CN107465641A - Software system based on a three-tier architecture and data request method thereof - Google Patents


Publication number
CN107465641A
Authority
CN
China
Prior art keywords
request
data
module
client
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610383404.2A
Other languages
Chinese (zh)
Other versions
CN107465641B (en
Inventor
夏其峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Sea Code Software Ltd By Share Ltd
Original Assignee
Shanghai Sea Code Software Ltd By Share Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Sea Code Software Ltd By Share Ltd filed Critical Shanghai Sea Code Software Ltd By Share Ltd
Priority to CN201610383404.2A priority Critical patent/CN107465641B/en
Publication of CN107465641A publication Critical patent/CN107465641A/en
Application granted granted Critical
Publication of CN107465641B publication Critical patent/CN107465641B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a software system based on a three-tier architecture and a data request method for it. The software system includes a script identifier module, an access request module, an unauthorized access determination module, an access restriction module, and a result feedback module. The script identifier module sets the identifier of each database SQL script. The access request module sends the identifier corresponding to an access request to the application server. The unauthorized access determination module determines whether the requesting client is attempting unauthorized access. The access restriction module automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's scope of access to the database. The result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The invention can improve system security and prevent unauthorized access to data.

Description

Software system based on a three-tier architecture and data request method thereof
Technical field
The invention belongs to the technical field of computer software and relates to a software system, in particular to a software system based on a three-tier architecture; the invention also relates to a data request method based on the three-tier architecture software system.
Background
With the rise of the Internet, more and more software provides Internet-based access and applications. The architecture generally used in this case is the three-tier architecture of "database server - application server - client application or client browser". The application server is exposed to the Internet so that clients can access it over the Internet. In this case, the client's calls to the application server and the resulting data interaction must be secure and efficient. At present such calls take one of several forms:
(1) Website mode. The application server is a web server that returns web pages to the client, and the client uses a web browser (such as Chrome or Internet Explorer) to interact with it. This is what is commonly called the B-S (browser-server) architecture.
(2) API calls based on database statements. The client is an application that sends the statement to be executed to the application server; the application server submits it to the database server for execution and returns the result to the caller.
(3) API calls based on business type. The client is an application. When it needs to request data, it sends an instruction to the application server; the instruction contains the type of business operation and the related parameters. After receiving the instruction, the application server parses it, converts it into database statements, hands them to the database server for execution, and returns the result to the caller.
These approaches have the following shortcomings:
(1) Shortcomings of website mode: the client in this mode must be a web browser, so many application features are limited by the browser type and version, and compatibility is difficult. The characteristics of web browsers also greatly reduce the convenience of many user operations and the extensibility of the client's interfaces to other software and hardware.
(2) Shortcomings of API calls based on database scripts: because the statement is submitted directly by the client program, it is difficult for the application server and database server to implement fine-grained permission control. The statement itself can be very complex and involve multiple objects, so it is hard for the server to determine whether the requesting user has operating rights on those objects, and a low-privilege account that simulates the client program may obtain data access beyond its authority. In addition, every call request is a complete database SQL script, which increases the size of the request packet and wastes bandwidth.
(3) Shortcomings of API calls based on business type: the application server must perform a large amount of parsing and computation on each instruction before it can be converted into a database SQL script and submitted to the database, so overhead and cost are high; and when new applications are developed on the client, the application server may need to be updated, which is inconvenient.
In view of this, there is an urgent need for a new software system that overcomes the above drawbacks of existing software systems.
Summary of the invention
The technical problem to be solved by the invention is to provide a software system based on a three-tier architecture that can improve system security and prevent unauthorized access to data.
In addition, the invention provides a data request method based on the three-tier architecture software system that can improve system security and prevent unauthorized access to data.
To solve the above technical problem, the invention adopts the following technical solution:
A software system based on a three-tier architecture, the software system including:
a script number setting module, configured to set the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
an access request module, arranged at the client and configured to send to the application server the number corresponding to an access request, that is, the number of the corresponding database SQL script; the information sent also includes the related parameters (any necessary additional filter-condition parameters);
an unauthorized access determination module, arranged at the application server and configured to determine whether the requesting client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent;
an access restriction module, arranged in the application server and configured to automatically retrieve the database SQL script corresponding to the number, obtain the access rights of the current user's client, and automatically restrict the user's scope of access to the database;
a request merging module, configured to merge multiple data requests into one data request set that records the numbers and parameters of the multiple requests, so that the client application needs to interact with the application server only once to obtain all result sets in a batch;
an executable script generation module, arranged at the application server and configured to append further conditions to the database SQL script according to the user's permissions and the parameters submitted by the user, yielding the final executable database SQL script;
a result feedback module, arranged in the application server and configured to submit the final database SQL script to the database for execution and return the result to the caller (the corresponding client). The result feedback module includes a returned-result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method. A dynamic-time mixed encryption technique is added to the data request instruction: when the client requests data, it performs MD5 mixed encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it determines whether the request time differs from the current time by no more than a set time T in either direction; once the time is verified as valid, it performs MD5 mixed encryption on that time and the password held at the application server and compares the client's result with its own; only if they match does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is separated out of it, that password is valid only within twice the set time, 2T.
A software system based on a three-tier architecture, the software system including:
a script identifier module, configured to set the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
an access request module, arranged at the client and configured to send to the application server the identifier corresponding to an access request, that is, the identifier of the corresponding database SQL script;
an unauthorized access determination module, arranged at the application server and configured to determine whether the requesting client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
an access restriction module, arranged in the application server and configured to automatically retrieve the database SQL script corresponding to the identifier, obtain the access rights of the current user's client, and automatically restrict the user's scope of access to the database;
a result feedback module, arranged in the application server and configured to submit the final database SQL script to the database for execution and return the result to the caller.
As a preferred scheme of the invention, the software system also includes an executable script generation module, arranged at the application server and configured to append further conditions to the database SQL script according to the user's permissions and the parameters submitted by the user, yielding the final executable database SQL script.
As a preferred scheme of the invention, the software system also includes a request merging module, configured to merge multiple data requests into one data request set that records the identifiers and parameters of the multiple requests, so that the client application needs to interact with the application server only once to obtain all result sets in a batch.
As a preferred scheme of the invention, the identifier set by the script identifier module is a number.
As a preferred scheme of the invention, the result feedback module includes a returned-result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method. A dynamic-time mixed encryption technique is added to the data request instruction: when the client requests data, it performs MD5 mixed encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it determines whether the request time differs from the current time by no more than a set time T in either direction; once the time is verified as valid, it performs MD5 mixed encryption on that time and the password held at the application server and compares the client's result with its own; only if they match does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is separated out of it, that password is valid only within twice the set time, 2T.
A data request method based on a three-tier architecture software system, the data request method including the following steps:
the script number setting module sets the number of each database SQL script, each unique number corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the number corresponding to an access request, that is, the number of the corresponding database SQL script;
the unauthorized access determination module, arranged at the application server, determines whether the requesting client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent;
the access restriction module, arranged in the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and automatically restricts the user's scope of access to the database;
the request merging module merges multiple data requests into one data request set that records the numbers and parameters of the multiple requests, so that the client application needs to interact with the application server only once to obtain all result sets in a batch;
the executable script generation module appends further conditions to the database SQL script according to the user's permissions and the parameters submitted by the user, yielding the final executable database SQL script;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The result feedback module compresses and then encrypts the request data and the returned result according to a specified method. A dynamic-time mixed encryption technique is added to the data request instruction: when the client requests data, it performs MD5 mixed encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it determines whether the request time differs from the current time by no more than a set time T in either direction; once the time is verified as valid, it performs MD5 mixed encryption on that time and the password held at the application server and compares the client's result with its own; only if they match does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is separated out of it, that password is valid only within twice the set time, 2T.
A data request method based on a three-tier architecture software system, the data request method including the following steps:
the script identifier module sets the identifier of each database SQL script, each unique identifier corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the identifier corresponding to an access request, that is, the identifier of the corresponding database SQL script;
the unauthorized access determination module, arranged at the application server, determines whether the requesting client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
the access restriction module, arranged in the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's scope of access to the database;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
As a preferred scheme of the invention, the data request method further includes: the request merging module merges multiple data requests into one data request set that records the identifiers and parameters of the multiple requests, so that the client application needs to interact with the application server only once to obtain all result sets in a batch.
As a preferred scheme of the invention, the data request method further includes: the executable script generation module appends further conditions to the database SQL script according to the user's permissions and the parameters submitted by the user, yielding the final executable database SQL script.
As a preferred scheme of the invention, the identifier set by the script identifier module is a number.
As a preferred scheme of the invention, the result feedback module compresses and then encrypts the request data and the returned result according to a specified method. A dynamic-time mixed encryption technique is added to the data request instruction: when the client requests data, it performs MD5 mixed encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it determines whether the request time differs from the current time by no more than a set time T in either direction; once the time is verified as valid, it performs MD5 mixed encryption on that time and the password held at the application server and compares the client's result with its own; only if they match does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is separated out of it, that password is valid only within twice the set time, 2T.
The system of the invention includes:
(1) A mechanism that, during application development, allows database SQL scripts and their numbers to be defined per application module.
(2) A mechanism in the application server that can determine whether the user's access to the current number is unauthorized.
(3) A mechanism in the application server that, based on the number and the current user, automatically retrieves the corresponding database SQL script and number and automatically restricts the user's scope of access to the data tables.
(4) A method that, during application development, allows data requests to be initiated by number and parameters, individually or merged.
The method flow of the invention includes:
(1) During client application development, when a client operation requires data, the database SQL script for that data request is defined as part of application module development, and its number and mandatory conditions are specified.
(2) When an end user actually performs the operation, the number is submitted to the application server.
(3) The application server performs a permission check based on the module name, determining whether the current user is authorized for the module.
(4) The application server retrieves the database SQL script from the prior definition according to the module and number, and automatically appends scope restrictions according to the current user and the environment. For example: the database SQL script has a definition that, when a user queries sales records, restricts the query to the sales of the user's own store. The application server automatically appends this query scope according to the user making the request.
(5) Building on the preceding steps, the application server appends further conditions to the database SQL script according to the parameters submitted by the end user, yielding the final executable database SQL script.
(6) The application server submits the final database SQL script to the database for execution and returns the result to the caller.
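The six steps above, as an added Python sketch that is not part of the patent: a server-side registry maps each script number to its module, base SQL, mandatory scope condition and allow-listed optional filters, so the client only ever sends a number and parameters. The registry layout, table names, users and function names are assumptions made for illustration.

```python
import sqlite3


class AccessDenied(Exception):
    """Raised when a user requests a script number they are not authorized for."""


# Constructed registry (assumption): number -> owning module, base SQL,
# mandatory scope condition, and allow-listed optional filter conditions.
SCRIPTS = {
    1001: {
        "module": "sales_report",
        "sql": "SELECT store_id, doc_no, amount FROM sales",
        "forced": ("store_id = :scope_store", "store"),
        "filters": {"doc_no": "doc_no = :doc_no"},
    },
    2001: {
        "module": "payroll",
        "sql": "SELECT name, salary FROM payroll",
        "forced": None,
        "filters": {},
    },
}

# Constructed user directory (assumption): held only on the application server.
USERS = {
    "alice": {"modules": {"sales_report"}, "store": "S1"},
    "carol": {"modules": {"sales_report", "payroll"}, "store": "S2"},
}


def build_statement(user, number, params):
    """Steps 3-5: authorize, fetch the script, append scope and filters."""
    script = SCRIPTS.get(number)
    profile = USERS.get(user)
    if script is None or profile is None:
        raise AccessDenied(f"unknown user or script number {number}")
    if script["module"] not in profile["modules"]:
        raise AccessDenied(f"{user} is not authorized for script {number}")
    conditions, binds = [], {}
    if script["forced"]:
        # The scope value comes from the server-side profile, never the client.
        clause, attr = script["forced"]
        conditions.append(clause)
        binds["scope_" + attr] = profile[attr]
    for name, value in params.items():
        if name not in script["filters"]:
            raise ValueError(f"parameter {name!r} is not defined for script {number}")
        conditions.append(script["filters"][name])
        binds[name] = value  # bound as data, never spliced into the SQL text
    sql = script["sql"]
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    return sql, binds


def execute(conn, user, number, params=None):
    """Step 6: run the final statement and return the rows to the caller."""
    sql, binds = build_statement(user, number, params or {})
    return conn.execute(sql, binds).fetchall()


def execute_batch(conn, user, requests):
    """Merged request: authorize every (number, params) pair, then run them all."""
    statements = [build_statement(user, n, p) for n, p in requests]
    return [conn.execute(sql, binds).fetchall() for sql, binds in statements]


def make_demo_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales (store_id TEXT, doc_no TEXT, amount REAL);
        INSERT INTO sales VALUES ('S1','D-1',100.0),('S1','D-2',50.0),('S2','D-3',75.0);
        CREATE TABLE payroll (name TEXT, salary REAL);
        INSERT INTO payroll VALUES ('bob', 5000.0);
    """)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(build_statement("alice", 1001, {"doc_no": "D-2"}))
    print(execute(db, "alice", 1001))
    print(execute_batch(db, "carol", [(1001, {}), (2001, {})]))
```

Because the store scope is bound from the server-side profile and unknown parameter names are rejected, a simulated client cannot widen its own query by sending extra fields.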
The beneficial effects of the invention are: (1) The three-tier architecture software system and data request method proposed by the invention can improve system security and prevent unauthorized access to data. They can prevent a low-privilege user from accessing high-privilege data by simulating client calls, and can also force different users to be limited to part of the data in the same data table. For example, in a company with multiple stores, each store manager is restricted to accessing only that store's sales data in the transaction report.
(2) The software system of the invention is flexible and easy to develop applications for. During application development, only the data requests for the current module need to be defined; after the data has been retrieved, the client may perform business-logic decisions and computation according to the current environment, and in particular according to the results of the operator's interactive input. Developers need not separately concern themselves with configuring user permissions.
(3) The application server version of the software system is uniform; developing new applications does not require updating the application server.
(4) The load on the application server is small, because the application server only needs to retrieve database SQL scripts and perform permission checks, not business-logic computation. That load is instead spread across a large number of clients, with essentially no material effect on any client.
(5) In the software system of the invention, request instruction packets are small, which saves network bandwidth, and requests can be merged, which greatly reduces the number of interactions and improves the user experience of the client.
The invention, in a secure and controllable manner, allows the client application to retrieve data from the server and then, based on that data together with the user's operating context and user interaction on the client, perform logical decisions and computation in the client application. This decision-making and computation does not involve interaction with the application server. This approach greatly improves the flexibility with which client applications handle complex business scenarios.
Brief description of the drawings
Fig. 1 is a schematic diagram of the composition of the three-tier architecture software system of the invention.
Fig. 2 is a flow chart of the data request method of the three-tier architecture software system of the invention.
Detailed description of the embodiments
Preferred embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment 1
Referring to Fig. 1, present invention is disclosed one kind to be based on three-tier architecture software systems, the software systems include:Script Numbering setting module 1, access request module 2, unauthorized access judge module 3, access limitation module 4, request merge calling module 5th, script generation module 6, result feedback module 7 be can perform.
For script numbering setting module 1 to set the numbering of database SQL script, each unique number corresponds to one group of data Storehouse SQL scripts.It is not necessarily numbering it is of course also possible to which the flag of database SQL script is identified for other.In visitor In the application development process of family end, when such as running into client operation and being related to data demand, the data defined in application module exploitation The database SQL script of request, and specify numbering and mandatory condition.
The access request module 2 is arranged at the client and sends to the application server the number corresponding to the access request, that is, the number of the corresponding database SQL script. The information sent also includes the relevant parameters (necessary additional filter-condition parameters). For example: a given database SQL script number may correspond to a command that queries all storage documents, and the parameter may then be a specific document number; the result of the request then contains only the data of the specified document.
The unauthorized access judging module 3 is arranged at the application server and judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent.
The access limitation module 4 is arranged in the application server. It automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database. Using this module and the number, the application server extracts the database SQL script from the predefined definitions and automatically appends a scope restriction according to the current user and the environment. For example: the database SQL script has a definition stating that, when a user queries sales records, the user can only query the sales of the store where he or she is located; the application server automatically adds this query scope according to the user making the current request.
The request merging and calling module 5 merges multiple data requests into one data request set, which records the numbers and parameters of the multiple requests; the client application only needs to interact with the application server once to obtain all the result sets in a batch.
The executable script generation module 6 is arranged at the application server. According to the user's permissions, and in combination with the parameters submitted by the user, it appends further conditions to the database SQL script to obtain the final executable database SQL script.
The result feedback module 7 is arranged in the application server. It submits the final database SQL script to the database for execution and returns the result to the caller (the corresponding client).
Preferably, the result feedback module 7 includes a return-result encryption unit, which compresses and then encrypts the request data and the returned result according to a specified method. A dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it judges whether the request time is within a set time T (for example, 5 minutes) before or after the current time. After the time is verified as valid, the server performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T (10 minutes).
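The time-mixed MD5 check described above, as an added example that is not code from the patent. The text does not say how password and time are mixed, so the `password|time` layout, the function names and the constant-time comparison are assumptions.

```python
import hashlib
import hmac
import time

T_SECONDS = 5 * 60  # the set time T; 5 minutes is the example value in the text


def mix(password, request_time):
    """MD5 over password and time. The 'password|time' layout is an assumption."""
    return hashlib.md5(f"{password}|{request_time}".encode("utf-8")).hexdigest()


def client_request(password, now=None):
    """Client side: send the time and the digest, never the password itself."""
    request_time = int(time.time() if now is None else now)
    return {"time": request_time, "token": mix(password, request_time)}


def server_verify(request, stored_password, now=None, window=T_SECONDS):
    """Server side: check the time window first, then recompute and compare."""
    now = int(time.time() if now is None else now)
    try:
        request_time = int(request["time"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed time field
    if abs(now - request_time) > window:
        return False  # outside T before or after the server clock
    expected = mix(stored_password, request_time).encode("ascii")
    supplied = str(request.get("token", "")).encode("utf-8")
    return hmac.compare_digest(expected, supplied)


def acceptance_window(request, stored_password, window=T_SECONDS):
    """Return (first, last) server clock values at which this request verifies."""
    t = int(request["time"])
    accepted = [s for s in range(t - window - 2, t + window + 3)
                if server_verify(request, stored_password, now=s, window=window)]
    return (accepted[0], accepted[-1]) if accepted else None


if __name__ == "__main__":
    # Constructed sample values: password "s3cret", request stamped at t = 1000000.
    req = client_request("s3cret", now=1_000_000)
    print(server_verify(req, "s3cret", now=1_000_000))
    print(acceptance_window(req, "s3cret"))
```

`acceptance_window` returns `(t - T, t + T)` for a request stamped `t`, which is the 2T validity period the text states. In this sketch the digest is not bound to a single use, so the same request verifies at any server time inside that span.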
The composition of the software system based on a three-tier architecture has been described above. While disclosing the above system, the present invention also discloses a data request method based on the three-tier architecture software system. Referring to Fig. 2, the data request method includes the following steps:
【Step S1】 The script numbering setting module sets the numbers of the database SQL scripts; each unique number corresponds to one group of database SQL scripts;
【Step S2】 The access request module, arranged at the client, sends to the application server the number corresponding to the access request, that is, the number of the corresponding database SQL script;
【Step S3】 The unauthorized access judging module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent;
【Step S4】 The access limitation module, arranged in the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
【Step S5】 The request merging and calling module merges multiple data requests into one data request set, which records the numbers and parameters of the multiple requests; the client application only needs to interact with the application server once to obtain all the result sets in a batch;
【Step S6】 The executable script generation module, according to the user's permissions and in combination with the parameters submitted by the user, appends further conditions to the database SQL script to obtain the final executable database SQL script;
【Step S7】 The result feedback module submits the final database SQL script to the database for execution and returns the result to the caller. The result feedback module compresses and then encrypts the request data and the returned result according to a specified method. A dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server. When the application server receives the instruction, it judges whether the request time is within the set time T before or after the current time. After the time is verified as valid, the server performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request. This mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T.
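Steps S1 to S6 above, as an added example that is not code from the patent: a server-side registry of numbered SQL scripts with a permission check, an automatically appended store scope, and a merged request set. The script numbers, role names, table layout and sample rows are constructed for illustration, and SQLite stands in for the database.

```python
import sqlite3

# Step S1: hypothetical registry. Each number maps to a fixed SQL template, the
# roles allowed to call it, the optional filters a client may supply, and the
# scope condition the server appends for restricted roles.
SCRIPTS = {
    1001: {  # query sales documents
        "sql": "SELECT doc_no, store_id, amount FROM sales WHERE 1=1",
        "roles": {"shopkeeper", "manager"},
        "filters": {"doc_no": " AND doc_no = :doc_no"},
        "scope": {"shopkeeper": " AND store_id = :scope_store_id"},
    },
    2001: {  # query payroll, managers only
        "sql": "SELECT name, salary FROM payroll WHERE 1=1",
        "roles": {"manager"},
        "filters": {},
        "scope": {},
    },
}


class Rejected(Exception):
    """Raised when a request fails the server-side checks."""


def build_statement(user, number, params):
    """Steps S3, S4 and S6: authorize, then assemble the final statement."""
    entry = SCRIPTS.get(number)
    if entry is None or user["role"] not in entry["roles"]:
        raise Rejected(f"script {number} not permitted for role {user['role']}")
    sql, bind = entry["sql"], {}
    for name, value in params.items():
        if name not in entry["filters"]:
            raise Rejected(f"parameter {name!r} not accepted by script {number}")
        sql += entry["filters"][name]
        bind[name] = value  # bound as data, never concatenated into the SQL text
    scope = entry["scope"].get(user["role"])
    if scope:
        sql += scope
        bind["scope_store_id"] = user["store_id"]  # from the session, not the request
    return sql, bind


def handle_request_set(conn, user, request_set):
    """Steps S5 and S7: run a merged set of (number, params) in one round trip."""
    results = []
    for number, params in request_set:
        try:
            sql, bind = build_statement(user, number, params)
            rows = conn.execute(sql, bind).fetchall()
            results.append({"number": number, "rows": rows})
        except Rejected as exc:
            results.append({"number": number, "error": str(exc)})
    return results


def demo_db():
    """Constructed sample data: two stores and one payroll row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sales (doc_no TEXT, store_id INTEGER, amount REAL);
        INSERT INTO sales VALUES ('D-1', 1, 100.0), ('D-2', 1, 50.0), ('D-3', 2, 75.0);
        CREATE TABLE payroll (name TEXT, salary REAL);
        INSERT INTO payroll VALUES ('alice', 1000.0);
        """
    )
    return conn


if __name__ == "__main__":
    keeper = {"name": "keeper1", "role": "shopkeeper", "store_id": 1}
    batch = [(1001, {}), (1001, {"doc_no": "D-3"}), (2001, {})]
    for result in handle_request_set(demo_db(), keeper, batch):
        print(result)
```

The client never supplies SQL text or the store scope: a shopkeeper who asks for another store's document gets an empty result, and a parameter name outside the script's declared filters is rejected before anything reaches the database.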
Embodiment two
A software system based on a three-tier architecture, the software system comprising: a script flag module, an access request module, an unauthorized access judging module, an access limitation module, and a result feedback module.
The script flag module sets the identifiers of the database SQL scripts; each unique identifier corresponds to one group of database SQL scripts;
The access request module is arranged at the client and sends to the application server the identifier corresponding to the access request, that is, the identifier of the corresponding database SQL script;
The unauthorized access judging module is arranged at the application server and judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
The access limitation module is arranged in the application server; it automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
The result feedback module is arranged in the application server; it submits the final database SQL script to the database for execution and returns the result to the caller.
The present invention also discloses a data request method based on the three-tier architecture software system, the data request method including the following steps:
The script flag module sets the identifiers of the database SQL scripts; each unique identifier corresponds to one group of database SQL scripts;
The access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, that is, the identifier of the corresponding database SQL script;
The unauthorized access judging module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
The access limitation module, arranged in the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
The result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
In summary, the software system based on a three-tier architecture and its data request method proposed by the present invention can improve system security and prevent unauthorized access to data. They can prevent low-privilege users from accessing high-privilege data by simulating client calls, and can also enforce, for the same data table, that different users access only part of the data in it. For example: where one company has multiple stores, each store's shopkeeper can be restricted to accessing only the sales data of his or her own store in the sales report.
The software system of the present invention is flexible and makes application development easy. During application development, it is only necessary to define the data requests for the current module; after the data has been requested, the client is allowed to perform business-logic judgment and computation according to the current environment, and in particular to perform business-logic computation according to the results of the operator's interactive input. Developers do not need to concern themselves separately with the setting of user permissions.
The application server version of the software system is unified: developing new applications does not require updating the application server. The load on the application server is small, because the application server only needs to extract database SQL scripts and perform permission checks, and carries out no business-logic computation. That load is instead distributed across the large number of clients and has essentially no material effect on any one client.
In the software system of the present invention, request instruction packets are small, which saves network bandwidth; merging data requests is allowed, which greatly reduces the number of interactions and improves the operating experience of client users.
In a secure and controllable manner, the present invention allows the client application to retrieve data from the server and then, based on that data combined with the client's user-operation context and the choices made in user interaction, perform logical judgment and computation within the client application. The judgment and computation do not involve interaction with the application server. This greatly improves the flexibility with which the client application handles various complex business scenarios.
The description and application of the invention here are illustrative and are not intended to limit the scope of the invention to the above embodiments. Variations and changes to the embodiments disclosed herein are possible, and replacements and equivalents of the various components of the embodiments are known to those of ordinary skill in the art. Those skilled in the art should understand that, without departing from the spirit or essential characteristics of the invention, the invention can be realized in other forms, structures, arrangements and proportions, and with other components, materials and parts. Other variations and changes may be made to the embodiments disclosed herein without departing from the scope and spirit of the invention.

Claims (10)

1. A software system based on a three-tier architecture, characterized in that the software system comprises:
a script numbering setting module, which sets the numbers of the database SQL scripts, each unique number corresponding to one group of database SQL scripts;
an access request module, arranged at the client, which sends to the application server the number corresponding to the access request, that is, the number of the corresponding database SQL script; the information sent also includes necessary additional filter-condition parameters;
an unauthorized access judging module, arranged at the application server, which judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent;
an access limitation module, arranged in the application server, which automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
a request merging and calling module, which merges multiple data requests into one data request set, the data request set recording the numbers and parameters of the multiple requests, so that the client application only needs to interact with the application server once to obtain all the result sets in a batch;
an executable script generation module, arranged at the application server, which, according to the user's permissions and in combination with the parameters submitted by the user, appends further conditions to the database SQL script to obtain the final executable database SQL script;
a result feedback module, arranged in the application server, which submits the final database SQL script to the database for execution and returns the result to the caller; the result feedback module includes a return-result encryption unit, which compresses and then encrypts the request data and the returned result according to a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the request time is within the set time T before or after the current time; after the time is verified as valid, it performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request; this mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T.
2. A software system based on a three-tier architecture, characterized in that the software system comprises:
a script flag module, which sets the identifiers of the database SQL scripts, each unique identifier corresponding to one group of database SQL scripts;
an access request module, arranged at the client, which sends to the application server the identifier corresponding to the access request, that is, the identifier of the corresponding database SQL script;
an unauthorized access judging module, arranged at the application server, which judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
an access limitation module, arranged in the application server, which automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
a result feedback module, arranged in the application server, which submits the final database SQL script to the database for execution and returns the result to the caller.
3. The software system based on a three-tier architecture according to claim 2, characterized in that:
the software system further comprises an executable script generation module, arranged at the application server, which, according to the user's permissions and in combination with the parameters submitted by the user, appends further conditions to the database SQL script to obtain the final executable database SQL script.
4. The software system based on a three-tier architecture according to claim 2, characterized in that:
the software system further comprises a request merging and calling module, which merges multiple data requests into one data request set, the data request set recording the identifiers and parameters of the multiple requests, so that the client application only needs to interact with the application server once to obtain all the result sets in a batch.
5. The software system based on a three-tier architecture according to claim 2, characterized in that:
the result feedback module includes a return-result encryption unit, which compresses and then encrypts the request data and the returned result according to a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the request time is within the set time T before or after the current time; after the time is verified as valid, it performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request; this mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T.
6. A data request method based on a three-tier architecture software system, characterized in that the data request method includes the following steps:
the script numbering setting module sets the numbers of the database SQL scripts, each unique number corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the number corresponding to the access request, that is, the number of the corresponding database SQL script;
the unauthorized access judging module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the number it sent;
the access limitation module, arranged in the application server, automatically retrieves the database SQL script corresponding to the number, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
the request merging and calling module merges multiple data requests into one data request set, the data request set recording the numbers and parameters of the multiple requests, so that the client application only needs to interact with the application server once to obtain all the result sets in a batch;
the executable script generation module, according to the user's permissions and in combination with the parameters submitted by the user, appends further conditions to the database SQL script to obtain the final executable database SQL script;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller; the result feedback module compresses and then encrypts the request data and the returned result according to a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the request time is within the set time T before or after the current time; after the time is verified as valid, it performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request; this mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T.
7. A data request method based on a three-tier architecture software system, characterized in that the data request method includes the following steps:
the script flag module sets the identifiers of the database SQL scripts, each unique identifier corresponding to one group of database SQL scripts;
the access request module, arranged at the client, sends to the application server the identifier corresponding to the access request, that is, the identifier of the corresponding database SQL script;
the unauthorized access judging module, arranged at the application server, judges whether the corresponding client is attempting unauthorized access, that is, whether the user's client has permission for the database SQL script corresponding to the identifier it sent;
the access limitation module, arranged in the application server, automatically retrieves the database SQL script corresponding to the identifier, obtains the access rights of the current user's client, and automatically restricts the user's access scope to the database;
the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller.
8. The data request method according to claim 7, characterized in that:
the data request method further comprises: the request merging and calling module merges multiple data requests into one data request set, the data request set recording the identifiers and parameters of the multiple requests, so that the client application only needs to interact with the application server once to obtain all the result sets in a batch.
9. The data request method according to claim 7, characterized in that:
the data request method further comprises: the executable script generation module, according to the user's permissions and in combination with the parameters submitted by the user, appends further conditions to the database SQL script to obtain the final executable database SQL script.
10. The data request method according to claim 7, characterized in that:
the identifier set by the script flag module is a number;
the result feedback module compresses and then encrypts the request data and the returned result according to a specified method; a dynamic-time hybrid encryption technique is added to the data request instruction: when the client requests data, it performs MD5 hybrid encryption on the current user's password and the current time and submits the result to the application server; when the application server receives the instruction, it judges whether the request time is within the set time T before or after the current time; after the time is verified as valid, it performs MD5 hybrid encryption on that time and the password reserved at the application server, and compares whether the submitted result is consistent with the result computed at the application server; only after the comparison matches does it respond to the client's data request; this mechanism keeps the client password from being exposed on the network; even if the request packet is intercepted on the network and the calling password is extracted from it, the validity period of that password is limited to twice the set time, 2T.
CN201610383404.2A 2016-06-02 2016-06-02 Software system based on three-layer architecture and data request method thereof Active CN107465641B (en)

Publications (2)

Publication Number Publication Date
CN107465641A true CN107465641A (en) 2017-12-12
CN107465641B CN107465641B (en) 2020-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 201206 rooms 904, 906 and 907, building 35, Lane 2777, Jinxiu East Road, Pudong New Area, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai

Patentee after: SHANGHAI HYDEE SOFTWARE Corp.,Ltd.

Address before: Room 2225, 345 Jinxiang Road, Pudong New Area, Shanghai, 20106

Patentee before: SHANGHAI HYDEE SOFTWARE Corp.,Ltd.