding to the content access control related information of the access user.
In a possible implementation manner, the system further comprises an identity management server and a policy control entity;
the terminal is specifically configured to:
sending the content access control related information of the access user to the identity management server;
the identity management server is configured to:
receiving the content access control related information of the access user sent by the terminal, and sending the content access control related information of the access user to the policy control entity;
the policy control entity is configured to:
and determining a corresponding content access control strategy according to the content access control related information of the access user sent by the identity management server, and sending the determined content access control strategy to the content interception entity.
An embodiment of the present invention further provides a content interception entity, including:
the acquisition module is used for acquiring a data packet of an access user of the current use terminal;
and the interception module is used for judging whether to intercept the data packet according to a content access control strategy corresponding to the access user of the current use terminal, if not, sending the data packet to next hop equipment, otherwise, intercepting the data packet.
In a possible embodiment, the obtaining module is further configured to:
before acquiring a data packet of an accessing user of a currently used terminal,
acquiring content access control related information which is configured by the terminal and corresponds to more than two access users of the terminal respectively, and acquiring content access control strategies which correspond to the more than two access users respectively according to the content access control related information which corresponds to the more than two access users respectively;
and/or,
and acquiring content access control strategies corresponding to more than two access users of the terminal configured by a strategy control entity.
In a possible embodiment, the obtaining module is further configured to:
before acquiring a data packet of an access user of a current use terminal, acquiring a content access control strategy of the access user of the current use terminal, which is configured by a strategy control entity.
In a possible embodiment, the intercepting module is specifically configured to:
acquiring a notification message sent by the terminal, wherein the notification message carries the identity of the access user currently using the terminal, and determining the content access control policy corresponding to that user according to the identity; or,
acquiring a notification message sent by an identity management server, wherein the notification message carries the identity of the access user currently using the terminal, and determining the content access control policy corresponding to that user according to the identity.
An embodiment of the present invention further provides an identity management server, including:
the acquisition module is used for acquiring content access control related information of an access user of the terminal;
a sending module, configured to send content access control related information of the access user to a policy control entity, where the policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user, sends the determined content access control policy to a content interception entity, and the content interception entity intercepts a data packet according to the received content access control policy.
In a possible implementation, the sending module is specifically configured to:
sending content access control related information corresponding to an access user currently using the terminal to a policy control entity;
or,
and sending content access control related information corresponding to more than two access users of the terminal to a policy control entity.
In a possible implementation manner, the obtaining module is specifically configured to:
acquiring content access control related information, configured by the terminal, corresponding to at least one access user of the terminal; and/or,
acquiring content access control related information, sent by a third-party system, corresponding to at least one access user of the terminal.
In a possible embodiment, the system further includes a receiving module, configured to:
before the sending module sends the content access control related information corresponding to the access user currently using the terminal to a policy control entity, receiving a notification message sent by the terminal, wherein the notification message carries an identity of the access user currently using the terminal, and determining the content access control related information corresponding to the access user currently using the terminal according to the identity.
An embodiment of the present invention further provides a terminal, including:
the determining module is used for determining the current access user using the terminal;
and the notification module is used for notifying a content interception entity to intercept the data packet according to the content access control strategy corresponding to the access user currently using the terminal.
In a possible implementation manner, the system further comprises an obtaining module, configured to obtain content access control related information of an access user;
and the configuration module is used for configuring a content interception entity according to the content access control related information of the access user, and the content interception entity acquires a content access control strategy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
In a possible embodiment, the configuration module is specifically configured to:
directly sending the content access control related information of the access user to the content interception entity;
or,
sending the content access control related information of the access user to an identity management server, wherein the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
In a possible implementation, the notification module is specifically configured to:
and sending a notification message to the content interception entity, wherein the notification message carries the identity of the access user currently using the terminal, and the content interception entity acquires a content access control strategy corresponding to the access user currently using the terminal according to the notification message and intercepts a data packet according to the content access control strategy corresponding to the access user currently using the terminal.
In a possible embodiment, the notification module is further configured to:
sending a notification message to the identity management server, where the notification message carries an identity identifier of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
The embodiment of the present invention provides another content interception entity, which mainly includes a processor, a memory and a transceiver, wherein the transceiver is used for receiving and sending data under the control of the processor, the memory stores a preset program, the processor is used for reading the program stored in the memory, and the following processes are executed according to the program:
acquiring a data packet of an access user of a current use terminal through a transceiver;
and judging whether to intercept the data packet according to a content access control strategy corresponding to the access user of the current use terminal, if not, sending the data packet to next hop equipment through a transceiver, otherwise, intercepting the data packet.
In a possible implementation manner, before the processor acquires a data packet of an access user of a currently used terminal through the transceiver, the processor acquires content access control related information corresponding to each of two or more access users of the terminal configured by the terminal through the transceiver, and acquires content access control policies corresponding to the two or more access users according to the content access control related information corresponding to each of the two or more access users;
and/or,
and acquiring content access control strategies corresponding to more than two access users of the terminal configured by a strategy control entity through a transceiver.
In a possible embodiment, before the processor obtains the data packet of the access user of the currently used terminal through the transceiver, the processor obtains the content access control policy of the access user of the currently used terminal, configured by the policy control entity, through the transceiver.
In a possible implementation manner, the processor acquires, through the transceiver, a notification message sent by the terminal, wherein the notification message carries the identity of the access user currently using the terminal, and determines the content access control policy corresponding to that user according to the identity; or,
acquires, through the transceiver, a notification message sent by an identity management server, wherein the notification message carries the identity of the access user currently using the terminal, and determines the content access control policy corresponding to that user according to the identity.
The embodiment of the invention also provides another identity management server which mainly comprises a processor, a memory and a transceiver, wherein the transceiver is used for receiving and sending data under the control of the processor, the memory stores a preset program, the processor is used for reading the program stored in the memory, and the following processes are executed according to the program:
acquiring content access control related information of an access user of a terminal through a transceiver;
the method comprises the steps of sending content access control related information of an access user to a policy control entity through a transceiver, determining a corresponding content access control policy by the policy control entity according to the received content access control related information of the access user, sending the determined content access control policy to a content interception entity, and intercepting a data packet by the content interception entity according to the received content access control policy.
In a possible implementation manner, the processor sends content access control related information corresponding to an access user currently using the terminal to a policy control entity through the transceiver;
or,
the processor sends content access control related information corresponding to more than two access users of the terminal to the policy control entity through the transceiver.
In a possible implementation manner, the processor acquires, through the transceiver, content access control related information, configured by the terminal, corresponding to at least one access user of the terminal; and/or,
acquires, through the transceiver, content access control related information, sent by a third-party system, corresponding to at least one access user of the terminal.
In a possible implementation manner, the processor receives a notification message sent by the terminal through the transceiver, where the notification message carries an identity of the access user currently using the terminal, and determines, according to the identity, content access control related information corresponding to the access user currently using the terminal.
The embodiment of the invention also provides another terminal, which mainly comprises a processor, a memory and a transceiver, wherein the transceiver is used for receiving and sending data under the control of the processor, the memory stores preset programs, the processor is used for reading the programs stored in the memory, and the following processes are executed according to the programs:
determining an access user currently using the terminal;
notifying, through the transceiver, a content interception entity to intercept data packets according to the content access control policy corresponding to the access user currently using the terminal.
In a possible implementation manner, the processor acquires content access control related information of an access user through the transceiver;
and configures a content interception entity according to the content access control related information of the access user, the content interception entity acquiring a content access control policy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
In a possible implementation manner, the processor directly transmits the content access control related information of the access user to the content interception entity through the transceiver;
or,
and the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
In a possible implementation manner, the processor sends a notification message to the content interception entity through the transceiver, where the notification message carries an identity of the access user currently using the terminal, and the content interception entity obtains a content access control policy corresponding to the access user currently using the terminal according to the notification message and intercepts a data packet according to the content access control policy corresponding to the access user currently using the terminal.
In a possible implementation manner, the processor sends a notification message to the identity management server through the transceiver, where the notification message carries an identity of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
Drawings
FIG. 1 is a block diagram of an embodiment of deep packet inspection;
FIG. 2 is a flowchart illustrating a method for controlling content access by a content interception entity according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for controlling content access by an identity management server according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for controlling content access by a terminal according to a third embodiment of the present invention;
FIG. 5 is a diagram illustrating a content access control system according to a fourth embodiment of the present invention;
FIG. 6 is a diagram illustrating another architecture of a content access control system according to a fourth embodiment of the present invention;
FIG. 7 is a diagram illustrating a fifth embodiment of a content interception entity according to the present invention;
FIG. 8 is a schematic structural diagram of an identity management server according to a sixth embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a terminal according to a seventh embodiment of the present invention;
FIG. 10 is a diagram illustrating an architecture of a content interception entity according to an eighth embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an identity management server according to a ninth embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a terminal according to a tenth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the following embodiments, the content interception entity may be deployed on the TDF or the PGW, or may be deployed as a service function in the (S)Gi-LAN (Local Area Network), where (S)Gi is the name of the interface between the PGW and the service network.
In the following embodiments, the policy control entity may be a PCRF entity.
As shown in fig. 2, in the first embodiment of the present invention, a detailed method flow for a content interception entity to perform content access control is as follows:
Step 201: The content interception entity acquires a data packet of the access user currently using the terminal.
In implementation, before acquiring a data packet of the access user currently using the terminal, the content interception entity needs to acquire the content access control policy corresponding to that access user. It may do so in either of the two manners listed below, or in a combination of them:
Firstly, the content interception entity obtains content access control related information that is configured by the terminal and corresponds to more than two access users of the terminal, and obtains, according to that information, the content access control policies corresponding to each of the more than two access users, wherein the more than two access users include the access user currently using the terminal.
Secondly, the content interception entity obtains content access control policies that are configured by the policy control entity and correspond to more than two access users of the terminal, wherein the more than two access users include the access user currently using the terminal.
Combining the two acquisition manners means that the content interception entity can combine the content access control policies that the terminal and the policy control entity have each configured for the same access user of the terminal.
Corresponding to any one or combination of the above two manners of acquiring the content access control policy, the content access control entity needs to select the content access control policy corresponding to the user currently using the terminal from the stored content access control policies of the multiple users of the terminal.
In implementation, the content interception entity determines the content access control policy corresponding to the access user currently using the terminal in ways including, but not limited to, the following two implementation manners:
Firstly, the content interception entity acquires a notification message sent by the terminal, where the notification message carries an identity of the access user currently using the terminal, and determines, according to the identity, the content access control policy corresponding to the user currently using the terminal;
Secondly, the content interception entity obtains a notification message sent by the identity management server, where the notification message carries the identity of the access user currently using the terminal, and determines, according to the identity, the content access control policy corresponding to the user using the terminal.
Specifically, the identity is a password and/or a user name used by the access user to log in to the terminal.
In a specific application, a user installs content control software on the terminal and, through a human-computer interaction interface provided by the content control software, sets multiple user names and/or passwords used to log in to the terminal. The terminal requires a user to input a set user name and/or password when unlocking the screen, and sends a notification message each time the screen is unlocked, where the notification message carries the user name and/or password obtained during screen unlocking. Optionally, when the user sets a user name and/or password used to log in to the terminal through the content control software, the content access control related information corresponding to that user name and/or password may also be set.
Specifically, the terminal acquires a user name, a password and content access control related information set for an access user using the terminal through installed content control software, sends a message to the identity management server (or a content interception entity) after acquiring a submission instruction, wherein the message carries a corresponding relationship between each set user name, password and content access control related information, and the identity management server (or the content interception entity) stores the corresponding relationship.
In implementation, the content interception entity may obtain the content access control policy, configured by the policy control entity, of the access user currently using the terminal. In this case the content interception entity stores only the content access control policy of the access user currently using the terminal, does not need to know which user that is, and can intercept directly according to the stored content access control policy.
Step 202: The content interception entity judges, according to the content access control policy corresponding to the access user currently using the terminal, whether to intercept the data packet; if not, it sends the data packet to the next-hop device; otherwise, it intercepts the data packet.
The content access control policy defines either the content that the access user can access or the content that the access user cannot access. For example, the content access control policy corresponding to the child user of a mobile phone specifies that the child user cannot access video, or that the child can only access the military website.
Specifically, according to different application scenarios, the next-hop device may be a router or a device deployed by an operator and running a value-added service.
In the first embodiment, the content interception entity intercepts data packets according to the content access control policy corresponding to the access user currently using the terminal, so that content access control is performed using the content access control policy of the access user currently using the terminal.
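The first embodiment can be modelled as follows; this is an added illustration, not code from the patent. It assumes packets are already classified into content categories, that policies combined from the terminal and the policy control entity are merged so that content passes only if both permit it, and that packets are intercepted when no known user has been notified. The class, method and category names are hypothetical.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Policy:
    """Defines either content a user may access ("allow") or may not access ("deny")."""
    mode: str                    # "allow" or "deny"
    categories: FrozenSet[str]   # content categories (assumed output of packet inspection)

    def permits(self, category: str) -> bool:
        listed = category in self.categories
        return listed if self.mode == "allow" else not listed


def merge(a: Policy, b: Policy) -> Policy:
    """Combine two policies for one user (assumption: content passes only if both permit it)."""
    if a.mode == b.mode == "deny":
        return Policy("deny", a.categories | b.categories)
    if a.mode == b.mode == "allow":
        return Policy("allow", a.categories & b.categories)
    allow, deny = (a, b) if a.mode == "allow" else (b, a)
    return Policy("allow", allow.categories - deny.categories)


class ContentInterceptionEntity:
    def __init__(self) -> None:
        # terminal -> user -> configuring source -> policy
        self._policies: Dict[str, Dict[str, Dict[str, Policy]]] = {}
        # terminal -> identity carried by the last accepted notification message
        self._current: Dict[str, str] = {}

    def configure(self, terminal: str, user: str, source: str, policy: Policy) -> None:
        """Store or update what one source (terminal or policy control entity) configured."""
        self._policies.setdefault(terminal, {}).setdefault(user, {})[source] = policy

    def effective_policy(self, terminal: str, user: str) -> Optional[Policy]:
        by_source = self._policies.get(terminal, {}).get(user)
        return reduce(merge, by_source.values()) if by_source else None

    def notify_current_user(self, terminal: str, user: str) -> bool:
        """Handle the notification message naming the user currently using the terminal."""
        if self.effective_policy(terminal, user) is None:
            # Unknown identity: drop the previous selection rather than keep applying
            # the previous user's policy to someone else's traffic.
            self._current.pop(terminal, None)
            return False
        self._current[terminal] = user
        return True

    def handle_packet(self, terminal: str, category: str) -> str:
        """Step 202: forward to the next hop or intercept."""
        user = self._current.get(terminal)
        policy = self.effective_policy(terminal, user) if user else None
        if policy is None:
            return "intercept"   # assumption: fail closed when no policy is selected
        return "forward" if policy.permits(category) else "intercept"


def demo() -> Dict[str, str]:
    """Constructed scenario: one phone shared by a parent and a child."""
    cie = ContentInterceptionEntity()
    t = "phone-1"   # constructed terminal identifier
    out = {"before_notification": cie.handle_packet(t, "news")}
    cie.configure(t, "parent", "terminal", Policy("deny", frozenset()))
    cie.configure(t, "child", "terminal", Policy("deny", frozenset({"video"})))
    cie.configure(t, "child", "policy_control_entity",
                  Policy("allow", frozenset({"news", "video"})))
    cie.notify_current_user(t, "child")
    out["child_video"] = cie.handle_packet(t, "video")
    out["child_news"] = cie.handle_packet(t, "news")
    out["child_games"] = cie.handle_packet(t, "games")
    cie.notify_current_user(t, "parent")        # user switch after screen unlock
    out["parent_video"] = cie.handle_packet(t, "video")
    out["guest_accepted"] = str(cie.notify_current_user(t, "guest"))
    out["guest_news"] = cie.handle_packet(t, "news")
    return out


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key}: {decision}")
```

The notification message here carries only a user name; the patent also allows a password as the identity, which the example deliberately does not transmit.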
As shown in fig. 3, in a second embodiment of the present invention, a detailed method flow for performing content access control by an identity management server is as follows:
Step 301: The identity management server obtains content access control related information of an access user of the terminal.
In implementation, the identity management server obtains the content access control related information of the access user of the terminal, and any one or a combination of the following two implementation manners may be adopted:
Firstly, the identity management server acquires content access control related information that is configured by the terminal and corresponds to at least one access user of the terminal;
Secondly, the identity management server obtains content access control related information that is sent by a third-party system and corresponds to at least one access user of the terminal.
For example, the third-party system may be a banking system or an operator's billing system. When the credit rating of the access user at the bank decreases, the banking server actively provides the credit rating of the access user to the identity management server, the identity management server sends the credit rating to the policy control entity, and the policy control entity formulates, according to the credit rating, a content access control policy that can prohibit the access user from accessing content that does not match the credit rating. When the operator's charging system finds that an access user is in arrears, it actively provides the arrears information of the access user to the identity management server, the identity management server sends the arrears information to the policy control entity, and the policy control entity formulates, according to the arrears information, a content access control policy specifying the content that the access user is prohibited from accessing while in arrears.
Step 302: The identity management server sends the content access control related information of the access user to a policy control entity.
The policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user, sends the determined content access control policy to the content interception entity, and the content interception entity intercepts the data packet according to the received content access control policy.
In implementation, the identity management server sends content access control related information of the access user to the policy control entity, including but not limited to the following two implementation manners:
Firstly, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity.
In implementation, the policy control entity determines a content access control policy according to the content access control related information of the access user currently using the terminal and sends that policy to the content interception entity, and the content interception entity intercepts data packets according to the content access control policy of the access user currently using the terminal.
In the first implementation manner, the identity management server needs to determine the access user currently using the terminal, and specifically, the identity management server receives a notification message sent by the terminal, where the notification message carries an identity of the access user currently using the terminal.
In the first implementation manner, the identity management server determines, according to the identity carried in the notification message, the content access control related information corresponding to the access user currently using the terminal and sends it to the policy control entity; the policy control entity determines the content access control policy corresponding to the received content access control related information and sends the content access control policy to the content interception entity; and the content interception entity intercepts data packets according to the content access control policy. In this embodiment, the content interception entity stores only the content access control policy corresponding to the access user currently using the terminal, does not need to know which access user is currently using the terminal, and intercepts data packets directly according to the stored content access control policy.
In the first implementation manner, the identity management server obtains a notification message sent each time the terminal switches access users, and the notification message carries the identity of the access user currently using the terminal. The identity management server determines the access user currently using the terminal according to the notification message and sends the content access control related information of that access user to the policy control entity.
In the first implementation manner, after acquiring the updated content access control related information of any access user of the terminal, the identity management server updates the locally stored content access control related information of the access user.
Secondly, the identity management server sends content access control related information corresponding to more than two access users of the terminal to the policy control entity.
In the second implementation manner, the identity management server needs to determine the access user currently using the terminal, and specifically, the identity management server receives a notification message sent by the terminal, where the notification message carries an identity of the access user currently using the terminal.
In the second implementation manner, the identity management server notifies the content interception entity to select, according to the identity, the content access control policy corresponding to the access user currently using the terminal from the stored content access control policies corresponding to the respective users of the terminal, and to intercept data packets according to that policy.
In the second implementation manner, the identity management server obtains a notification message sent after the terminal switches the access user each time, where the notification message carries an identity of the access user currently using the terminal.
In the second implementation manner, after acquiring updated content access control related information of any access user of the terminal, the identity management server updates the locally stored content access control related information of the access user and sends the updated content access control related information of the access user to the policy control entity; the policy control entity determines the content access control policy corresponding to the updated content access control related information of the access user and sends the updated content access control policy of the access user to the content interception entity.
In the above two implementation manners, the identity management server may actively send the content access control related information of the access user of the terminal to the policy control entity, or may send the content access control related information of the access user of the terminal to the policy control entity under the request of the policy control entity.
In the second embodiment of the present invention, the identity management server sends the content access control related information of the access user of the terminal to the policy control entity to determine the content access control policy corresponding to the access user, and the content interception entity performs content access control according to the content access control policy corresponding to the access user, thereby implementing content access control for the access user using the terminal.
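The two implementation manners of the second embodiment differ in what state reaches the content interception entity and when an update takes effect. The sketch below is an added illustration, not code from the patent; it assumes the content access control related information is a list of blocked categories that the policy control entity turns directly into a policy, and all class, method and mode names are hypothetical.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

PolicyT = FrozenSet[str]   # assumption: a policy is the set of blocked content categories


class ContentInterceptionEntity:
    """Holds only the state each manner hands it; packet matching is out of scope here."""
    def __init__(self) -> None:
        self.single: Dict[str, PolicyT] = {}                # manner 1: terminal -> policy
        self.per_user: Dict[str, Dict[str, PolicyT]] = {}   # manner 2: terminal -> user -> policy
        self.selected: Dict[str, str] = {}                  # manner 2: terminal -> current user

    def active_policy(self, terminal: str) -> Optional[PolicyT]:
        if terminal in self.single:
            return self.single[terminal]
        user = self.selected.get(terminal)
        return self.per_user.get(terminal, {}).get(user) if user else None


class PolicyControlEntity:
    def __init__(self, cie: ContentInterceptionEntity) -> None:
        self.cie = cie

    @staticmethod
    def derive(info: Iterable[str]) -> PolicyT:
        return frozenset(info)   # assumption: related information maps 1:1 to the policy

    def current_user_info(self, terminal: str, info: Iterable[str]) -> None:
        self.cie.single[terminal] = self.derive(info)        # replaces the previous user's policy

    def user_info(self, terminal: str, user: str, info: Iterable[str]) -> None:
        self.cie.per_user.setdefault(terminal, {})[user] = self.derive(info)


class IdentityManagementServer:
    def __init__(self, pce: PolicyControlEntity, cie: ContentInterceptionEntity, mode: str) -> None:
        if mode not in ("current_only", "all_users"):
            raise ValueError(mode)
        self.pce, self.cie, self.mode = pce, cie, mode
        self.store: Dict[Tuple[str, str], List[str]] = {}    # (terminal, user) -> related info

    def set_info(self, terminal: str, user: str, info: Iterable[str]) -> None:
        """New or updated related information from the terminal or a third-party system."""
        self.store[(terminal, user)] = list(info)
        if self.mode == "all_users":
            self.pce.user_info(terminal, user, self.store[(terminal, user)])
        # current_only: only the local update is modelled, as the text describes

    def on_notification(self, terminal: str, user: str) -> bool:
        """Notification message carrying the identity of the current user."""
        info = self.store.get((terminal, user))
        if info is None:
            return False
        if self.mode == "current_only":
            self.pce.current_user_info(terminal, info)
        else:
            self.cie.selected[terminal] = user
        return True


def run_mode(mode: str) -> dict:
    """Constructed scenario: the child's restrictions are tightened while the child is logged in."""
    cie = ContentInterceptionEntity()
    idm = IdentityManagementServer(PolicyControlEntity(cie), cie, mode)
    t = "phone-1"   # constructed terminal identifier
    idm.set_info(t, "parent", [])
    idm.set_info(t, "child", ["games"])
    idm.on_notification(t, "child")
    seen = {"after_child_login": cie.active_policy(t)}
    idm.set_info(t, "child", ["games", "video"])
    seen["after_update"] = cie.active_policy(t)
    idm.on_notification(t, "child")
    seen["after_renotify"] = cie.active_policy(t)
    idm.on_notification(t, "parent")
    seen["after_parent_login"] = cie.active_policy(t)
    seen["users_known_to_cie"] = sorted(cie.per_user.get(t, {}))
    return seen


if __name__ == "__main__":
    for mode in ("current_only", "all_users"):
        print(mode, run_mode(mode))
```

In the `current_only` run the interception entity never learns any user identity, but the tightened restriction reaches it only with the next notification; in the `all_users` run the update applies at once and the interception entity holds every user's policy.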
As shown in fig. 4, in a third embodiment of the present invention, a detailed method flow for a terminal to perform content access control is as follows:
Step 401: The terminal determines the access user currently using the terminal.
Step 402: The terminal notifies a content interception entity to intercept data packets according to the content access control policy corresponding to the access user currently using the terminal.
In implementation, the terminal acquires the content access control related information of the access user and configures the content interception entity according to that information, and the content interception entity acquires a content access control policy corresponding to the content access control related information of the access user.
The access user is the access user currently using the terminal, or more than two access users of the terminal.
Specifically, the terminal acquires content access control related information which is input by a privileged user of the terminal and corresponds to other one or more access users through a human-computer interaction interface (such as client software); or the terminal acquires the content access control related information corresponding to at least one access user according to the subscription information provided by the operator network.
In the first embodiment, the terminal directly sends content access control related information of an access user to the content interception entity, and the content interception entity obtains the content access control policy corresponding to the access user according to the content access control related information of the access user;
Specifically, the content interception entity uses the content access control related information corresponding to the access user as the content access control policy corresponding to the access user and, after determining the access user currently using the terminal, intercepts data packets according to the content access control policy corresponding to that access user.
In the first embodiment, the terminal needs to send a notification message to the content interception entity, where the notification message carries an identity of the access user currently using the terminal, and the content interception entity obtains the content access control policy corresponding to the access user currently using the terminal according to the notification message and intercepts data packets according to that policy. Or, the terminal sends a notification message to the identity management server, where the notification message carries the identity of the access user currently using the terminal, and the identity management server notifies the content interception entity, according to the notification message, to select the content access control policy corresponding to the access user currently using the terminal.
In implementation, when determining that the content access control related information of any access user of the terminal is updated, the terminal sends the updated content access control related information to the content interception entity.
In the second embodiment, the terminal sends the content access control related information of the access user to the identity management server, and the identity management server sends the content access control related information of the access user to the policy control entity; and the policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
In the second embodiment, the terminal needs to send a notification message to the content interception entity, where the notification message carries the identity of the access user currently using the terminal, and the content interception entity obtains the content access control policy corresponding to the access user currently using the terminal according to the notification message and intercepts data packets according to that policy.
Or,
the terminal sends a notification message to the identity management server, where the notification message carries an identity of the access user currently using the terminal; the identity management server sends, according to the notification message, content access control related information corresponding to the access user currently using the terminal to the policy control entity; and the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal and sends the content access control policy corresponding to that access user to the content interception entity.
In the second embodiment, the identity management server stores content access control related information corresponding to each of a plurality of access users of the terminal.
In a first implementation manner, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity. The policy control entity determines a content access control policy according to the received content access control related information, and sends the determined content access control policy to the content interception entity. The content interception entity intercepts data packets according to the received content access control policy.
In this specific implementation, before the identity management server sends the content access control related information corresponding to the access user currently using the terminal to the policy control entity, a notification message is sent to the identity management server, where the notification message carries the identity of the access user currently using the terminal. The identity management server determines, according to the notification message, the content access control related information corresponding to the access user currently using the terminal.
In a second implementation manner, the identity management server sends content access control related information corresponding to each of the multiple access users to the policy control entity. The policy control entity determines the content access control policy corresponding to each access user according to the received content access control related information of each access user, and sends the determined content access control policies to the content interception entity. The content interception entity intercepts data packets according to the received content access control policies.
In this specific implementation, the terminal sends a notification message to the identity management server, where the notification message carries an identity of the access user currently using the terminal. The identity management server notifies the content interception entity to select the content access control policy corresponding to the access user currently using the terminal and to intercept data packets according to it.
As shown in fig. 5, in a fourth embodiment of the present invention, a content access control system includes a terminal 501 and a content interception entity 502, specifically:
a terminal 501, configured to determine an access user currently using the terminal, and notify a content interception entity 502 to intercept a data packet according to a content access control policy corresponding to the access user currently using the terminal;
the content interception entity 502 is configured to obtain a data packet of an access user currently using a terminal, determine whether to intercept the data packet according to a content access control policy corresponding to the access user currently using the terminal, and send the data packet to next-hop equipment if the data packet is not intercepted, otherwise, intercept the data packet.
In implementation, the terminal is further configured to:
acquiring content access control related information of an access user, and configuring a content interception entity according to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal;
the content interception entity is further configured to:
acquiring a content access control policy corresponding to the content access control related information of the access user.
In a specific implementation, as shown in fig. 6, the content access control system further includes an identity management server 503 and a policy control entity 504, specifically:
the terminal 501 is specifically configured to:
sending the content access control related information of the access user to the identity management server;
the identity management server 503 is configured to:
receiving the content access control related information of the access user sent by the terminal, and sending the content access control related information of the access user to the policy control entity;
the policy control entity 504 is configured to:
determining a corresponding content access control policy according to the content access control related information of the access user sent by the identity management server, and sending the determined content access control policy to the content interception entity 502.
In the first embodiment, the identity management server 503 is configured to obtain content access control related information corresponding to at least one access user of the terminal, and send the content access control related information corresponding to the at least one access user of the terminal to the policy control entity 504;
a policy control entity 504, configured to receive content access control related information, sent by the identity management server 503, corresponding to at least one access user of the terminal, determine a content access control policy corresponding to the at least one access user of the terminal according to the content access control related information corresponding to the at least one access user of the terminal, and send the content access control policy corresponding to the at least one access user of the terminal to the content interception entity 502;
the content interception entity 502 is configured to receive a content access control policy corresponding to each of the at least one access user of the terminal sent by the policy control entity 504, and intercept a data packet according to the content access control policy corresponding to each of the at least one access user of the terminal.
In the implementation, the identity management server acquires content access control related information which is configured by the terminal and corresponds to at least one access user of the terminal; and/or acquiring content access control related information which is sent by a third-party system and corresponds to at least one access user of the terminal.
In implementation, the identity management server receives a notification message sent by the terminal, wherein the notification message carries the identity of the access user of the currently used terminal. Specifically, the identity management server notifies the content interception entity to select the content access control policy corresponding to the access user of the current user terminal according to the notification message, and intercepts the data packet according to the content access control policy corresponding to the access user of the current user terminal.
In a second specific embodiment, an identity management server obtains content access control related information corresponding to at least one access user of a terminal, determines an access user currently using the terminal, and sends the content access control related information corresponding to the access user currently using the terminal to a policy control entity;
the policy control entity receives content access control related information corresponding to an access user of a current use terminal sent by an identity management server, determines a content access control policy according to the content access control related information of the access user of the current use terminal, and sends the content access control policy of the access user of the current use terminal to a content interception entity;
and the content interception entity receives the content access control policy of the access user currently using the terminal, which is sent by the policy control entity, and intercepts the data packet according to the content access control policy.
In the implementation, the identity management server receives a notification message sent by the terminal, the notification message carries the identity of the access user of the currently used terminal, and the content access control related information corresponding to the access user of the currently used terminal is determined according to the identity.
The process of content access control is illustrated below by three specific examples.
First embodiment
A parent presets a child account on a mobile phone, and the child then unlocks the mobile phone by inputting the user name and password of the child account;
the mobile phone detects the login of the child account and sends the user name of the child account, together with the content access control related information set for the child account by the parent (for example, that game websites cannot be browsed), to the identity management server; if the child account is logged in for the first time, or the content access control related information set by the parent has changed, the mobile phone needs to send the latest content access control related information of the child account to the identity management server;
the identity management server sends a message to the policy control entity, wherein the message carries the identification of the mobile phone, the user name of the child account and the content access control related information corresponding to the child account;
the policy control entity formulates a content access control policy according to the content access control related information corresponding to the child account, and the content access control policy causes traffic related to games to be intercepted when the child account is logged in to the mobile phone;
the policy control entity sends the mobile phone identification, the child account and the content access control policy corresponding to the child account to the content interception entity;
and the content interception entity intercepts the traffic related to games according to the content access control policy when the child account is logged in to the mobile phone.
Second embodiment
The credit level of the subscriber of the mobile phone in the bank system is reduced, and the bank server sends the identification of the subscriber of the mobile phone and the credit level reduction information to the identity management server;
the identity management server sends a message to the policy control entity, wherein the message comprises the identification of the subscriber of the mobile phone and the credit level reduction information;
the policy control entity formulates a content access control policy of the subscriber according to the received message, so that the subscriber cannot use a specific application, such as a web browsing application, and sends the content access control policy to a content interception entity;
and the content interception entity intercepts the traffic related to the web browsing application according to the content access control policy when the subscriber account of the mobile phone is logged in to the mobile phone.
Third embodiment
The charging system finds that the user arrearage exceeds the preset amount, and sends a user identifier (such as IMSI) and arrearage information to the identity management server;
the identity management server sends a message to the policy control entity, wherein the message carries a user identifier and arrearage information;
the policy control entity formulates a content access control policy of the subscriber according to the received message, so that the subscriber cannot use a specific application, such as a web browsing application, and sends the content access control policy to a content interception entity;
and the content interception entity intercepts the traffic related to the web browsing application according to the content access control policy when the subscriber account of the mobile phone is logged in to the mobile phone.
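The flow common to the three embodiments can be sketched in code. The following Python model is an added illustration and is not part of the patent text; the class names, the traffic category labels, the `credit_downgraded` and `arrears_exceeded` keys, and the forward-by-default behaviour when no access user has been notified are assumptions made for the sketch.

```python
from dataclasses import dataclass

# Constructed traffic categories; the text names only game traffic and a
# web browsing application as examples.
GAME, WEB = "game", "web_browsing"


@dataclass(frozen=True)
class Packet:
    terminal_id: str
    category: str  # assumed to be classified before the policy check


class ContentInterceptionEntity:
    """Stores per-user policies and decides forward/intercept per packet."""

    def __init__(self):
        self.policies = {}      # (terminal_id, user) -> blocked categories
        self.current_user = {}  # terminal_id -> user named in last notification

    def configure(self, terminal_id, user, blocked):
        self.policies[(terminal_id, user)] = frozenset(blocked)

    def notify_current_user(self, terminal_id, user):
        # Notification message carrying the identity of the current access user.
        self.current_user[terminal_id] = user

    def handle(self, packet):
        user = self.current_user.get(packet.terminal_id)
        # Assumption: with no notification or no policy, the packet is forwarded.
        blocked = self.policies.get((packet.terminal_id, user), frozenset())
        return "intercept" if packet.category in blocked else "forward"


class PolicyControlEntity:
    """Turns content access control related information into a policy."""

    def __init__(self, interceptor):
        self.interceptor = interceptor

    def on_related_info(self, terminal_id, user, info):
        blocked = set(info.get("blocked_categories", ()))
        # Second and third embodiments: a credit level reduction or arrears
        # reported by a third-party system blocks the web browsing application.
        if info.get("credit_downgraded") or info.get("arrears_exceeded"):
            blocked.add(WEB)
        self.interceptor.configure(terminal_id, user, blocked)


class IdentityManagementServer:
    """Collects related information from the terminal and third-party systems."""

    def __init__(self, policy_control):
        self.policy_control = policy_control
        self.info = {}  # (terminal_id, user) -> merged related information

    def update(self, terminal_id, user, **info):
        merged = self.info.setdefault((terminal_id, user), {})
        merged.update(info)
        self.policy_control.on_related_info(terminal_id, user, dict(merged))


def build():
    cie = ContentInterceptionEntity()
    ims = IdentityManagementServer(PolicyControlEntity(cie))
    return cie, ims


def run_scenario():
    cie, ims = build()
    phone = "phone-1"  # constructed terminal identifier

    # First embodiment: restriction configured on the terminal by the parent.
    ims.update(phone, "child", blocked_categories=[GAME])
    # Second embodiment: the bank system reports a credit level reduction.
    ims.update(phone, "subscriber", credit_downgraded=True)

    results = []
    cie.notify_current_user(phone, "child")       # child unlocks the phone
    results.append(cie.handle(Packet(phone, GAME)))
    results.append(cie.handle(Packet(phone, WEB)))
    cie.notify_current_user(phone, "subscriber")  # subscriber unlocks the phone
    results.append(cie.handle(Packet(phone, GAME)))
    results.append(cie.handle(Packet(phone, WEB)))
    return results


if __name__ == "__main__":
    print(run_scenario())
```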
As shown in fig. 7, a fifth embodiment of the present invention provides a content interception entity, and the specific implementation of the content interception entity may refer to the description of the above method, and repeated details are not repeated, where the content interception entity mainly includes:
an obtaining module 701, configured to obtain a data packet of an access user of a currently-used terminal;
an intercepting module 702, configured to determine whether to intercept the data packet according to a content access control policy corresponding to the access user currently using the terminal, and if not, send the data packet to a next-hop device, otherwise, intercept the data packet.
In an implementation, the obtaining module is further configured to:
before acquiring a data packet of an accessing user of a currently used terminal,
acquiring content access control related information which is configured by the terminal and corresponds to more than two access users of the terminal respectively, and acquiring content access control policies which correspond to the more than two access users respectively according to the content access control related information which corresponds to the more than two access users respectively;
and/or,
acquiring content access control policies corresponding to more than two access users of the terminal configured by a policy control entity.
In an implementation, the obtaining module is further configured to:
before acquiring a data packet of an access user currently using the terminal, acquiring a content access control policy of the access user currently using the terminal, which is configured by a policy control entity.
In implementation, the intercepting module is specifically configured to:
acquiring a notification message sent by the terminal, wherein the notification message carries an identity of the access user currently using the terminal, and determining a content access control policy corresponding to the user currently using the terminal according to the identity; or,
acquiring a notification message sent by an identity management server, wherein the notification message carries an identity of the access user currently using the terminal, and determining a content access control policy corresponding to the user currently using the terminal according to the identity.
As shown in fig. 8, a sixth embodiment of the present invention provides an identity management server, and specific implementation of the identity management server may refer to the description of the foregoing method embodiment, and repeated descriptions are omitted, where the identity management server mainly includes:
an obtaining module 801, configured to obtain content access control related information of an access user of a terminal;
a sending module 802, configured to send content access control related information of the access user to a policy control entity, where the policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user, sends the determined content access control policy to a content interception entity, and the content interception entity intercepts a data packet according to the received content access control policy.
In implementation, the sending module is specifically configured to:
sending content access control related information corresponding to an access user currently using the terminal to a policy control entity;
or,
and sending content access control related information corresponding to more than two access users of the terminal to a policy control entity.
In implementation, the obtaining module is specifically configured to:
acquiring content access control related information corresponding to at least one access user of the terminal configured by the terminal; and/or,
and acquiring content access control related information which is sent by a third-party system and corresponds to at least one access user of the terminal.
In an implementation, the apparatus further includes a receiving module 803 configured to:
before the sending module sends the content access control related information corresponding to the access user currently using the terminal to a policy control entity, receiving a notification message sent by the terminal, wherein the notification message carries an identity of the access user currently using the terminal, and determining the content access control related information corresponding to the access user currently using the terminal according to the identity.
As shown in fig. 9, a seventh embodiment of the present invention provides a terminal, and specific implementation of the terminal may refer to the description of the foregoing method embodiment, and repeated details are not repeated, where the terminal mainly includes:
a determining module 901, configured to determine an access user currently using the terminal;
a notifying module 902, configured to notify a content interception entity to intercept a data packet according to a content access control policy corresponding to the access user currently using the terminal.
In implementation, the system further comprises an obtaining module 903, configured to obtain content access control related information of an access user;
a configuration module 904, configured to configure a content interception entity according to the content access control related information of the access user, where the content interception entity obtains a content access control policy corresponding to the content access control related information of the access user, and the access user is the access user currently using the terminal or two or more access users of the terminal.
In implementation, the configuration module is specifically configured to:
directly sending the content access control related information of the access user to the content interception entity;
or,
and the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
In implementation, the notification module is specifically configured to:
and sending a notification message to the content interception entity, wherein the notification message carries the identity of the access user currently using the terminal, and the content interception entity acquires a content access control policy corresponding to the access user currently using the terminal according to the notification message and intercepts a data packet according to the content access control policy corresponding to the access user currently using the terminal.
In an implementation, the notification module is further configured to:
sending a notification message to the identity management server, where the notification message carries an identity identifier of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
As shown in fig. 10, in an eighth embodiment of the present invention, another content interception entity is provided, where the content interception entity may be a stand-alone device or integrated in a network device, and the content interception entity mainly includes a processor 1001, a memory 1002, and a transceiver 1003, where the transceiver is configured to receive and transmit data under the control of the processor, the memory stores a preset program, and the processor is configured to read the program stored in the memory, and according to the program, perform the following processes:
acquiring a data packet of an access user currently using the terminal through a transceiver;
and judging whether to intercept the data packet according to a content access control policy corresponding to the access user currently using the terminal, if not, sending the data packet to next hop equipment through a transceiver, otherwise, intercepting the data packet.
In a possible implementation manner, before the processor acquires a data packet of an access user of a currently used terminal through the transceiver, the processor acquires content access control related information corresponding to each of two or more access users of the terminal configured by the terminal through the transceiver, and acquires content access control policies corresponding to the two or more access users according to the content access control related information corresponding to each of the two or more access users;
and/or,
acquiring content access control policies corresponding to more than two access users of the terminal configured by a policy control entity through a transceiver.
In a possible embodiment, before the processor obtains the data packet of the access user of the currently used terminal through the transceiver, the processor obtains the content access control policy of the access user of the currently used terminal, configured by the policy control entity, through the transceiver.
In a possible implementation manner, a processor acquires a notification message sent by the terminal through a transceiver, wherein the notification message carries an identity of the access user currently using the terminal, and determines a content access control policy corresponding to the user currently using the terminal according to the identity; or,
obtains a notification message sent by an identity management server through a transceiver, wherein the notification message carries an identity of the access user currently using the terminal, and determines a content access control policy corresponding to the user currently using the terminal according to the identity.
As shown in fig. 11, in a ninth embodiment of the present invention, another identity management server is provided, where the identity management server mainly includes a processor 1101, a memory 1102 and a transceiver 1103, where the transceiver 1103 is configured to receive and send data under the control of the processor 1101, the memory 1102 stores a preset program therein, and the processor 1101 is configured to read the program stored in the memory 1102, and according to the program, perform the following processes:
acquiring content access control related information of an access user of a terminal through a transceiver;
the method comprises the steps of sending content access control related information of an access user to a policy control entity through a transceiver, determining a corresponding content access control policy by the policy control entity according to the received content access control related information of the access user, sending the determined content access control policy to a content interception entity, and intercepting a data packet by the content interception entity according to the received content access control policy.
In a possible implementation manner, the processor sends content access control related information corresponding to an access user currently using the terminal to a policy control entity through the transceiver;
or,
the processor sends content access control related information corresponding to more than two access users of the terminal to the policy control entity through the transceiver.
In a possible implementation manner, the processor acquires content access control related information corresponding to at least one access user of the terminal configured by the terminal through the transceiver; and/or,
and acquiring content access control related information which is sent by a third-party system and corresponds to at least one access user of the terminal through a transceiver.
In a possible implementation manner, the processor receives a notification message sent by the terminal through the transceiver, where the notification message carries an identity of the access user currently using the terminal, and determines, according to the identity, content access control related information corresponding to the access user currently using the terminal.
As shown in fig. 12, in a tenth embodiment of the present invention, a terminal is provided, where the terminal mainly includes a processor 1201, a memory 1202, and a transceiver 1203, where the transceiver 1203 is configured to receive and transmit data under the control of the processor 1201, a preset program is stored in the memory 1202, and the processor 1201 is configured to read the program stored in the memory 1202, and execute the following processes according to the program:
determining an access user currently using the terminal;
and informing a content interception entity to intercept the data packet according to the content access control policy corresponding to the access user currently using the terminal through the transceiver.
In a possible implementation manner, the processor acquires content access control related information of an access user through the transceiver;
and configures a content interception entity according to the content access control related information of the access user, and the content interception entity acquires a content access control policy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
In a possible implementation manner, the processor directly transmits the content access control related information of the access user to the content interception entity through the transceiver;
or,
and the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
In a possible implementation manner, the processor sends a notification message to the content interception entity through the transceiver, where the notification message carries an identity of the access user currently using the terminal, and the content interception entity obtains a content access control policy corresponding to the access user currently using the terminal according to the notification message and intercepts a data packet according to the content access control policy corresponding to the access user currently using the terminal.
In a possible implementation manner, the processor sends a notification message to the identity management server through the transceiver, where the notification message carries an identity of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
In the eighth to tenth embodiments, the processors, the memories and the transceivers are connected by buses. The bus architecture may include any number of interconnected buses and bridges, which link together various circuits, in particular one or more processors represented by the processor and memory represented by the memory. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface. The transceiver may be a plurality of elements, i.e., including a transmitter and a transceiver, providing a means for communicating with various other apparatus over a transmission medium. The processor is responsible for managing the bus architecture and the usual processing, and the memory may store data used by the processor in performing operations.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (19)

1. A content access control method, comprising:
a content interception entity acquires a content access control policy corresponding to an access user currently using a terminal;
the content interception entity acquires a data packet of the access user currently using the terminal;
the content interception entity judges whether to intercept the data packet according to a content access control policy corresponding to the access user currently using the terminal, if not, the data packet is sent to next hop equipment, otherwise, the data packet is intercepted;
the method for acquiring the content access control policy of the access user currently using the terminal by the content interception entity comprises the following steps:
the content interception entity obtains a notification message sent by the terminal after unlocking a screen, the notification message carries an identity of an access user currently using the terminal, and a content access control policy corresponding to the user currently using the terminal is determined according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; or,
the content interception entity obtains a notification message sent by an identity management server, wherein the notification message carries an identity of an access user currently using the terminal, and determines a content access control policy corresponding to the user currently using the terminal according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen;
the content access control policy corresponding to the access user currently using the terminal is determined based on content access control related information corresponding to the access user currently using the terminal configured by the terminal and content access control related information corresponding to the access user currently using the terminal sent by a third-party system, or is determined based on content access control related information corresponding to the access user currently using the terminal sent by the third-party system; the third party system is a bank system or a charging system.
2. The method of claim 1, wherein before the content interception entity obtains the content access control policy corresponding to the access user of the currently used terminal, the method further comprises:
the content interception entity acquires content access control related information corresponding to more than two access users of the terminal configured by the terminal, and acquires content access control policies corresponding to the more than two access users respectively according to the content access control related information corresponding to the more than two access users respectively;
and/or,
the content interception entity obtains content access control policies which are configured by a policy control entity and correspond to more than two access users of the terminal respectively.
3. A content access control method, comprising:
the identity management server acquires content access control related information of an access user of the terminal;
the identity management server receives a notification message sent by a terminal before a content interception entity acquires a data packet of an access user currently using the terminal, wherein the notification message carries an identity of the access user currently using the terminal, and content access control related information corresponding to the access user currently using the terminal is determined according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; the content access control related information of the access user currently using the terminal includes: the content access control related information corresponding to the access user currently using the terminal, which is configured by the terminal, and the content access control related information corresponding to the access user currently using the terminal, which is sent by a third-party system, or the content access control related information corresponding to the access user currently using the terminal, which is sent by the third-party system; the third party system is a bank system or a charging system;
the identity management server sends the content access control related information of the access user currently using the terminal to a policy control entity, the policy control entity determines the corresponding content access control policy according to the received content access control related information of the access user currently using the terminal, the determined content access control policy is sent to the content interception entity, and the content interception entity judges whether to intercept the data packet according to the received content access control policy.
4. The method of claim 3, wherein the identity management server sends content access control related information of the access user currently using the terminal to a policy control entity, comprising:
and the identity management server sends content access control related information corresponding to more than two access users of the terminal to the policy control entity.
5. A content access control method, comprising:
the terminal determines the current access user using the terminal;
the terminal sends a notification message to a content interception entity, wherein the notification message carries the identity of the access user currently using the terminal, and the content interception entity acquires a content access control policy corresponding to the access user currently using the terminal according to the notification message; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; the content access control policy corresponding to the access user currently using the terminal is determined based on the content access control related information corresponding to the access user currently using the terminal configured by the terminal and the content access control related information corresponding to the access user currently using the terminal sent by a third-party system, or is determined based on the content access control related information corresponding to the access user currently using the terminal sent by the third-party system; the third party system is a bank system or a charging system;
and the terminal sends a data packet of the access user currently using the terminal to the content interception entity, and the content interception entity judges whether to intercept the data packet according to a content access control policy corresponding to the access user currently using the terminal.
6. The method of claim 5, wherein the method further comprises:
the terminal acquires content access control related information of an access user;
and the terminal configures a content interception entity according to the content access control related information of the access user, and the content interception entity acquires a content access control strategy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
7. The method of claim 6, wherein the terminal configuring a content interception entity according to the content access control related information of the access user comprises:
the terminal directly sends the content access control related information of the access user to the content interception entity;
or,
the terminal sends the content access control related information of the access user to an identity management server, the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and the determined content access control policy is sent to the content interception entity.
8. The method of claim 7, wherein the method further comprises:
the terminal sends a notification message to the identity management server, the notification message carries the identity of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
9. A content access control system, comprising:
the terminal is used for determining the current access user using the terminal and sending a data packet of the current access user using the terminal to a content interception entity;
the identity management server is used for receiving a notification message sent by the terminal, wherein the notification message carries an identity of the access user currently using the terminal, and content access control related information corresponding to the access user currently using the terminal is determined according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; the content access control related information of the access user currently using the terminal includes: the content access control related information corresponding to the access user currently using the terminal, which is configured by the terminal, and the content access control related information corresponding to the access user currently using the terminal, which is sent by a third-party system, or the content access control related information corresponding to the access user currently using the terminal, which is sent by the third-party system; the third party system is a bank system or a charging system;
the content interception entity is used for acquiring a content access control strategy corresponding to the current terminal-using access user before receiving the data packet of the current terminal-using access user, judging whether to intercept the data packet according to the content access control strategy corresponding to the current terminal-using access user, and if not, sending the data packet to next hop equipment, otherwise, intercepting the data packet; and the content access control strategy corresponding to the access user currently using the terminal is determined based on the content access control related information of the access user currently using the terminal.
10. The system of claim 9, wherein the terminal is further configured to:
acquiring content access control related information of an access user, and configuring a content interception entity according to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal;
the content interception entity is further configured to:
and acquiring a content access control strategy corresponding to the content access control related information of the access user.
11. The system of claim 10, further comprising a policy control entity;
the terminal is specifically configured to:
sending the content access control related information of the access user to the identity management server;
the identity management server is configured to:
receiving the content access control related information of the access user sent by the terminal, and sending the content access control related information of the access user to the policy control entity;
the policy control entity is configured to:
and determining a corresponding content access control strategy according to the content access control related information of the access user sent by the identity management server, and sending the determined content access control strategy to the content interception entity.
12. A content interception entity, comprising:
the acquisition module is used for acquiring a content access control strategy corresponding to the access user of the current use terminal before acquiring the data packet of the access user of the current use terminal;
an interception module to:
acquiring a notification message sent by the terminal after unlocking a screen, wherein the notification message carries an identity of an access user currently using the terminal, and determining a content access control strategy corresponding to the user currently using the terminal according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; or,
acquiring a notification message sent by an identity management server, wherein the notification message carries an identity of an access user currently using the terminal, and determining a content access control strategy corresponding to the user currently using the terminal according to the identity; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen;
judging whether the data packet is intercepted or not according to a content access control strategy corresponding to the access user of the current use terminal, if not, sending the data packet to next hop equipment, otherwise, intercepting the data packet;
the content access control policy corresponding to the access user currently using the terminal is determined based on content access control related information corresponding to the access user currently using the terminal configured by the terminal and content access control related information corresponding to the access user currently using the terminal sent by a third-party system, or is determined based on content access control related information corresponding to the access user currently using the terminal sent by the third-party system; the third party system is a bank system or a charging system.
13. The content interception entity of claim 12, wherein said acquisition module is further configured to:
before acquiring the content access control strategy corresponding to the access user of the current use terminal,
acquiring content access control related information which is configured by the terminal and corresponds to more than two access users of the terminal respectively, and acquiring content access control strategies which correspond to the more than two access users respectively according to the content access control related information which corresponds to the more than two access users respectively;
and/or,
and acquiring content access control strategies corresponding to more than two access users of the terminal configured by a strategy control entity.
14. An identity management server, comprising:
the acquisition module is used for acquiring content access control related information of an access user of the terminal;
a receiving module, configured to receive a notification message sent by a terminal before a content interception entity obtains a data packet of an access user currently using the terminal, where the notification message carries an identity of the access user currently using the terminal, and determine, according to the identity, content access control related information corresponding to the access user currently using the terminal; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; the content access control related information of the access user currently using the terminal includes: the content access control related information corresponding to the access user currently using the terminal, which is configured by the terminal, and the content access control related information corresponding to the access user currently using the terminal, which is sent by a third-party system, or the content access control related information corresponding to the access user currently using the terminal, which is sent by the third-party system; the third party system is a bank system or a charging system;
a sending module, configured to send content access control related information of the access user currently using the terminal to a policy control entity, where the policy control entity determines a corresponding content access control policy according to the received content access control related information of the access user currently using the terminal, sends the determined content access control policy to the content interception entity, and the content interception entity determines whether to intercept the data packet according to the received content access control policy.
15. The identity management server of claim 14, wherein the sending module is specifically configured to:
and sending content access control related information corresponding to more than two access users of the terminal to a policy control entity.
16. A terminal, comprising:
the determining module is used for determining the current access user using the terminal;
a notification module, configured to send a notification message to a content interception entity, where the notification message carries an identity of the access user currently using the terminal, and the content interception entity obtains, according to the notification message, a content access control policy corresponding to the access user currently using the terminal; the identity identification is a login password and/or a user name input in a human-computer interaction interface provided by the terminal when the terminal unlocks a screen; the content access control policy corresponding to the access user currently using the terminal is determined based on the content access control related information corresponding to the access user currently using the terminal configured by the terminal and the content access control related information corresponding to the access user currently using the terminal sent by a third-party system, or is determined based on the content access control related information corresponding to the access user currently using the terminal sent by the third-party system; the third party system is a bank system or a charging system;
and the terminal sends a data packet of the access user currently using the terminal to the content interception entity, and the content interception entity judges whether to intercept the data packet according to a content access control strategy corresponding to the access user currently using the terminal.
17. The terminal of claim 16, further comprising an obtaining module for obtaining content access control related information of an accessing user;
and the configuration module is used for configuring a content interception entity according to the content access control related information of the access user, and the content interception entity acquires a content access control strategy corresponding to the content access control related information of the access user, wherein the access user is the access user currently using the terminal or more than two access users of the terminal.
18. The terminal of claim 17, wherein the configuration module is specifically configured to:
directly sending the content access control related information of the access user to the content interception entity;
or,
and the identity management server sends the content access control related information of the access user to a policy control entity, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user, and sends the determined content access control policy to the content interception entity.
19. The terminal of claim 18, wherein the notification module is further configured to:
sending a notification message to the identity management server, where the notification message carries an identity identifier of the access user currently using the terminal, the identity management server sends content access control related information corresponding to the access user currently using the terminal to the policy control entity according to the notification message, the policy control entity determines a corresponding content access control policy according to the content access control related information of the access user currently using the terminal, and sends the content access control policy corresponding to the access user currently using the terminal to the content interception entity.
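The flow recited in claims 8, 9 and 14 (unlock notification, lookup at the identity management server, policy determination, then a per-packet decision at the content interception entity) can be modelled as follows; this is an added example, not part of the patent text. The class names, the blocked-host field, the union rule for combining the two information sources, and the fail-closed default when no policy is installed are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Field names, entity classes and sample values are constructed for this
# example; the claims do not define a concrete format for the
# "content access control related information".

@dataclass(frozen=True)
class RelatedInfo:
    blocked_hosts: frozenset = frozenset()

@dataclass(frozen=True)
class Packet:
    terminal_id: str
    dst_host: str

class IdentityManagementServer:
    """Holds related information per (terminal, user) from both sources."""
    def __init__(self):
        self._by_source = {"terminal": {}, "third_party": {}}

    def store(self, source, terminal_id, user, info):
        self._by_source[source][(terminal_id, user)] = info

    def lookup(self, terminal_id, user):
        # Yields terminal-configured plus third-party info, or third-party only.
        key = (terminal_id, user)
        return [tbl[key] for tbl in self._by_source.values() if key in tbl]

class PolicyControlEntity:
    @staticmethod
    def determine_policy(sources):
        # Assumption: sources are combined as a union of restrictions.
        if not sources:
            return None
        hosts = frozenset().union(*(s.blocked_hosts for s in sources))
        return RelatedInfo(blocked_hosts=hosts)

class ContentInterceptionEntity:
    def __init__(self):
        self._active = {}  # terminal_id -> policy of the user currently on it

    def install(self, terminal_id, policy):
        if policy is None:
            self._active.pop(terminal_id, None)
        else:
            self._active[terminal_id] = policy

    def handle(self, pkt):
        policy = self._active.get(pkt.terminal_id)
        # Assumption: no policy installed yet means intercept (fail closed).
        if policy is None or pkt.dst_host in policy.blocked_hosts:
            return "intercept"
        return "forward"

def notify_unlock(terminal_id, user, ims, pce, cie):
    """Notification sent on screen unlock; the identity here is the user name."""
    cie.install(terminal_id, pce.determine_policy(ims.lookup(terminal_id, user)))

def demo():
    ims = IdentityManagementServer()
    pce, cie = PolicyControlEntity(), ContentInterceptionEntity()
    # Constructed data: one shared terminal, two access users.
    ims.store("terminal", "tablet-1", "child", RelatedInfo(frozenset({"video.example"})))
    ims.store("third_party", "tablet-1", "child", RelatedInfo(frozenset({"store.example"})))
    ims.store("third_party", "tablet-1", "parent", RelatedInfo())
    out = [cie.handle(Packet("tablet-1", "news.example"))]  # before any unlock
    notify_unlock("tablet-1", "child", ims, pce, cie)
    out += [cie.handle(Packet("tablet-1", h))
            for h in ("video.example", "store.example", "news.example")]
    notify_unlock("tablet-1", "parent", ims, pce, cie)  # user switch, same terminal
    out.append(cie.handle(Packet("tablet-1", "video.example")))
    return out

if __name__ == "__main__":
    print(demo())
```

The policy is installed before the first packet of the new user arrives, so a user switch on the same terminal changes the decision for the same destination without reconfiguring the terminal.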
CN201510954617.1A 2015-12-17 2015-12-17 Content access control method and related equipment Active CN106899543B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510954617.1A CN106899543B (en) 2015-12-17 2015-12-17 Content access control method and related equipment
PCT/CN2016/105775 WO2017101627A1 (en) 2015-12-17 2016-11-14 Content access control method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510954617.1A CN106899543B (en) 2015-12-17 2015-12-17 Content access control method and related equipment

Publications (2)

Publication Number Publication Date
CN106899543A CN106899543A (en) 2017-06-27
CN106899543B true CN106899543B (en) 2020-10-20

Family

ID=59055742

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510954617.1A Active CN106899543B (en) 2015-12-17 2015-12-17 Content access control method and related equipment

Country Status (2)

Country Link
CN (1) CN106899543B (en)
WO (1) WO2017101627A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109728930A (en) * 2017-10-31 2019-05-07 中国移动通信有限公司研究院 A kind of Network Access Method, terminal and the network equipment

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102402663A (en) * 2011-12-01 2012-04-04 浪潮电子信息产业股份有限公司 Method for customizing role authorization in management information system
CN102457619A (en) * 2011-12-30 2012-05-16 广东欧珀移动通信有限公司 Method for setting permission password for mobile phone
CN102622311A (en) * 2011-12-29 2012-08-01 北京神州绿盟信息安全科技股份有限公司 USB (universal serial bus) mobile memory device access control method, USB mobile memory device access control device and USB mobile memory device access control system
CN103108082A (en) * 2013-01-24 2013-05-15 北京航空航天大学 Smartphone multi-user mode permission management method and smartphone multi-user mode permission management system
CN103313238A (en) * 2013-06-20 2013-09-18 天翼电信终端有限公司 Safety system and safety protection method for mobile terminal
CN103514394A (en) * 2012-12-10 2014-01-15 Tcl集团股份有限公司 Icon unlocking method of touch screen equipment and touch screen equipment
CN103577732A (en) * 2012-07-24 2014-02-12 联想(北京)有限公司 Information processing method and device and electronic device
CN103699830A (en) * 2013-12-30 2014-04-02 中科创达软件股份有限公司 Operating system unlocking method and operating system unlocking device
CN104579726A (en) * 2013-10-16 2015-04-29 航天信息股份有限公司 Method and device for managing network resource use permission of user
CN104881506A (en) * 2015-06-29 2015-09-02 山东钢铁股份有限公司 Configurable management information system right control method based on database

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1835032A (en) * 2005-03-17 2006-09-20 石瑞雪 Multi-subscriber bank settlement account with different operation authority
CN100466783C (en) * 2006-04-06 2009-03-04 华为技术有限公司 Method and device for managing multi-users of mobile terminal
CN101056343A (en) * 2007-06-19 2007-10-17 华为技术有限公司 Method and call terminal for multiple users to use the same call terminal
CN101877102A (en) * 2010-04-08 2010-11-03 苏州德融嘉信信用管理技术有限公司 Bank customer relationship management (CRM) system and operation method thereof
BR112013021228A2 (en) * 2011-02-21 2020-10-27 Nec Corporation communication system, database, recording equipment, communication method
KR101263423B1 (en) * 2012-10-19 2013-05-10 김봉주 Log in confirmation service implementation method for mobile terminal
CN104349370A (en) * 2013-08-01 2015-02-11 中兴通讯股份有限公司 Access control method, apparatus and system
CN104660421B (en) * 2013-11-25 2019-01-25 中国电信股份有限公司 Online charging system and its control method to communication service
CN104284027A (en) * 2014-10-29 2015-01-14 东莞宇龙通信科技有限公司 Authority management method and authority management system for terminal

Also Published As

Publication number Publication date
CN106899543A (en) 2017-06-27
WO2017101627A1 (en) 2017-06-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee after: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210531

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Patentee after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Patentee before: CHINA ACADEMY OF TELECOMMUNICATIONS TECHNOLOGY