CN107094140B - Session-based permission control method and system - Google Patents

Info

Publication number: CN107094140B
Authority: CN (China)
Prior art keywords: session, role, acquiring, authority, identity information
Legal status: Active
Application number: CN201710272386.5A
Other languages: Chinese (zh)
Other versions: CN107094140A (en)
Inventors: 文曦畅, 王秋明
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Priority date: 2017-04-24
Filing date: 2017-04-24
Publication dates: CN107094140A 2017-08-25; CN107094140B 2021-01-19

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security

Abstract

The embodiment of the invention discloses a session-based authority control method comprising the following steps: when a process of an application program carries out a system call, acquiring the session to which the system call belongs; acquiring the corresponding session authority according to the session; and controlling the current system call according to the session authority corresponding to each session. The process of the application program thus introduces a session-authority check into the system call, so that the authority is checked and verified when the system call is carried out on the server and the authority of the application program is controlled; this control is applied when the process executes the system call and is not limited to the attributes of the process user and the file. The invention also discloses a session-based authority control system; its effect is the same as that of the method and is not described again.

Description

Session-based permission control method and system
Technical Field
The invention relates to the technical field of access authority management, in particular to an authority control method and system based on a session.
Background
With the development of science and technology, more and more internet users obtain shared resources of an external network by remote access. For a user to gain remote access, the user's client must connect to the server by remote login; the server then calls up the corresponding information in the database and returns it to the client.
However, in internet applications the server provides different services to different users, i.e. different clients have different access rights, and each client may obtain only the information in the database that lies within its own access authority. In general, when a user performs remote access, the server determines the authority of the system call, and this authority is usually applied directly to the data (files and directories) of the file system and to database connections. A system call here means a call by which a process traps into the operating-system kernel to execute a system function, such as creating a file, modifying a file or executing a program. System permissions generally mean the permissions checked at the time of the system call, and these are typically determined by the file's attributes and by the user and group under which the process runs. The process is therefore limited by the attributes of the process user and the file when it performs the system call.
Therefore, how to control authority at the time the process executes a system call without being limited to the attributes of the process user and the file is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The invention aims to provide a session-based authority control method and a session-based authority control system, which can realize authority control that is not limited to the attributes of process users and files when a process executes a system call.
In order to solve the technical problems, the invention provides the following technical scheme:
a method for session-based rights control, comprising:
when the process of the application program carries out system calling, acquiring a session to which the system calling belongs;
acquiring a corresponding session authority according to the session;
and controlling the current system call according to the session authority corresponding to each session.
Preferably, acquiring the corresponding session authority according to the session includes:
identifying identity information of a role to which the session belongs;
and acquiring the authority configuration of the role according to the identity information of the role.
Preferably, identifying the identity information of the role to which the session belongs includes:
acquiring the IP address of the session initiator;
and acquiring the identity information of the role of the session according to the IP address.
Preferably, identifying the identity information of the role to which the session belongs includes:
pre-establishing an intermediate proxy;
acquiring the request content of the session through the intermediate proxy;
judging, through the intermediate proxy, whether the request content contains preset authentication information representing the identity of the role of the session;
and if so, identifying, through the intermediate proxy, the identity information of the role corresponding to the authentication information.
Preferably, identifying the identity information of the role to which the session belongs includes:
establishing in advance a virtual communication network tunnel for communication by a preset role;
and identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.
A session-based authority control system comprising:
a first acquisition module, used for acquiring the session to which a system call belongs when a process of an application program carries out the system call;
a second acquisition module, used for acquiring the corresponding session authority according to the session;
and a control module, used for controlling the current system call according to the session authority corresponding to each session.
Preferably, the second acquisition module includes:
an identification unit, used for identifying the identity information of the role to which the session belongs;
and an authority acquisition unit, used for acquiring the authority configuration of the role according to the identity information of the role.
Preferably, the identification unit includes:
a first acquisition subunit, configured to acquire the IP address of the session initiator;
and a second acquisition subunit, used for acquiring the identity information of the role of the session according to the IP address.
Preferably, the identification unit includes:
an intermediate proxy subunit, used for acquiring the request content of the session, judging whether the request content contains preset authentication information representing the identity of the role of the session, and, when it does, identifying the identity information of the role corresponding to the authentication information.
Preferably, the identification unit includes:
a tunnel establishing subunit, configured to establish in advance a virtual communication network tunnel for communication by a preset role;
and an identification subunit, used for identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.
Compared with the prior art, the technical scheme has the following advantages:
the embodiment of the invention provides a session-based authority control method comprising the following steps: when a process of an application program carries out a system call, acquiring the session to which the system call belongs; acquiring the corresponding session authority according to the session; and controlling the current system call according to the session authority corresponding to each session. The process of the application program thus introduces a session-authority check into the system call, so that the authority is checked and verified when the system call is carried out on the server and the authority of the application program is controlled; this control is applied when the process executes the system call and is not limited to the attributes of the process user and the file.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a session-based authority control method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a session-based authority control system according to an embodiment of the present invention.
Detailed Description
The core of the invention is to provide a session-based authority control method and system, which can realize authority control that is not limited to the attributes of process users and files when a process executes a system call.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
In the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The invention can be implemented in a number of ways different from those described herein and similar generalizations can be made by those skilled in the art without departing from the spirit of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed below.
Referring to Fig. 1, Fig. 1 is a flowchart illustrating a session-based authority control method according to an embodiment of the present invention.
A specific embodiment of the present invention provides a session-based authority control method, including:
S11: when a process of an application program carries out a system call, acquiring the session to which the system call belongs;
S12: acquiring the corresponding session authority according to the session;
S13: controlling the current system call according to the session authority corresponding to each session.
In this embodiment, when a client accesses the server through a preset application program to obtain data from the database, a session associated with the system call is established between the client and the server. Different clients have different permission configurations according to their roles, so the corresponding session permission can be acquired from the session. The current system call is executed only when the data of the system call passes the check against the session authority; once the current system call has been executed it returns, and a new system call can be executed.
The session authority indicates the access authority of the role corresponding to the session, so when judging whether a system call conforms to the authority there is no need to judge the attributes of the file the system call touches or of the user the process runs as, which greatly simplifies the authority judgement. The process of the application program introduces the session authority into the system call to control the authority of the application program, and that control is not limited to the attributes of the process user and the file when the process executes the system call.
It should be noted that, in the whole communication service process described here, the system calls mainly comprise those by which an application program reads and writes files on a disk file system, and those by which an application program reads and writes over a connection to the database of a database program. In both cases the authority is checked and determined when the system call is made.
It should be noted that system calls also include those by which the database program itself reads and writes its database data; since a permission check there is of little significance, in this embodiment the permission check need not be performed on those system calls.
In an embodiment of the present invention, acquiring the corresponding session authority according to the session includes: identifying the identity information of the role to which the session belongs; and acquiring the authority configuration of the role according to that identity information.
In this embodiment, a role means a user identity, and each identity has a set of operation authority configurations in the system. To know the client's authority, this embodiment identifies the identity information of the role to which the session established by the client belongs, that is, the identity of the client initiating the session; only once the client's identity is known can the server grant the client the corresponding authority to perform system calls.
In one embodiment of the present invention, identifying the identity information of the role to which the session belongs includes: acquiring the IP address of the session initiator; and acquiring the identity information of the role of the session according to the IP address.
In this embodiment, the identity of the client initiating the session is identified by reading the IP address of the session initiator. Suppose two clients access the server: client A has the IP address 192.168.1.1, its identity is administrator and its authority is "all"; client B has the IP address 123.45.67.89, its identity is normal user and its authority is "part". When a client accesses the server and initiates a session, the server reads the IP address of the initiating client and obtains the client's identity information from it: if the IP address read is that of client A, the client is determined to be an administrator, and the corresponding authority is applied to control the current system call. Because each client has an IP address distinct from every other client's, the client's identity can be identified from the IP address of the session initiator and the corresponding authority invoked to control the system call.
In another embodiment of the present invention, identifying the identity information of the role to which the session belongs includes: pre-establishing an intermediate proxy; acquiring the request content of the session through the intermediate proxy; judging, through the intermediate proxy, whether the request content contains preset authentication information representing the identity of the role of the session; and if so, identifying, through the intermediate proxy, the identity information of the role corresponding to the authentication information.
In this embodiment the role is identified using secondary authentication. An intermediate proxy is introduced for the secondary authentication, so that all data bound for the server first passes through the intermediate proxy, which authenticates the connection and only then passes the request on to the server.
Specifically, take the previous embodiment, which obtains the identity information of the session's role from the IP address of the session initiator: in general one computer corresponds to one IP address, so when a system call is made from a certain computer, all of that computer's permissions during the system call can be identified from its IP address. However, when the user switches to another computer, the new computer's IP address differs from the original one, and it becomes difficult to identify the operator's authority. This embodiment therefore adopts a secondary authentication method: the intermediate proxy analyses the request content from the current computer to authenticate the identity of its user, so that the server can identify the user whether the user operates from the originally configured computer or from another one, and determine the authority accordingly.
The client sends request content to the intermediate proxy; the intermediate proxy returns a signal that authentication is needed; the client sends the request content again together with authentication information; after the intermediate proxy passes the authentication it sends the request content and the related role information to the server; and the server returns the reply content to the client. In this process the identity of the client initiating the session is identified by the intermediate proxy.
In another embodiment of the present invention, identifying the identity information of the role to which the session belongs includes: establishing in advance a virtual communication network tunnel for communication by a preset role; and identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.
In this embodiment the role is recognised by a tunnel method. The client establishes a virtual private communication network tunnel with the server, and the role is identified by distinguishing the source tunnel. For example, when client roles are divided into administrator and common user, the administrator client communicates with the server over a virtual private communication network tunnel while the common-user client communicates over ordinary network access; when a client and the server establish a session, the identity information of the role to which the session belongs can then be determined simply by identifying the session's source tunnel.
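The syscall gate of S11 to S13 and the three role-identification routes above (peer IP, intermediate proxy with preset authentication information, source tunnel), simulated in Python as an added example that is not part of the patent. The permission table, the authentication strings, the tunnel names and the session fields are constructed assumptions; the two IP/role pairs are the ones from the IP embodiment, and the proxy exchange follows the request, authenticate, forward, reply sequence described above.

```python
"""Simulation of session-based permission control (S11-S13 plus the three
role-identification embodiments). Added example; all policy data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role -> system-call classes the role may execute. Constructed table; "all" and
# "part" follow the administrator / normal-user example in the description.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "administrator": {"file_read", "file_write", "exec", "db_connect", "db_read", "db_write"},
    "normal_user": {"file_read", "db_connect", "db_read"},
}

# Embodiment 1: peer IP of the session initiator -> role (IPs from the description).
IP_ROLES: Dict[str, str] = {"192.168.1.1": "administrator", "123.45.67.89": "normal_user"}

# Embodiment 2: preset authentication information the intermediate proxy looks for
# in the request content -> role. The strings are constructed placeholders.
AUTH_INFO_ROLES: Dict[str, str] = {"AUTH-ADMIN-PLACEHOLDER": "administrator",
                                   "AUTH-USER-PLACEHOLDER": "normal_user"}

# Embodiment 3: source tunnel -> role. Administrator traffic arrives over a virtual
# private tunnel, common users over plain network access (tunnel names constructed).
TUNNEL_ROLES: Dict[str, str] = {"vpn-admin": "administrator", "plain": "normal_user"}


@dataclass
class Session:
    """Session established between client and server; S11 looks this up per call."""
    session_id: str
    peer_ip: str
    source_tunnel: str = "plain"
    request: Dict[str, str] = field(default_factory=dict)  # content seen by the proxy
    role: Optional[str] = None  # set once the role's identity has been identified


def identify_by_ip(session: Session) -> Optional[str]:
    return IP_ROLES.get(session.peer_ip)


def identify_by_tunnel(session: Session) -> Optional[str]:
    return TUNNEL_ROLES.get(session.source_tunnel)


def proxy_authenticate(session: Session) -> Tuple[str, Optional[str]]:
    """Intermediate proxy: inspect the request content for preset authentication
    information. Returns (signal, role)."""
    auth = session.request.get("auth")
    if auth is None:
        return "AUTH_REQUIRED", None   # proxy asks the client to authenticate
    role = AUTH_INFO_ROLES.get(auth)
    if role is None:
        return "REJECTED", None        # authentication information not recognised
    return "FORWARD", role             # proxy forwards request plus role information


def identify_role(session: Session, method: str) -> Optional[str]:
    """S12, first half: identify the identity information of the session's role."""
    if method == "ip":
        role = identify_by_ip(session)
    elif method == "tunnel":
        role = identify_by_tunnel(session)
    elif method == "proxy":
        _, role = proxy_authenticate(session)
    else:
        raise ValueError("unknown identification method: %s" % method)
    session.role = role
    return role


def session_permissions(session: Session) -> Set[str]:
    """S12, second half: role identity -> permission configuration.
    An unidentified role gets no permissions, so the check fails closed."""
    return set(ROLE_PERMISSIONS.get(session.role, ()))


def check_syscall(session: Session, syscall_class: str, caller: str = "application") -> bool:
    """S13: decide whether the current system call may proceed. The description checks
    calls made by the application program (file read/write, database connection
    read/write); the database program's own reads and writes of its data are not checked."""
    if caller == "database_program":
        return True
    return syscall_class in session_permissions(session)


def proxy_exchange(session: Session, client_auth: str) -> List[str]:
    """The request / authenticate / forward / reply sequence of the proxy embodiment,
    returned as a transcript of message labels."""
    transcript = ["client->proxy: request"]
    signal, _ = proxy_authenticate(session)
    if signal == "AUTH_REQUIRED":
        transcript.append("proxy->client: AUTH_REQUIRED")
        session.request["auth"] = client_auth   # client resends with authentication info
        transcript.append("client->proxy: request+auth")
        signal, _ = proxy_authenticate(session)
    if signal != "FORWARD":
        transcript.append("proxy->client: REJECTED")
        return transcript
    identify_role(session, "proxy")
    transcript.append("proxy->server: request+role(%s)" % session.role)
    transcript.append("server->client: reply")
    return transcript
```

An unidentified session gets an empty permission set, so the gate fails closed; the IP route ties identity to the machine rather than to the operator, which is the limitation the proxy and tunnel routes address.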
Referring to Fig. 2, Fig. 2 is a schematic structural diagram of a session-based authority control system according to an embodiment of the present invention.
Correspondingly, an embodiment of the present invention further provides a session-based authority control system, including: a first acquisition module 21, configured to acquire the session to which a system call belongs when the system call is performed by a process of an application program; a second acquisition module 22, configured to acquire the corresponding session authority according to the session; and a control module 23, configured to control the current system call according to the session authority corresponding to each session.
Further, the second acquisition module includes: an identification unit, used for identifying the identity information of the role to which the session belongs; and an authority acquisition unit, used for acquiring the authority configuration of the role according to the identity information of the role.
In this embodiment, the first acquisition module obtains the session to which the system call belongs when the system call is made, that is, the session established between the client and the server, and the second acquisition module obtains the session authority corresponding to that session, that is, the client's authority configuration. When judging whether the system call conforms to the authority it is therefore unnecessary to judge the attributes of the file the system call touches or of the user the process runs as, which greatly simplifies the authority judgement. The process of the application program introduces the session authority into the system call to control the authority of the application program, and that control is not limited to the attributes of the process user and the file when the process executes the system call.
In one embodiment of the present invention, the identification unit includes: a first acquisition subunit, used for acquiring the IP address of the session initiator; and a second acquisition subunit, used for acquiring the identity information of the role of the session according to the IP address. In this embodiment the role is identified by the peer IP of the session: when the IP address of the session initiator matches the role's configuration, the session is identified as that role.
In another embodiment of the present invention, the identification unit includes an intermediate proxy subunit, used for acquiring the request content of the session, judging whether the request content contains preset authentication information representing the identity of the role of the session, and, when it does, identifying the identity information of the role corresponding to the authentication information.
In this embodiment the role is identified using secondary authentication by establishing an intermediate proxy subunit. The intermediate proxy is introduced for the secondary authentication, so that all data bound for the server first passes through the intermediate proxy, which authenticates the connection and only then passes the request on to the server.
In another embodiment of the present invention, the identification unit includes: a tunnel establishing subunit, configured to establish in advance a virtual communication network tunnel for communication by a preset role; and an identification subunit, used for identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.
In summary, the session-based permission control method and system of the present invention introduce a session-permission check into the application program's process at the point of the system call, so that the permission is checked and verified when the system call is performed on the server and the permission of the application program is controlled; this control is applied when the process executes the system call and is not limited to the attributes of the process user and the file.
The above is a detailed description of the session-based authority control method and system provided by the present invention. The principles and embodiments of the present invention are explained here using specific examples, which serve only to help in understanding the invention and its core concepts. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.

Claims (6)

1. A session-based authority control method, characterized by comprising the following steps:
when a process of an application program carries out a system call, acquiring the session to which the system call belongs;
acquiring the corresponding session authority according to the session;
controlling the current system call according to the session authority corresponding to each session;
wherein acquiring the corresponding session authority according to the session includes:
identifying the identity information of the role to which the session belongs by using an intermediate proxy;
acquiring the authority configuration of the role according to the identity information of the role;
and identifying, with the intermediate proxy, the identity information of the role to which the session belongs comprises:
pre-establishing an intermediate proxy;
acquiring the request content of the session through the intermediate proxy;
judging, through the intermediate proxy, whether the request content contains preset authentication information representing the identity of the role of the session;
and if so, identifying, through the intermediate proxy, the identity information of the role corresponding to the authentication information.
2. The method of claim 1, wherein identifying the identity information of the role to which the session belongs comprises:
acquiring the IP address of the session initiator;
and acquiring the identity information of the role of the session according to the IP address.
3. The method of claim 1, wherein identifying the identity information of the role to which the session belongs comprises:
establishing in advance a virtual communication network tunnel for communication by a preset role;
and identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.
4. A session-based authority control system, comprising:
a first acquisition module, used for acquiring the session to which a system call belongs when a process of an application program carries out the system call;
a second acquisition module, used for acquiring the corresponding session authority according to the session;
a control module, used for controlling the current system call according to the session authority corresponding to each session;
wherein the second acquisition module includes:
an identification unit, used for identifying the identity information of the role to which the session belongs by using the intermediate proxy;
an authority acquisition unit, used for acquiring the authority configuration of the role according to the identity information of the role;
and the identification unit includes:
an intermediate proxy subunit, used for pre-establishing an intermediate proxy, acquiring the request content of the session through the intermediate proxy, judging through the intermediate proxy whether the request content contains preset authentication information representing the identity of the role of the session, and identifying through the intermediate proxy the identity information of the role corresponding to the authentication information when the request content contains the authentication information.
5. The system of claim 4, wherein the identification unit comprises:
a first acquisition subunit, configured to acquire the IP address of the session initiator;
and a second acquisition subunit, used for acquiring the identity information of the role of the session according to the IP address.
6. The system of claim 4, wherein the identification unit comprises:
a tunnel establishing subunit, configured to establish in advance a virtual communication network tunnel for communication by a preset role;
and an identification subunit, used for identifying the source tunnel of the session so as to judge the identity information of the role to which the session belongs.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710272386.5A CN107094140B (en) 2017-04-24 2017-04-24 Session-based permission control method and system


Publications (2)

Publication Number Publication Date
CN107094140A CN107094140A (en) 2017-08-25
CN107094140B true CN107094140B (en) 2021-01-19

Family

ID=59638281


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1773413A (en) * 2004-11-10 2006-05-17 中国人民解放军国防科学技术大学 Character constant weight method
EP2194456A1 (en) * 2008-12-05 2010-06-09 NTT DoCoMo, Inc. Method and apparatus for performing a file operation
CN102104607A (en) * 2011-03-10 2011-06-22 易程(苏州)软件股份有限公司 Method, device and system for controlling safety of service access
CN104052775A (en) * 2013-03-14 2014-09-17 腾讯科技(深圳)有限公司 Authority management method of cloud platform service, device and system
CN104052747A (en) * 2014-06-23 2014-09-17 桂林长海科技有限责任公司 Permission management system based on RBAC
CN105450581A (en) * 2014-06-20 2016-03-30 北京新媒传信科技有限公司 Authority control method and device

Also Published As

Publication number Publication date
CN107094140A (en) 2017-08-25

Similar Documents

Publication Publication Date Title
CN107133516B (en) Authority control method and system
CN111556006B (en) Third-party application system login method, device, terminal and SSO service platform
US8281381B2 (en) Techniques for environment single sign on
WO2018036314A1 (en) Single-sign-on authentication method and apparatus, and storage medium
CN108881228B (en) Cloud registration activation method, device, equipment and storage medium
US11190501B2 (en) Hybrid single sign-on for software applications and services using classic and modern identity providers
CN110300133B (en) Cross-domain data transmission method, device, equipment and storage medium
US20150373026A1 (en) Permission management method, device and system for cloud platform service
RU2237275C2 (en) Server and method (variants) for determining software surroundings of client node in a network having client/server architecture
WO2022143174A1 (en) Data transmission method and apparatus, device, storage medium, and computer program product
CN110795174A (en) Application program interface calling method, device, equipment and readable storage medium
CN114531945A (en) Template-based loading of web-enabled devices
CN112507320A (en) Access control method, device, system, electronic equipment and storage medium
CN112039873A (en) Method for accessing business system by single sign-on
CN113765655A (en) Access control method, device, equipment and storage medium
CN111241523A (en) Authentication processing method, device, equipment and storage medium
CN107071040B (en) Authority control method and system based on file descriptor and session
CN113901429A (en) Access method and device of multi-tenant system
CN107018140B (en) Authority control method and system
CN110049106B (en) Service request processing system and method
CN107094140B (en) Session-based permission control method and system
WO2015021842A1 (en) Method and apparatus of accessing ott application and method and apparatus of pushing message by server
KR20050009945A (en) Method and system for managing virtual storage space using mobile storage
CN113901428A (en) Login method and device of multi-tenant system
CN107105036B (en) Activity tracing method and system for server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant