CN107465641B - Software system based on three-layer architecture and data request method thereof - Google Patents
Software system based on three-layer architecture and data request method thereof Download PDFInfo
- Publication number
- CN107465641B CN107465641B CN201610383404.2A CN201610383404A CN107465641B CN 107465641 B CN107465641 B CN 107465641B CN 201610383404 A CN201610383404 A CN 201610383404A CN 107465641 B CN107465641 B CN 107465641B
- Authority
- CN
- China
- Prior art keywords
- application server
- client
- module
- database
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
Abstract
The invention discloses a software system based on a three-layer architecture and a data request method thereof. The script identification setting module is used for setting the identification of the database SQL script; the access request module is used for sending an identifier corresponding to the access request to the application server; the unauthorized access judging module is used for judging whether the corresponding client has unauthorized access; the access limiting module is used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user client and automatically limiting the access range of the user to the database; and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller. The invention can improve the safety of the system and prevent unauthorized access to data.
Description
Technical Field
The invention belongs to the technical field of computer software, and relates to a software system, in particular to a software system based on a three-layer architecture; meanwhile, the invention also relates to a data request method based on the three-layer architecture software system.
Background
With the rise of the internet, more and more software is beginning to provide internet-based access and applications. In this case, the architecture that is commonly adopted is a three-tier architecture of "database server-application server-client application program or client browser". The application server is opened to the Internet so that the client can access the application server through the Internet. In this case, the client calls and data interaction with the application server must ensure safety and high efficiency. Currently, such calls are classified into several ways:
(1) a website mode. The application server is a website server, and returns a web page to the client, and the client uses a web browser (such as Chrome, Internet Explorer) to interact and use. This is also what we often say as the B-S architecture.
(2) API calls based on database statements. The client is an application program, the application program sends statements to be executed to the application server, the application server submits the statements to the database server for execution, and the result is returned to the caller.
(3) API calls based on the traffic class. The client is an application program, when the application program needs to request data, an instruction is sent to the application server, and the instruction content comprises: after the application server receives the instruction, the operation type and the related parameters are converted into database statements according to the analysis of the instruction and are sent to the database server for execution, and the result is returned to the caller.
The above product has the following disadvantages:
(1) the insufficiency of the website mode: the application terminal in this mode must be a web browser, and the functions of many application software are limited by the kind and version of the browser, so that the adaptability is difficult. The characteristics of the web browser also make many operations convenient for users and the expansibility of the client and other software and hardware interfaces greatly reduced.
(2) Deficiencies of database script based API calls: because the statement is directly submitted to the application server and the database server by the client program, the fine authority control is difficult to realize, because the statement is very complicated and relates to a plurality of objects, the server end is difficult to judge whether the user who requests currently has the operation right to the objects, and the low-authority account can obtain the unauthorized data access by simulating the client program. In addition, each calling request is a complete database sql script, the capacity of a request packet is increased, and bandwidth resources are wasted.
(3) Deficiencies of service class based API calls: the application server needs to carry out a large amount of analysis and operation on the instructions to convert the instructions into a database SQL script to be submitted to a database for execution, so that the cost is high and the cost is high; in the process of developing a new application, the client can involve updating of the application server, and the updating is inconvenient.
In view of the above, there is a need to design a new software system to overcome the above-mentioned shortcomings of the existing software systems.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a software system based on three-layer architecture is provided, which can improve the security of the system and prevent unauthorized access to data.
In addition, the invention also provides a data request method based on the three-layer architecture software system, which can improve the safety of the system and prevent unauthorized access to data.
In order to solve the technical problems, the invention adopts the following technical scheme:
a three-tier architecture based software system, the software system comprising:
the script number setting module is used for setting the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information transmitted at the same time also comprises related parameters (necessary additional filtering condition parameters);
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database;
the request merging and calling module is used for merging a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batches;
the executable script generation module is arranged on the application server and used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script;
the result feedback module is arranged in the application server and used for submitting the final database SQL script to the database for execution and returning the result to a caller (namely a corresponding client); the result feedback module comprises a return result encryption unit, which is used for compressing and then encrypting the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A three-tier architecture based software system, the software system comprising:
the script identification setting module is used for setting the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server and used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user and automatically limiting the access range of the user to the database;
and the result feedback module is arranged in the application server, submits the final database SQL script to the database for execution and returns the result to the caller.
As a preferred scheme of the present invention, the software system further includes an executable script generation module, which is disposed in the application server and is configured to add further conditions to the database SQL script according to the authority of the user and in combination with the parameters submitted by the user, so as to obtain a final executable database SQL script.
As a preferred scheme of the present invention, the software system further includes a request merging and calling module, which is configured to merge a plurality of data requests into one data request set, where the data request set records identifiers and parameters of the plurality of requests, and an application program of the client needs to interact with the application server only once to obtain all result sets in batch.
As a preferable aspect of the present invention, the identifier set by the script identifier setting module is a number.
As a preferred scheme of the present invention, the result feedback module includes a returned result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A data request method based on a three-layer architecture software system comprises the following steps:
the script number setting module sets the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch;
the executable script generation module is used for further conditionally appending the database SQL script according to the authority of the user and in combination with the parameters submitted by the user to obtain a final executable database SQL script;
the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A data request method based on a three-layer architecture software system comprises the following steps:
the script identification setting module sets the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server, automatically calls a database SQL script corresponding to the identifier according to the identifier, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller.
As a preferable aspect of the present invention, the data requesting method further includes: the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the identification and the parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch.
As a preferable aspect of the present invention, the data requesting method further includes: and the executable script generation module is used for further conditionally adding the database SQL script according to the permission of the user and the parameters submitted by the user to obtain the final executable database SQL script.
As a preferable aspect of the present invention, the identifier set by the script identifier setting module is a number.
As a preferred scheme of the invention, the result feedback module compresses and then encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
The system of the invention comprises:
(1) a set of mechanisms in application development that allow database SQL scripts and numbering to be defined per application module.
(2) A mechanism for determining whether the user has unauthorized access to the current number in the application server.
(3) And a mechanism which is arranged in the application server and can automatically call out the corresponding database SQL script and the serial number according to the serial number and the current user and automatically limit the access range of the user to the data table.
(4) In the application development process of the application program, the method for initiating the data request is allowed to be singly or combined according to the number and the parameters.
The method comprises the following steps:
(1) in the process of developing the client application, if the client operation relates to data requirements, defining a database SQL script of the data request in the development of an application module, and specifying a number and a mandatory condition.
(2) When the end user performs the actual operation, the number is submitted to the application server.
(3) And the application server judges the authority according to the module name and judges whether the current user has the module authorization.
(4) The application server extracts the database SQL script from the prior definition according to the module and the serial number, and automatically attaches the range limit according to the current user and environment conditions. For example: the database SQL script has a definition, and when a user inquires the sales record, the user is limited to inquire the sales of the store where the user is located. The application server will automatically append the query scope to the user based on the current request.
(5) And the application server calculates according to the steps and further conditionally attaches the database SQL script according to the parameters submitted by the final user to obtain the final executable database SQL script.
(6) And the application server submits the final database SQL script to a database for execution and returns the result to the caller.
The invention has the beneficial effects that: (1) the software system based on the three-layer architecture and the data request method thereof can improve the safety of the system and prevent unauthorized data access. The method can prevent the user with low authority from calling and accessing the data with high authority through the simulation client, and can also forcibly limit the same data table to access only part of the data according to different users. For example: in the case where a company has a plurality of stores, each store manager is restricted to accessing only the sales data of the store in the sales table.
(2) The software system of the invention is flexible and easy to develop and apply. In the process of application development, only the definition of a data request needs to be carried out for a current module, and after the data is requested, a client is allowed to carry out judgment and operation of business logic according to the current environment, particularly business logic operation is allowed to be carried out according to the interactive input result of an operator. The developer does not have to be concerned additionally with the setting of the user rights.
(3) The software system of the invention has uniform application server version, and the application server is not required to be updated for developing new application.
(4) The application server of the software system has low pressure, and the application server only needs to extract the SQL script of the database and judge the authority, and does not have operation of business logic. The application server pressure is small. The partial pressure is distributed to a plurality of clients, and basically has no substantial influence on the clients.
(5) In the software system, the request instruction data packet is small, the network bandwidth is saved, the request data is allowed to be combined, the interactive interaction number is greatly reduced, and the user operation experience of the client is improved.
The invention can allow the client application program to call the data in the server in a safe and controllable way, and then carry out logic judgment and operation in the client application program according to the data and the conditions of the upper part and the lower part of the user operation of the client and the interactive selection of the user. The process of judgment and calculation does not involve interaction with the application server. The method greatly improves the flexibility of processing various complex business scenes by the client application program.
Drawings
FIG. 1 is a schematic diagram of a three-layer software system according to the present invention.
FIG. 2 is a flowchart of a data request method based on a three-tier architecture software system according to the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 1, the present invention discloses a software system based on three-layer architecture, the software system includes: the system comprises a script number setting module 1, an access request module 2, an unauthorized access judging module 3, an access limiting module 4, a request merging and calling module 5, an executable script generating module 6 and a result feedback module 7.
The script number setting module 1 is used for setting the number of the database SQL script, and each unique number corresponds to one group of database SQL scripts. Of course, the identifier of the database SQL script may be set to another identifier, and is not necessarily a number. In the process of developing the client application, if the client operation relates to data requirements, defining a database SQL script of the data request in the development of an application module, and specifying a number and a mandatory condition.
The access request module 2 is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information transmitted at the same time also includes relevant parameters (necessary additional filter condition parameters). For example: the SQL script serial number data of a certain database corresponds to a command for inquiring all documents put in storage, and the parameter can be a specific document serial number; so that the result of the request is only data specifying the document.
The unauthorized access judging module 3 is arranged in the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number.
The access limiting module 4 is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database. The application server extracts the database SQL script from the prior definition according to the module and the serial number, and automatically attaches the range limit according to the current user and environment conditions. For example: the database SQL script has a definition, and when a user inquires a sales record, the user is limited to only inquire sales of a store where the user is located; the application server will automatically append the query scope to the user based on the current request.
The request merging and calling module 5 is used for merging a plurality of data requests into a data request set, the data request set records the numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch.
The executable script generating module 6 is arranged in the application server and is used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script.
The result feedback module 7 is disposed in the application server, and is configured to submit the final database SQL script to the database for execution, and return the result to the caller (i.e., the corresponding client).
Preferably, the result feedback module 7 includes a returned result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time and the current time do not exceed a set time T (such as 5 minutes) before and after the error, carrying out MD5 mixed encryption by the time and a password reserved at the application server after the verification time is valid, and responding to the data request of the client after the comparison result is consistent with the result of the application server; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to two times of the set time 2T (10 minutes).
The present invention discloses the above system and also discloses a data request method based on the three-layer architecture software system, please refer to fig. 2, wherein the data request method comprises the following steps:
step S1, the script number setting module sets the number of the database SQL script, and each unique number corresponds to one group of database SQL scripts;
step S2, the access request module is configured to the client, and send a number corresponding to the access request, that is, a number corresponding to the database SQL script, to the application server;
step S3, the unauthorized access determination module is disposed in the application server, and determines whether the corresponding client has unauthorized access, that is, whether the user client has the authority to send the database SQL script corresponding to the number;
step S4, the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, obtains the access authority according to the current user client, and automatically limits the access range of the user to the database;
step S5, the request merge call module merges the multiple data requests into one data request set, the data request set records the numbers and parameters of the multiple requests, and the application program of the client needs to interact with the application server only once to obtain all result sets in batch;
step S6, the executable script generation module further conditionally attaches the database SQL script according to the authority of the user in combination with the parameters submitted by the user, to obtain a final executable database SQL script;
step S7, the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
Example two
A three-tier architecture based software system, the software system comprising: the device comprises a script identifier setting module, an access request module, an unauthorized access judging module, an access limiting module and a result feedback module.
The script identification setting module is used for setting the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server and used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user and automatically limiting the access range of the user to the database;
and the result feedback module is arranged in the application server, submits the final database SQL script to the database for execution and returns the result to the caller.
The invention also discloses a data request method based on the three-layer architecture software system, which comprises the following steps:
the script identification setting module sets the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server, automatically calls a database SQL script corresponding to the identifier according to the identifier, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller.
In summary, the software system based on the three-layer architecture and the data request method thereof provided by the invention can improve the security of the system and prevent unauthorized access to data. The method can prevent the user with low authority from calling and accessing the data with high authority through the simulation client, and can also forcibly limit the same data table to access only part of the data according to different users. For example: in the case where a company has a plurality of stores, each store manager is restricted to accessing only the sales data of the store in the sales table.
The software system of the invention is flexible and easy to develop and apply. In the process of application development, only the definition of a data request needs to be carried out for a current module, and after the data is requested, a client is allowed to carry out judgment and operation of business logic according to the current environment, particularly business logic operation is allowed to be carried out according to the interactive input result of an operator. The developer does not have to be concerned additionally with the setting of the user rights.
The software system of the invention has uniform application server version, and the application server is not required to be updated for developing new application. The application server of the software system has low pressure, and the application server only needs to extract the SQL script of the database and judge the authority, and does not have operation of business logic. The application server pressure is small. The partial pressure is distributed to a plurality of clients, and basically has no substantial influence on the clients.
In the software system, the request instruction data packet is small, the network bandwidth is saved, the request data is allowed to be combined, the interactive interaction number is greatly reduced, and the user operation experience of the client is improved.
The invention can allow the client application program to call the data in the server in a safe and controllable way, and then carry out logic judgment and operation in the client application program according to the data and the conditions of the upper part and the lower part of the user operation of the client and the interactive selection of the user. The process of judgment and calculation does not involve interaction with the application server. The method greatly improves the flexibility of processing various complex business scenes by the client application program.
The description and applications of the invention herein are illustrative and are not intended to limit the scope of the invention to the embodiments described above. Variations and modifications of the embodiments disclosed herein are possible, and alternative and equivalent various components of the embodiments will be apparent to those skilled in the art. It will be clear to those skilled in the art that the present invention may be embodied in other forms, structures, arrangements, proportions, and with other components, materials, and parts, without departing from the spirit or essential characteristics thereof. Other variations and modifications of the embodiments disclosed herein may be made without departing from the scope and spirit of the invention.
Claims (2)
1. A three-tier architecture based software system, the software system comprising:
the script number setting module is used for setting the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information sent at the same time also comprises necessary additional filtering condition parameters;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database;
the request merging and calling module is used for merging a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batches;
the executable script generation module is arranged on the application server and used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script;
the result feedback module is arranged in the application server and used for submitting the final database SQL script to the database for execution and returning the result to the caller; the result feedback module comprises a return result encryption unit, which is used for compressing and then encrypting the request data and the return result according to a specified method; a dynamic time hybrid encryption technology is added in a data request instruction, when a client requests data, MD5 hybrid encryption is carried out according to the password of a current user and the current time, and the result is submitted to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the client password is protected from being exposed in the network, and even if the requested data packet is intercepted through the network and the calling password is separated out, the valid time of the password is limited to be within two times of the set time 2T.
2. A data request method based on a three-layer architecture software system is characterized by comprising the following steps:
the script number setting module sets the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch;
the executable script generation module is used for further conditionally appending the database SQL script according to the authority of the user and in combination with the parameters submitted by the user to obtain a final executable database SQL script;
the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the client password is protected from being exposed in the network, and even if the requested data packet is intercepted through the network and the calling password is separated out, the valid time of the password is limited to be within two times of the set time 2T.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610383404.2A CN107465641B (en) | 2016-06-02 | 2016-06-02 | Software system based on three-layer architecture and data request method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610383404.2A CN107465641B (en) | 2016-06-02 | 2016-06-02 | Software system based on three-layer architecture and data request method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107465641A CN107465641A (en) | 2017-12-12 |
CN107465641B true CN107465641B (en) | 2020-08-18 |
Family
ID=60544534
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610383404.2A Active CN107465641B (en) | 2016-06-02 | 2016-06-02 | Software system based on three-layer architecture and data request method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107465641B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112162996A (en) * | 2020-09-23 | 2021-01-01 | 金现代信息产业股份有限公司 | Database access method and system for in-station graph editor |
CN117113326B (en) * | 2023-08-31 | 2024-03-12 | 金锐软件技术(杭州)有限公司 | Authorized access system based on ABAC model |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100518411C (en) * | 2005-05-24 | 2009-07-22 | 北京宇信易诚科技有限公司 | Dynamic cipher system and method based on mobile communication terminal |
US20080319998A1 (en) * | 2007-06-20 | 2008-12-25 | Michael Bender | System and method for dynamic authorization to database objects |
CN103530568B (en) * | 2012-07-02 | 2016-01-20 | 阿里巴巴集团控股有限公司 | Authority control method, Apparatus and system |
CN103716356B (en) * | 2012-10-09 | 2018-02-27 | 三亚中兴软件有限责任公司 | Storing process operating method, device and system based on web |
CN104243532A (en) * | 2013-06-21 | 2014-12-24 | 鸿富锦精密工业(深圳)有限公司 | Data access method and system |
CN105094961A (en) * | 2015-08-11 | 2015-11-25 | 北京思特奇信息技术股份有限公司 | Task scheduling management system based on quartz frame and method thereof |
CN105307172B (en) * | 2015-11-13 | 2018-11-23 | 四川虹信软件有限公司 | Bluetooth base. station legality identification method based on dynamic time |
-
2016
- 2016-06-02 CN CN201610383404.2A patent/CN107465641B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN107465641A (en) | 2017-12-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108920494B (en) | Isolated access method of multi-tenant database, server and storage medium | |
KR102514325B1 (en) | Model training system and method, storage medium | |
US10484385B2 (en) | Accessing an application through application clients and web browsers | |
CN110442326B (en) | Method and system for simplifying front-end and back-end separation authority control based on Vue | |
CA2930253C (en) | Single set of credentials for accessing multiple computing resource services | |
CN102984159B (en) | Based on secure accessing logic control method and the Platform Server of terminal access behavior | |
US10091179B2 (en) | User authentication framework | |
CN102724221A (en) | Enterprise information system using cloud computing and method for setting user authority thereof | |
CN104255007A (en) | Oauth framework | |
CN108712372B (en) | Method and system for accessing WEB third party login by client | |
CN104283875A (en) | Cloud disk authority management method | |
JP2015505387A (en) | Dynamic service integration system and method | |
CN111414381B (en) | Data processing method and device, electronic equipment and storage medium | |
JP2017503231A (en) | Identity pool bridging for managed directory services | |
WO2021013056A1 (en) | Microservice-based data processing method and apparatus, and device and readable storage medium | |
CN113271289B (en) | Method, system and computer storage medium for resource authorization and access | |
CN109962892A (en) | A kind of authentication method and client, server logging in application | |
CN107483477B (en) | Account management method and account management system | |
CN107465641B (en) | Software system based on three-layer architecture and data request method thereof | |
US20220255914A1 (en) | Identity information linking | |
CN112541828B (en) | System, method, device, processor and storage medium for realizing open securities management and open securities API access control | |
US20140007197A1 (en) | Delegation within a computing environment | |
US10735399B2 (en) | System, service providing apparatus, control method for system, and storage medium | |
CN106067881B (en) | Data Access Security control method based on OS/400, apparatus and system | |
CN111193776B (en) | Method, device, equipment and medium for automatically logging in client under cloud desktop environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP02 | Change in the address of a patent holder |
Address after: 201206 rooms 904, 906 and 907, building 35, Lane 2777, Jinxiu East Road, Pudong New Area, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai Patentee after: SHANGHAI HYDEE SOFTWARE Corp.,Ltd. Address before: Room 2225, 345 Jinxiang Road, Pudong New Area, Shanghai, 20106 Patentee before: SHANGHAI HYDEE SOFTWARE Corp.,Ltd. |
|
CP02 | Change in the address of a patent holder |