CN107465641A - Software system based on a three-tier architecture and data request method thereof - Google Patents
- Publication number
- CN107465641A (application CN201610383404A)
- Authority
- CN
- China
- Prior art keywords
- request
- data
- module
- client
- database
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a software system based on a three-tier architecture and a data request method for it. The software system comprises a script identification module, an access request module, an unauthorized-access judgement module, an access restriction module and a result feedback module. The script identification module sets an identifier for each database SQL script; the access request module sends the identifier corresponding to an access request to the application server; the unauthorized-access judgement module judges whether the corresponding client is attempting unauthorized access; the access restriction module automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and forcibly restricts the range of the database the user may access; the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The invention improves system security and prevents unauthorized access to data.
Description
Technical field
The invention belongs to the field of computer software technology and relates to a software system, in particular to a software system based on a three-tier architecture; it further relates to a data request method based on such a three-tier architecture software system.
Background technology
With the rise of the internet, more and more software provides access and applications over the internet. In this situation the framework generally used is the three-tier architecture of "database server - application server - client application or client browser", in which the application server is exposed to the internet so that clients can reach it over the internet. The calls and data exchange between the client and the application server must therefore be both secure and efficient. Such calls currently take one of several forms:
(1) Website mode. The application server is a web server that returns web pages to the client, and the client interacts with it through a web browser (such as Chrome or Internet Explorer). This is the B/S (browser/server) architecture.
(2) API calls based on database statements. The client is an application program that sends the statements it needs executed to the application server; the application server submits them to the database server for execution and returns the result to the caller.
(3) API calls based on business categories. The client is an application program that, when it needs data, sends an instruction to the application server whose content comprises the type of business operation and the relevant parameters. After receiving the instruction, the application server parses it, converts it into database statements, hands these to the database server for execution and returns the result to the caller.
These approaches have the following shortcomings:
(1) Website mode: the application terminal must be a web browser, so many application features are limited by the type and version of the browser, and compatibility is hard to achieve. The characteristics of a web browser also greatly reduce the convenience of many user operations and the extensibility of the client towards other software and hardware interfaces.
(2) API calls based on database scripts: because the statement is submitted directly by the client program to the application server and database server, fine-grained permission control is hard to achieve. The statement itself may be very complex and involve many objects, so the server side has difficulty deciding whether the requesting user has the right to operate on those objects, and a low-privilege account may obtain unauthorized data access by imitating the client program. In addition, every call request carries a complete database SQL script, which increases the size of the request packet and wastes bandwidth.
(3) API calls based on business categories: the application server must perform a large amount of parsing and computation on each instruction before it can be converted into a database SQL script and submitted to the database, so the overhead and cost are high; and developing a new client application involves updating the application server, which is inconvenient.
In view of this, there is an urgent need to design a new software system that overcomes the above drawbacks of existing software systems.
Summary of the invention
The technical problem to be solved by the invention is to provide a software system based on a three-tier architecture that improves system security and prevents unauthorized access to data.
The invention further provides a data request method based on a three-tier architecture software system that improves system security and prevents unauthorized access to data.
To solve the above technical problem, the invention adopts the following technical scheme.
A software system based on a three-tier architecture, comprising:
a script numbering module, for setting the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
an access request module, arranged at the client, for sending to the application server the number corresponding to an access request, i.e. the number of the corresponding database SQL script; the information sent also includes the relevant parameters (any necessary additional filter-condition parameters);
an unauthorized-access judgement module, arranged at the application server, for judging whether the corresponding client is attempting unauthorized access, i.e. whether the user's client has the right to the database SQL script corresponding to the number it sent;
an access restriction module, arranged at the application server, for automatically retrieving the database SQL script corresponding to the number, obtaining the access rights of the current user's client, and forcibly restricting the range of the database the user may access;
a request merging module, for merging multiple data requests into one data request set that records the numbers and parameters of the individual requests, so that the client application interacts with the application server only once and obtains all result sets in a batch;
an executable script generation module, arranged at the application server, for appending further conditions to the database SQL script according to the user's rights and the parameters submitted by the user, yielding the final executable database SQL script;
a result feedback module, arranged at the application server, for submitting the final database SQL script to the database for execution and returning the result to the caller (the corresponding client). The result feedback module includes a return-result encryption unit that compresses and then encrypts the request data and the returned result by a specified method. A dynamic-time MD5 check is added to the request instruction: when the client requests data it computes an MD5 digest from the current user's password combined with the current time and submits the result to the application server. When the application server receives the instruction it first judges whether the request time differs from the current time by no more than a set time T in either direction; once the time has been verified it computes the MD5 digest from that time and the password held on the application server side and compares it with the received digest, and only when the two agree does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network: even if the request packet is intercepted on the network and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
A software system based on a three-tier architecture, comprising:
a script identification module, for setting an identifier for each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
an access request module, arranged at the client, for sending to the application server the identifier corresponding to an access request, i.e. the identifier of the corresponding database SQL script;
an unauthorized-access judgement module, arranged at the application server, for judging whether the corresponding client is attempting unauthorized access, i.e. whether the user's client has the right to the database SQL script corresponding to the identifier it sent;
an access restriction module, arranged at the application server, for automatically retrieving the database SQL script corresponding to the identifier, obtaining the access rights of the current user's client, and forcibly restricting the range of the database the user may access;
a result feedback module, arranged at the application server, for submitting the final database SQL script to the database for execution and returning the result to the caller.
As a preferred embodiment of the invention, the software system further comprises an executable script generation module, arranged at the application server, for appending further conditions to the database SQL script according to the user's rights and the parameters submitted by the user, yielding the final executable database SQL script.
As a preferred embodiment of the invention, the software system further comprises a request merging module, for merging multiple data requests into one data request set that records the identifiers and parameters of the individual requests, so that the client application interacts with the application server only once and obtains all result sets in a batch.
As a preferred embodiment of the invention, the identifier set by the script identification module is a number.
As a preferred embodiment of the invention, the result feedback module includes a return-result encryption unit that compresses and then encrypts the request data and the returned result by a specified method. A dynamic-time MD5 check is added to the request instruction: when the client requests data it computes an MD5 digest from the current user's password combined with the current time and submits the result to the application server. When the application server receives the instruction it first judges whether the request time differs from the current time by no more than a set time T in either direction; once the time has been verified it computes the MD5 digest from that time and the password held on the application server side and compares it with the received digest, and only when the two agree does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network: even if the request packet is intercepted on the network and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
A data request method based on a three-tier architecture software system, comprising the following steps:
the script numbering module sets the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the number corresponding to the access request, i.e. the number of the corresponding database SQL script;
the unauthorized-access judgement module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, i.e. whether the user's client has the right to the database SQL script corresponding to the number it sent;
the access restriction module, arranged at the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and forcibly restricts the range of the database the user may access;
the request merging module merges multiple data requests into one data request set that records the numbers and parameters of the individual requests, so that the client application interacts with the application server only once and obtains all result sets in a batch;
the executable script generation module appends further conditions to the database SQL script according to the user's rights and the parameters submitted by the user, yielding the final executable database SQL script;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The result feedback module compresses and then encrypts the request data and the returned result by a specified method. A dynamic-time MD5 check is added to the request instruction: when the client requests data it computes an MD5 digest from the current user's password combined with the current time and submits the result to the application server. When the application server receives the instruction it first judges whether the request time differs from the current time by no more than a set time T in either direction; once the time has been verified it computes the MD5 digest from that time and the password held on the application server side and compares it with the received digest, and only when the two agree does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network: even if the request packet is intercepted on the network and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
A data request method based on a three-tier architecture software system, comprising the following steps:
the script identification module sets an identifier for each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, i.e. the identifier of the corresponding database SQL script;
the unauthorized-access judgement module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, i.e. whether the user's client has the right to the database SQL script corresponding to the identifier it sent;
the access restriction module, arranged at the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and forcibly restricts the range of the database the user may access;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
As a preferred embodiment of the invention, the data request method further comprises: the request merging module merges multiple data requests into one data request set that records the identifiers and parameters of the individual requests, so that the client application interacts with the application server only once and obtains all result sets in a batch.
As a preferred embodiment of the invention, the data request method further comprises: the executable script generation module appends further conditions to the database SQL script according to the user's rights and the parameters submitted by the user, yielding the final executable database SQL script.
As a preferred embodiment of the invention, the identifier set by the script identification module is a number.
As a preferred embodiment of the invention, the result feedback module compresses and then encrypts the request data and the returned result by a specified method. A dynamic-time MD5 check is added to the request instruction: when the client requests data it computes an MD5 digest from the current user's password combined with the current time and submits the result to the application server. When the application server receives the instruction it first judges whether the request time differs from the current time by no more than a set time T in either direction; once the time has been verified it computes the MD5 digest from that time and the password held on the application server side and compares it with the received digest, and only when the two agree does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network: even if the request packet is intercepted on the network and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
The system of the invention comprises:
(1) a mechanism, in application development, that allows database SQL scripts and their numbers to be defined per application module;
(2) a mechanism on the application server that judges whether a user is attempting unauthorized access to the current number;
(3) a mechanism on the application server that, according to the number and the current user, automatically retrieves the corresponding database SQL script and number and forcibly restricts the range of the data table the user may access;
(4) a way, during application development, of initiating data requests by number and parameters, either individually or merged.
The method flow of the invention comprises:
(1) During client application development, whenever a client operation involves a data requirement, the database SQL script for that data request is defined in the application module's development, and a number and mandatory conditions are specified.
(2) When the end user actually performs the operation, the number is submitted to the application server.
(3) The application server performs an authorization check according to the module name, judging whether the current user is authorized for that module.
(4) According to the module and number, the application server extracts the database SQL script from the prior definition and, according to the current user and the environment, automatically appends a range restriction. For example, a database SQL script may define that when a user queries sales records the query is restricted to the sales of the user's own store; the application server then appends that query range automatically according to the requesting user.
(5) After the above steps, the application server appends further conditions to the database SQL script according to the parameters submitted by the end user, yielding the final executable database SQL script.
(6) The application server submits the final database SQL script to the database for execution and returns the result to the caller.
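The flow above, as an added worked example that is not the patent's own code: a Python model of steps (1) to (6) together with the merged-request call, using a numbered script registry, a per-user authorization check, a store-scope condition the server forces onto the script, client parameters bound as values rather than spliced into the SQL, and execution against an in-memory SQLite database. Table names, user names, script numbers and rows are constructed for the example.

```python
import sqlite3

# Step (1): scripts defined at development time and keyed by number.
# Constructed registry; column names here are trusted server-side data.
SCRIPTS = {
    1001: {"sql": "SELECT id, store, amount FROM sales",
           "scope_col": "store", "param_col": "id"},
    2001: {"sql": "SELECT id, store, salary FROM payroll",
           "scope_col": "store", "param_col": "id"},
}

# Server-side user records (constructed): which numbers each user may call
# and the user's store, which drives the forced range restriction of step (4).
USERS = {
    "clerk_a": {"store": "A", "allowed": {1001}},
    "manager_b": {"store": "B", "allowed": {1001, 2001}},
}


class AccessDenied(Exception):
    """Raised by the unauthorized-access check of step (3)."""


def authorized(number, user):
    return number in USERS.get(user, {}).get("allowed", set())


def build_sql(number, user, params):
    """Steps (3)-(5): check the user's right to the number, retrieve the
    script, append the forced scope condition, then append the client's
    parameter condition. Column names come only from SCRIPTS; every
    client-supplied value is a bind parameter, never concatenated."""
    if not authorized(number, user):
        raise AccessDenied(f"{user} may not call script {number}")
    script = SCRIPTS[number]
    sql = f"{script['sql']} WHERE {script['scope_col']} = ?"
    binds = [USERS[user]["store"]]
    if "id" in params:
        sql += f" AND {script['param_col']} = ?"
        binds.append(params["id"])
    return sql + " ORDER BY id", binds


def execute_request(conn, number, user, params=None):
    """Step (6): run the final script and return the rows to the caller."""
    sql, binds = build_sql(number, user, params or {})
    return conn.execute(sql, binds).fetchall()


def execute_batch(conn, user, requests):
    """Request merging: one call carrying several (number, params) pairs
    returns one result set per request, in order."""
    return [execute_request(conn, number, user, params)
            for number, params in requests]


def make_demo_db():
    """Constructed sample data: two stores, two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales(id INTEGER, store TEXT, amount INTEGER);
        INSERT INTO sales VALUES (1, 'A', 100), (2, 'A', 250), (3, 'B', 900);
        CREATE TABLE payroll(id INTEGER, store TEXT, salary INTEGER);
        INSERT INTO payroll VALUES (1, 'A', 3000), (2, 'B', 4000);
    """)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(execute_request(db, 1001, "clerk_a"))             # store A rows only
    print(execute_request(db, 1001, "clerk_a", {"id": 3}))  # [] : row 3 is store B
    try:
        execute_request(db, 2001, "clerk_a")
    except AccessDenied as e:
        print("denied:", e)
    print(execute_batch(db, "manager_b", [(1001, {}), (2001, {"id": 2})]))
```

The two checks a reviewer should look for are both visible in build_sql: the scope condition is appended before the client's parameter is considered, so a parameter naming a row in another store returns nothing rather than leaking it, and a number the user is not entitled to fails before any SQL is built.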
The beneficial effects of the invention are as follows.
(1) The three-tier architecture software system and data request method proposed by the invention improve system security and prevent unauthorized access to data. They prevent a low-privilege user from accessing high-privilege data by imitating client calls, and can also force different users to access only part of the data in the same table. For example, when a company has several stores, each store manager can be restricted to that store's own sales data in the sales report.
(2) The software system of the invention is flexible and easy to develop and apply. During application development it is only necessary to define the data requests for the current module; once the data has been requested, the client is allowed to perform business-logic judgement and computation according to the current environment, in particular according to the operator's interactive input. Developers do not need to take extra care over the setting of user rights.
(3) The application server version of the software system is unified; developing a new application does not require updating the application server.
(4) The application server of the software system carries little load, because it only needs to extract the database SQL script and perform the authorization computation, not the business logic. That part of the load is spread over the large number of clients and has essentially no material effect on them.
(5) In the software system of the invention the request instruction packet is small, saving network bandwidth, and requests may be merged, which greatly reduces the number of interactions and improves the user's operating experience on the client.
In a secure and controllable way, the invention allows the client application to obtain the data deployed on the server and then, according to that data and in combination with the user's operation context and interaction on the client, perform logical judgement and computation in the client application. That judgement and computation involve no interaction with the application server, which greatly improves the flexibility with which client applications handle various complex business scenarios.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the three-tier architecture software system of the invention.
Fig. 2 is a flow chart of the data request method based on the three-tier architecture software system of the invention.
Embodiment
The preferred embodiment that the invention will now be described in detail with reference to the accompanying drawings.
Embodiment one
Referring to Fig. 1, present invention is disclosed one kind to be based on three-tier architecture software systems, the software systems include:Script
Numbering setting module 1, access request module 2, unauthorized access judge module 3, access limitation module 4, request merge calling module
5th, script generation module 6, result feedback module 7 be can perform.
For script numbering setting module 1 to set the numbering of database SQL script, each unique number corresponds to one group of data
Storehouse SQL scripts.It is not necessarily numbering it is of course also possible to which the flag of database SQL script is identified for other.In visitor
In the application development process of family end, when such as running into client operation and being related to data demand, the data defined in application module exploitation
The database SQL script of request, and specify numbering and mandatory condition.
Access request module 2 is arranged at client, to send numbering corresponding to access request to application server, that is, counts
According to numbering corresponding to the SQL scripts of storehouse;Also include relevant parameter (necessary additional filter condition parameter) in the information sent simultaneously.
Such as:It is the order of all storage documents of inquiry corresponding to some database SQL script numbering data, and parameter can be then tool
Some document numbering of body;The result so asked just only specifies the data of document.
Unauthorized access judge module 3 is arranged at application server, to judge that corresponding client whether there is unauthorized access,
Judge whether subscription client there is it to send the authority of numbering correspondence database SQL scripts.
Access limitation module 4 to be arranged in application server, to transfer out data corresponding to numbering automatically according to numbering
Storehouse SQL scripts, its access rights is obtained according to active user's client, and volitional check user is to the access profile of database.
Application server extracts the database SQL script according to the module and numbering from prior definition, according to active user and
Ambient conditions, automatic additional range limitation.Such as:The database SQL script has a definition, when user inquires about sales figure,
The sale of shops where limitation can only inquire about me;Application server will add the inquiry model automatically according to current request user
Enclose.
Request merges calling module 5 multiple request of data are merged into a request of data collection, and request of data is concentrated
The numbering and parameter of multiple requests are recorded, the application program of client only needs to interact with application server once, with regard to obtaining in batches
Get whole result sets.
Executable script generation module 6 is arranged at application server, to the authority according to the user, is submitted with reference to user
Parameter, the further condition of database SQL script is added, the database SQL script that finally can perform.
As a result feedback module 7 is arranged in application server, is held final data storehouse SQL scripts are submitted into database
OK, caller (corresponding to client) is returned result to.
Preferably, result feedback module 7 includes a returned-result encryption unit, which compresses the request data and the returned result and then encrypts them by a specified method. A dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption (an MD5 digest over the current user's password combined with the current time) and submits the result to the application server. When the application server receives the instruction, it first judges whether the difference between the request time and the current time is within a set time T (for example 5 minutes); once the time is verified as valid, it performs the same MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent. This mechanism keeps the client password from being exposed on the network: even if a request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T (10 minutes).
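The time-window check described above, as an added example in Python (not code from the patent). Assumptions, none of which the page fixes: T is 5 minutes, the request time is a Unix timestamp in whole seconds, and the client hashes `time:password`. The replay cache goes beyond the page: the described mechanism bounds a captured digest's lifetime to 2T but does not by itself stop the same packet being presented again inside that window.

```python
"""Time-bound MD5 request authenticator (added example, not the patent's code)."""
import hashlib
import hmac

# Assumption: the set time T is 5 minutes, handled here in seconds.
WINDOW_T = 5 * 60


def client_token(password: str, request_time: int) -> str:
    """Client side: MD5 over the request time mixed with the user's password.

    Assumptions (the page fixes none of them): request_time is a Unix
    timestamp in whole seconds, and time and password are joined with ':'.
    Only this digest and the plaintext request_time travel over the network;
    the password itself stays on the client.
    """
    return hashlib.md5(f"{request_time}:{password}".encode("utf-8")).hexdigest()


class RequestAuthenticator:
    """Application-server side of the check the text describes."""

    def __init__(self, stored_passwords: dict[str, str], window: int = WINDOW_T) -> None:
        # The server needs the same secret the client hashed (the page's
        # "password reserved at the application service end").
        self._passwords = stored_passwords
        self._window = window
        # Added beyond the page: digests already accepted. The time window
        # bounds a captured digest's lifetime to 2T; this cache stops the same
        # packet being replayed inside that window.
        self._seen: set[tuple[str, int, str]] = set()

    def verify(self, user: str, request_time: int, token: str, now: int) -> tuple[bool, str]:
        """Return (accepted, reason) for one request instruction."""
        stored = self._passwords.get(user)
        if stored is None:
            return False, "unknown user"
        # First check of the text: |request_time - now| must not exceed T.
        if abs(now - request_time) > self._window:
            return False, "stale request"
        # Second check: recompute with the server-held password and compare
        # in constant time.
        expected = client_token(stored, request_time)
        if not hmac.compare_digest(expected, token):
            return False, "token mismatch"
        key = (user, request_time, token)
        if key in self._seen:
            return False, "replay"
        self._seen.add(key)
        return True, "ok"


def acceptance_bounds(request_time: int, window: int = WINDOW_T) -> tuple[int, int]:
    """Earliest and latest server clock values at which a digest stamped with
    request_time still passes the time check: a span of 2T, the "twice the
    set time" lifetime the text gives for an intercepted digest."""
    return request_time - window, request_time + window


if __name__ == "__main__":
    server = RequestAuthenticator({"alice": "s3cret"})
    t = 1_700_000_000
    token = client_token("s3cret", t)
    print(server.verify("alice", t, token, now=t + 120))   # fresh request
    print(server.verify("alice", t, token, now=t + 121))   # same packet again
    print(acceptance_bounds(t))
```

Two properties of the scheme follow from the code: the server must hold each password in a form from which `client_token` can be recomputed, so that store is as sensitive as the passwords themselves; and MD5 acts here as a keyed digest that authenticates the request, not as encryption of its contents, which is why the text pairs it with a separate compress-then-encrypt step for the payload.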
The composition of the software system based on a three-tier architecture according to the invention has been described above. Together with the system, the invention also discloses a data request method based on three-tier architecture software systems. Referring to Fig. 2, the data request method includes the following steps:
【Step S1】 The script numbering setting module sets the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
【Step S2】 The access request module, arranged at the client, sends to the application server the number corresponding to the access request, namely the number corresponding to the database SQL script;
【Step S3】 The unauthorized access judging module, arranged at the application server, judges whether the corresponding client is making an unauthorized access, that is, whether the user client has the authority for the database SQL script corresponding to the number it sent;
【Step S4】 The access limitation module, arranged at the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user client, and automatically limits the user's access scope to the database;
【Step S5】 The request merging and calling module merges multiple data requests into one data request set, which records the numbers and parameters of the multiple requests, so that the client application interacts with the application server only once and obtains all the result sets in a single batch;
【Step S6】 The executable script generation module adds further conditions to the database SQL script according to the user's authority and the parameters submitted by the user, producing the final executable database SQL script;
【Step S7】 The result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The result feedback module compresses the request data and the returned result and then encrypts them by a specified method. A dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption over the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the difference between the request time and the current time is within the set time T, and once the time is verified as valid, performs MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent. This mechanism keeps the client password from being exposed on the network: even if the request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
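Steps S1 to S7 carried through end to end, as an added example in Python with an in-memory SQLite database (not code from the patent). It omits the compression and encryption of the transport in S7. The script registry with its allowed roles, the user directory, the `sales` table and the subquery wrapping used to apply the shop scope are all assumptions; the page specifies only that the server selects the script by number, checks authority, adds the scope condition, binds the user's parameters and executes. The point a practitioner should take from it is that the client only ever contributes a number and parameter values, never SQL text, so the scope condition the server adds cannot be removed from the client side.

```python
"""Numbered SQL script request pipeline (added example, not the patent's code)."""
import sqlite3
from typing import Any

# Step S1: the application server numbers its SQL scripts. Assumption: each
# entry also lists the roles allowed to call it; the page says only that the
# server knows whether a user has authority for a number.
SCRIPTS: dict[int, dict[str, Any]] = {
    1001: {
        "sql": "SELECT shop_id, product, amount FROM sales WHERE sale_date = :sale_date",
        "roles": {"shopkeeper", "manager"},
    },
    1002: {
        "sql": "SELECT shop_id, SUM(amount) AS total FROM sales GROUP BY shop_id",
        "roles": {"manager"},
    },
}

# Constructed user directory: a shopkeeper is scoped to one shop, a manager to none.
USERS: dict[str, dict[str, Any]] = {
    "zhang": {"role": "shopkeeper", "shop_id": 1},
    "boss": {"role": "manager", "shop_id": None},
}


class UnauthorizedAccess(PermissionError):
    """Raised by the step S3 check."""


def check_authority(user: str, script_no: int) -> dict[str, Any]:
    """Step S3: reject a number this user's role may not call."""
    script = SCRIPTS.get(script_no)
    if script is None or USERS[user]["role"] not in script["roles"]:
        raise UnauthorizedAccess(f"{user} may not call script {script_no}")
    return script


def build_executable(user: str, script_no: int, params: dict[str, Any]) -> tuple[str, dict[str, Any]]:
    """Steps S4 and S6: fetch the numbered script, add the server-side scope
    condition and attach the client's parameters as bound values.

    Assumption: the scope is applied by wrapping the script in a subquery and
    filtering on shop_id; the page says only that the server adds the range.
    Only server-held script text is ever interpolated into the SQL string; the
    client's parameters are bound, and the scope value is written after the
    client's parameters are copied, so a client that sends its own
    'scope_shop_id' cannot widen the range.
    """
    script = check_authority(user, script_no)
    sql = script["sql"]
    bound = dict(params)
    shop_id = USERS[user]["shop_id"]
    if shop_id is not None:
        sql = f"SELECT * FROM ({sql}) AS scoped WHERE shop_id = :scope_shop_id"
        bound["scope_shop_id"] = shop_id
    return sql, bound


def run_request_set(conn: sqlite3.Connection, user: str, request_set: list[dict[str, Any]]) -> list[list[tuple]]:
    """Steps S5 and S7: one call carries several {number, params} requests and
    returns one result set per request, in the same order."""
    results = []
    for req in request_set:
        sql, bound = build_executable(user, req["no"], req.get("params", {}))
        results.append(conn.execute(sql, bound).fetchall())
    return results


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: two shops, one trading day."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (shop_id INTEGER, product TEXT, amount INTEGER, sale_date TEXT)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?, ?)",
        [(1, "tea", 30, "2016-06-02"), (1, "rice", 20, "2016-06-02"), (2, "tea", 50, "2016-06-02")],
    )
    return conn


if __name__ == "__main__":
    db = sample_db()
    day = {"sale_date": "2016-06-02"}
    # The shopkeeper asks for the whole day's sales and receives only shop 1.
    print(run_request_set(db, "zhang", [{"no": 1001, "params": day}]))
    # The manager merges two requests into one round trip.
    print(run_request_set(db, "boss", [{"no": 1001, "params": day}, {"no": 1002}]))
```

Running the shopkeeper's request against the same script the manager uses returns only shop 1's rows, and asking for the manager-only script 1002 fails at the S3 check before any SQL is built.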
Embodiment two
A software system based on a three-tier architecture, the software system including: a script identification module, an access request module, an unauthorized access judging module, an access limitation module and a result feedback module.
The script identification module sets the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
The access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, namely the identifier corresponding to the database SQL script;
The unauthorized access judging module, arranged at the application server, judges whether the corresponding client is making an unauthorized access, that is, whether the user client has the authority for the database SQL script corresponding to the identifier it sent;
The access limitation module, arranged at the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user client, and automatically limits the user's access scope to the database;
The result feedback module, arranged at the application server, submits the final database SQL script to the database for execution and returns the result to the caller.
The invention also discloses a data request method based on three-tier architecture software systems, the data request method including the following steps:
The script identification module sets the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
The access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, namely the identifier corresponding to the database SQL script;
The unauthorized access judging module, arranged at the application server, judges whether the corresponding client is making an unauthorized access, that is, whether the user client has the authority for the database SQL script corresponding to the identifier it sent;
The access limitation module, arranged at the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user client, and automatically limits the user's access scope to the database;
The result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
In summary, the software system based on a three-tier architecture and its data request method proposed by the invention improve system security and prevent unauthorized access to data. They prevent a low-authority user from accessing high-authority data by issuing calls from a simulated client, and can also force different users to access only part of the data in the same data table. For example, for a company with several shops, each shopkeeper can be limited to accessing only the sales data of his own shop in the trading statement.
The software system of the invention is flexible and easy to develop and apply. During application development it is only necessary to define the data requests for the current module; after the data has been requested, the client is allowed to judge and compute business logic according to the current environment, in particular according to the operator's interactive input. Developers need not additionally concern themselves with setting user authority.
The application server version of the software system is unified; developing a new application does not require updating the application server.
The load on the application server is small, because the application server only needs to retrieve the database SQL script and perform the authority judgement, without computing any business logic. That part of the load is distributed over the large number of clients and has essentially no material impact on any one client.
In the software system, request instruction packets are small, which saves network bandwidth; request data may be merged, which greatly reduces the number of interactions and improves the user's operating experience at the client.
In a secure and controllable way, the invention allows the client application to obtain the data deployed on the server and then, according to that data and combined with the user's operating context and interaction at the client, to perform logical judgement and computation inside the client application. The judging and computing process does not involve any interaction with the application server. This greatly improves the flexibility of the client application in handling complex business scenes.
The description and application of the invention given here are illustrative and are not intended to limit the scope of the invention to the embodiments described above. Variations and changes of the embodiments disclosed herein are possible, and substitutes and equivalents for the various parts of the embodiments are known to those skilled in the art. Those skilled in the art should appreciate that, without departing from the spirit or essential characteristics of the invention, the invention can be realised in other forms, structures, arrangements and proportions, and with other components, materials and parts. Other variations and changes of the embodiments disclosed herein may be made without departing from the scope and spirit of the invention.
Claims (10)
1. A software system based on a three-tier architecture, characterised in that the software system includes:
a script numbering setting module, for setting the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
an access request module, arranged at the client, for sending to the application server the number corresponding to the access request, namely the number corresponding to the database SQL script; the information sent also includes any necessary additional filter condition parameters;
an unauthorized access judging module, arranged at the application server, for judging whether the corresponding client is making an unauthorized access, namely whether the user client has the authority for the database SQL script corresponding to the number it sent;
an access limitation module, arranged at the application server, for automatically retrieving the database SQL script corresponding to the number, obtaining the access rights of the current user client, and automatically limiting the user's access scope to the database;
a request merging and calling module, for merging multiple data requests into one data request set, the data request set recording the numbers and parameters of the multiple requests, so that the client application interacts with the application server only once and obtains all the result sets in a single batch;
an executable script generation module, arranged at the application server, for adding further conditions to the database SQL script according to the user's authority and the parameters submitted by the user, producing the final executable database SQL script;
a result feedback module, arranged at the application server, for submitting the final database SQL script to the database for execution and returning the result to the caller; the result feedback module includes a returned-result encryption unit, which compresses the request data and the returned result and then encrypts them by a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption over the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the difference between the request time and the current time is within a set time T, and once the time is verified as valid, performs MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent; this mechanism keeps the client password from being exposed on the network, and even if the request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
2. A software system based on a three-tier architecture, characterised in that the software system includes:
a script identification module, for setting the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
an access request module, arranged at the client, for sending to the application server the identifier corresponding to the access request, namely the identifier corresponding to the database SQL script;
an unauthorized access judging module, arranged at the application server, for judging whether the corresponding client is making an unauthorized access, namely whether the user client has the authority for the database SQL script corresponding to the identifier it sent;
an access limitation module, arranged at the application server, for automatically retrieving the database SQL script corresponding to the identifier, obtaining the access rights of the current user client, and automatically limiting the user's access scope to the database;
a result feedback module, arranged at the application server, for submitting the final database SQL script to the database for execution and returning the result to the caller.
3. The software system based on a three-tier architecture according to claim 2, characterised in that:
the software system further includes an executable script generation module, arranged at the application server, for adding further conditions to the database SQL script according to the user's authority and the parameters submitted by the user, producing the final executable database SQL script.
4. The software system based on a three-tier architecture according to claim 2, characterised in that:
the software system further includes a request merging and calling module, for merging multiple data requests into one data request set, the data request set recording the identifiers and parameters of the multiple requests, so that the client application interacts with the application server only once and obtains all the result sets in a single batch.
5. The software system based on a three-tier architecture according to claim 2, characterised in that:
the result feedback module includes a returned-result encryption unit, which compresses the request data and the returned result and then encrypts them by a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption over the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the difference between the request time and the current time is within a set time T, and once the time is verified as valid, performs MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent; this mechanism keeps the client password from being exposed on the network, and even if the request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
6. A data request method based on three-tier architecture software systems, characterised in that the data request method includes the following steps:
the script numbering setting module sets the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the number corresponding to the access request, namely the number corresponding to the database SQL script;
the unauthorized access judging module, arranged at the application server, judges whether the corresponding client is making an unauthorized access, namely whether the user client has the authority for the database SQL script corresponding to the number it sent;
the access limitation module, arranged at the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user client, and automatically limits the user's access scope to the database;
the request merging and calling module merges multiple data requests into one data request set, the data request set recording the numbers and parameters of the multiple requests, so that the client application interacts with the application server only once and obtains all the result sets in a single batch;
the executable script generation module adds further conditions to the database SQL script according to the user's authority and the parameters submitted by the user, producing the final executable database SQL script;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller; the result feedback module compresses the request data and the returned result and then encrypts them by a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption over the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the difference between the request time and the current time is within a set time T, and once the time is verified as valid, performs MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent; this mechanism keeps the client password from being exposed on the network, and even if the request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
7. A data request method based on three-tier architecture software systems, characterised in that the data request method includes the following steps:
the script identification module sets the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, namely the identifier corresponding to the database SQL script;
the unauthorized access judging module, arranged at the application server, judges whether the corresponding client is making an unauthorized access, namely whether the user client has the authority for the database SQL script corresponding to the identifier it sent;
the access limitation module, arranged at the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user client, and automatically limits the user's access scope to the database;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
8. The data request method according to claim 7, characterised in that:
the data request method further includes: the request merging and calling module merges multiple data requests into one data request set, the data request set recording the identifiers and parameters of the multiple requests, so that the client application interacts with the application server only once and obtains all the result sets in a single batch.
9. The data request method according to claim 7, characterised in that:
the data request method further includes: the executable script generation module adds further conditions to the database SQL script according to the user's authority and the parameters submitted by the user, producing the final executable database SQL script.
10. The data request method according to claim 7, characterised in that:
the identifier set by the script identification module is a number;
the result feedback module compresses the request data and the returned result and then encrypts them by a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption over the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the difference between the request time and the current time is within a set time T, and once the time is verified as valid, performs MD5 hybrid encryption over that time and the password held at the application server side, compares the result with the value received, and responds to the client's data request only if the two are consistent; this mechanism keeps the client password from being exposed on the network, and even if the request packet is intercepted and the calling credential extracted from it, that credential is valid only within twice the set time, 2T.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610383404.2A CN107465641B (en) | 2016-06-02 | 2016-06-02 | Software system based on three-layer architecture and data request method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107465641A true CN107465641A (en) | 2017-12-12 |
CN107465641B CN107465641B (en) | 2020-08-18 |
Family
ID=60544534
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112162996A (en) * | 2020-09-23 | 2021-01-01 | 金现代信息产业股份有限公司 | Database access method and system for in-station graph editor |
CN113420327A (en) * | 2021-06-23 | 2021-09-21 | 平安国际智慧城市科技股份有限公司 | Data authority control method, system, electronic device and storage medium |
CN117113326A (en) * | 2023-08-31 | 2023-11-24 | 金锐软件技术(杭州)有限公司 | Authorized access system based on ABAC model |
CN117113326B (en) * | 2023-08-31 | 2024-03-12 | 金锐软件技术(杭州)有限公司 | Authorized access system based on ABAC model |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1694555A (en) * | 2005-05-24 | 2005-11-09 | 北京易诚世纪科技有限公司 | Dynamic cipher system and method based on mobile communication terminal |
US20080319998A1 (en) * | 2007-06-20 | 2008-12-25 | Michael Bender | System and method for dynamic authorization to database objects |
CN103530568A (en) * | 2012-07-02 | 2014-01-22 | 阿里巴巴集团控股有限公司 | Authority control method, device and system |
CN103716356A (en) * | 2012-10-09 | 2014-04-09 | 三亚中兴软件有限责任公司 | Storage process operation method, device and system based on Web |
CN104243532A (en) * | 2013-06-21 | 2014-12-24 | 鸿富锦精密工业(深圳)有限公司 | Data access method and system |
CN105094961A (en) * | 2015-08-11 | 2015-11-25 | 北京思特奇信息技术股份有限公司 | Task scheduling management system based on quartz frame and method thereof |
CN105307172A (en) * | 2015-11-13 | 2016-02-03 | 四川虹信软件有限公司 | Dynamic time-based Bluetooth base station legitimacy verification method |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CP02 | Change in the address of a patent holder | Address after: 201206 rooms 904, 906 and 907, building 35, Lane 2777, Jinxiu East Road, Pudong New Area, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai; Patentee after: SHANGHAI HYDEE SOFTWARE Corp.,Ltd. Address before: Room 2225, 345 Jinxiang Road, Pudong New Area, Shanghai, 20106; Patentee before: SHANGHAI HYDEE SOFTWARE Corp.,Ltd. |