CN107465641B - Software system based on three-layer architecture and data request method thereof - Google Patents

Software system based on three-layer architecture and data request method thereof Download PDF

Info

Publication number
CN107465641B
CN107465641B CN201610383404.2A CN201610383404A CN107465641B CN 107465641 B CN107465641 B CN 107465641B CN 201610383404 A CN201610383404 A CN 201610383404A CN 107465641 B CN107465641 B CN 107465641B
Authority
CN
China
Prior art keywords
application server
client
module
database
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610383404.2A
Other languages
Chinese (zh)
Other versions
CN107465641A (en
Inventor
夏其峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Hydee Software Corp ltd
Original Assignee
Shanghai Hydee Software Corp ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Hydee Software Corp ltd filed Critical Shanghai Hydee Software Corp ltd
Priority to CN201610383404.2A priority Critical patent/CN107465641B/en
Publication of CN107465641A publication Critical patent/CN107465641A/en
Application granted granted Critical
Publication of CN107465641B publication Critical patent/CN107465641B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Abstract

The invention discloses a software system based on a three-layer architecture and a data request method thereof. The script identification setting module is used for setting the identification of the database SQL script; the access request module is used for sending an identifier corresponding to the access request to the application server; the unauthorized access judging module is used for judging whether the corresponding client has unauthorized access; the access limiting module is used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user client and automatically limiting the access range of the user to the database; and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller. The invention can improve the safety of the system and prevent unauthorized access to data.

Description

Software system based on three-layer architecture and data request method thereof
Technical Field
The invention belongs to the technical field of computer software, and relates to a software system, in particular to a software system based on a three-layer architecture; meanwhile, the invention also relates to a data request method based on the three-layer architecture software system.
Background
With the rise of the internet, more and more software is beginning to provide internet-based access and applications. In this case, the architecture that is commonly adopted is a three-tier architecture of "database server-application server-client application program or client browser". The application server is opened to the Internet so that the client can access the application server through the Internet. In this case, the client calls and data interaction with the application server must ensure safety and high efficiency. Currently, such calls are classified into several ways:
(1) a website mode. The application server is a website server, and returns a web page to the client, and the client uses a web browser (such as Chrome, Internet Explorer) to interact and use. This is also what we often say as the B-S architecture.
(2) API calls based on database statements. The client is an application program, the application program sends statements to be executed to the application server, the application server submits the statements to the database server for execution, and the result is returned to the caller.
(3) API calls based on the traffic class. The client is an application program, when the application program needs to request data, an instruction is sent to the application server, and the instruction content comprises: after the application server receives the instruction, the operation type and the related parameters are converted into database statements according to the analysis of the instruction and are sent to the database server for execution, and the result is returned to the caller.
The above product has the following disadvantages:
(1) the insufficiency of the website mode: the application terminal in this mode must be a web browser, and the functions of many application software are limited by the kind and version of the browser, so that the adaptability is difficult. The characteristics of the web browser also make many operations convenient for users and the expansibility of the client and other software and hardware interfaces greatly reduced.
(2) Deficiencies of database script based API calls: because the statement is directly submitted to the application server and the database server by the client program, the fine authority control is difficult to realize, because the statement is very complicated and relates to a plurality of objects, the server end is difficult to judge whether the user who requests currently has the operation right to the objects, and the low-authority account can obtain the unauthorized data access by simulating the client program. In addition, each calling request is a complete database sql script, the capacity of a request packet is increased, and bandwidth resources are wasted.
(3) Deficiencies of service class based API calls: the application server needs to carry out a large amount of analysis and operation on the instructions to convert the instructions into a database SQL script to be submitted to a database for execution, so that the cost is high and the cost is high; in the process of developing a new application, the client can involve updating of the application server, and the updating is inconvenient.
In view of the above, there is a need to design a new software system to overcome the above-mentioned shortcomings of the existing software systems.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a software system based on three-layer architecture is provided, which can improve the security of the system and prevent unauthorized access to data.
In addition, the invention also provides a data request method based on the three-layer architecture software system, which can improve the safety of the system and prevent unauthorized access to data.
In order to solve the technical problems, the invention adopts the following technical scheme:
a three-tier architecture based software system, the software system comprising:
the script number setting module is used for setting the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information transmitted at the same time also comprises related parameters (necessary additional filtering condition parameters);
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database;
the request merging and calling module is used for merging a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batches;
the executable script generation module is arranged on the application server and used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script;
the result feedback module is arranged in the application server and used for submitting the final database SQL script to the database for execution and returning the result to a caller (namely a corresponding client); the result feedback module comprises a return result encryption unit, which is used for compressing and then encrypting the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A three-tier architecture based software system, the software system comprising:
the script identification setting module is used for setting the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server and used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user and automatically limiting the access range of the user to the database;
and the result feedback module is arranged in the application server, submits the final database SQL script to the database for execution and returns the result to the caller.
As a preferred scheme of the present invention, the software system further includes an executable script generation module, which is disposed in the application server and is configured to add further conditions to the database SQL script according to the authority of the user and in combination with the parameters submitted by the user, so as to obtain a final executable database SQL script.
As a preferred scheme of the present invention, the software system further includes a request merging and calling module, which is configured to merge a plurality of data requests into one data request set, where the data request set records identifiers and parameters of the plurality of requests, and an application program of the client needs to interact with the application server only once to obtain all result sets in batch.
As a preferable aspect of the present invention, the identifier set by the script identifier setting module is a number.
As a preferred scheme of the present invention, the result feedback module includes a returned result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A data request method based on a three-layer architecture software system comprises the following steps:
the script number setting module sets the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch;
the executable script generation module is used for further conditionally appending the database SQL script according to the authority of the user and in combination with the parameters submitted by the user to obtain a final executable database SQL script;
the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
A data request method based on a three-layer architecture software system comprises the following steps:
the script identification setting module sets the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server, automatically calls a database SQL script corresponding to the identifier according to the identifier, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller.
As a preferable aspect of the present invention, the data requesting method further includes: the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the identification and the parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch.
As a preferable aspect of the present invention, the data requesting method further includes: and the executable script generation module is used for further conditionally adding the database SQL script according to the permission of the user and the parameters submitted by the user to obtain the final executable database SQL script.
As a preferable aspect of the present invention, the identifier set by the script identifier setting module is a number.
As a preferred scheme of the invention, the result feedback module compresses and then encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
The system of the invention comprises:
(1) a set of mechanisms in application development that allow database SQL scripts and numbering to be defined per application module.
(2) A mechanism for determining whether the user has unauthorized access to the current number in the application server.
(3) And a mechanism which is arranged in the application server and can automatically call out the corresponding database SQL script and the serial number according to the serial number and the current user and automatically limit the access range of the user to the data table.
(4) In the application development process of the application program, the method for initiating the data request is allowed to be singly or combined according to the number and the parameters.
The method comprises the following steps:
(1) in the process of developing the client application, if the client operation relates to data requirements, defining a database SQL script of the data request in the development of an application module, and specifying a number and a mandatory condition.
(2) When the end user performs the actual operation, the number is submitted to the application server.
(3) And the application server judges the authority according to the module name and judges whether the current user has the module authorization.
(4) The application server extracts the database SQL script from the prior definition according to the module and the serial number, and automatically attaches the range limit according to the current user and environment conditions. For example: the database SQL script has a definition, and when a user inquires the sales record, the user is limited to inquire the sales of the store where the user is located. The application server will automatically append the query scope to the user based on the current request.
(5) And the application server calculates according to the steps and further conditionally attaches the database SQL script according to the parameters submitted by the final user to obtain the final executable database SQL script.
(6) And the application server submits the final database SQL script to a database for execution and returns the result to the caller.
The invention has the beneficial effects that: (1) the software system based on the three-layer architecture and the data request method thereof can improve the safety of the system and prevent unauthorized data access. The method can prevent the user with low authority from calling and accessing the data with high authority through the simulation client, and can also forcibly limit the same data table to access only part of the data according to different users. For example: in the case where a company has a plurality of stores, each store manager is restricted to accessing only the sales data of the store in the sales table.
(2) The software system of the invention is flexible and easy to develop and apply. In the process of application development, only the definition of a data request needs to be carried out for a current module, and after the data is requested, a client is allowed to carry out judgment and operation of business logic according to the current environment, particularly business logic operation is allowed to be carried out according to the interactive input result of an operator. The developer does not have to be concerned additionally with the setting of the user rights.
(3) The software system of the invention has uniform application server version, and the application server is not required to be updated for developing new application.
(4) The application server of the software system has low pressure, and the application server only needs to extract the SQL script of the database and judge the authority, and does not have operation of business logic. The application server pressure is small. The partial pressure is distributed to a plurality of clients, and basically has no substantial influence on the clients.
(5) In the software system, the request instruction data packet is small, the network bandwidth is saved, the request data is allowed to be combined, the interactive interaction number is greatly reduced, and the user operation experience of the client is improved.
The invention can allow the client application program to call the data in the server in a safe and controllable way, and then carry out logic judgment and operation in the client application program according to the data and the conditions of the upper part and the lower part of the user operation of the client and the interactive selection of the user. The process of judgment and calculation does not involve interaction with the application server. The method greatly improves the flexibility of processing various complex business scenes by the client application program.
Drawings
FIG. 1 is a schematic diagram of a three-layer software system according to the present invention.
FIG. 2 is a flowchart of a data request method based on a three-tier architecture software system according to the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 1, the present invention discloses a software system based on three-layer architecture, the software system includes: the system comprises a script number setting module 1, an access request module 2, an unauthorized access judging module 3, an access limiting module 4, a request merging and calling module 5, an executable script generating module 6 and a result feedback module 7.
The script number setting module 1 is used for setting the number of the database SQL script, and each unique number corresponds to one group of database SQL scripts. Of course, the identifier of the database SQL script may be set to another identifier, and is not necessarily a number. In the process of developing the client application, if the client operation relates to data requirements, defining a database SQL script of the data request in the development of an application module, and specifying a number and a mandatory condition.
The access request module 2 is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information transmitted at the same time also includes relevant parameters (necessary additional filter condition parameters). For example: the SQL script serial number data of a certain database corresponds to a command for inquiring all documents put in storage, and the parameter can be a specific document serial number; so that the result of the request is only data specifying the document.
The unauthorized access judging module 3 is arranged in the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number.
The access limiting module 4 is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database. The application server extracts the database SQL script from the prior definition according to the module and the serial number, and automatically attaches the range limit according to the current user and environment conditions. For example: the database SQL script has a definition, and when a user inquires a sales record, the user is limited to only inquire sales of a store where the user is located; the application server will automatically append the query scope to the user based on the current request.
The request merging and calling module 5 is used for merging a plurality of data requests into a data request set, the data request set records the numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch.
The executable script generating module 6 is arranged in the application server and is used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script.
The result feedback module 7 is disposed in the application server, and is configured to submit the final database SQL script to the database for execution, and return the result to the caller (i.e., the corresponding client).
Preferably, the result feedback module 7 includes a returned result encryption unit, configured to compress and then encrypt the request data and the returned result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time and the current time do not exceed a set time T (such as 5 minutes) before and after the error, carrying out MD5 mixed encryption by the time and a password reserved at the application server after the verification time is valid, and responding to the data request of the client after the comparison result is consistent with the result of the application server; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to two times of the set time 2T (10 minutes).
The present invention discloses the above system and also discloses a data request method based on the three-layer architecture software system, please refer to fig. 2, wherein the data request method comprises the following steps:
step S1, the script number setting module sets the number of the database SQL script, and each unique number corresponds to one group of database SQL scripts;
step S2, the access request module is configured to the client, and send a number corresponding to the access request, that is, a number corresponding to the database SQL script, to the application server;
step S3, the unauthorized access determination module is disposed in the application server, and determines whether the corresponding client has unauthorized access, that is, whether the user client has the authority to send the database SQL script corresponding to the number;
step S4, the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, obtains the access authority according to the current user client, and automatically limits the access range of the user to the database;
step S5, the request merge call module merges the multiple data requests into one data request set, the data request set records the numbers and parameters of the multiple requests, and the application program of the client needs to interact with the application server only once to obtain all result sets in batch;
step S6, the executable script generation module further conditionally attaches the database SQL script according to the authority of the user in combination with the parameters submitted by the user, to obtain a final executable database SQL script;
step S7, the result feedback module submits the final database SQL script to the database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the mechanism protects the client password from being exposed in the network, and even if the requested data packet is intercepted and the calling password is separated through the network, the valid time of the password is limited to be within two times of the set time 2T.
Example two
A three-tier architecture based software system, the software system comprising: the device comprises a script identifier setting module, an access request module, an unauthorized access judging module, an access limiting module and a result feedback module.
The script identification setting module is used for setting the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server and used for automatically calling a database SQL script corresponding to the identifier according to the identifier, acquiring the access authority of the client according to the current user and automatically limiting the access range of the user to the database;
and the result feedback module is arranged in the application server, submits the final database SQL script to the database for execution and returns the result to the caller.
The invention also discloses a data request method based on the three-layer architecture software system, which comprises the following steps:
the script identification setting module sets the identification of the database SQL script, and each unique identification corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends an identifier corresponding to the access request, namely an identifier corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the identifier;
the access limiting module is arranged in the application server, automatically calls a database SQL script corresponding to the identifier according to the identifier, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
and the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller.
In summary, the software system based on the three-layer architecture and the data request method thereof provided by the invention can improve the security of the system and prevent unauthorized access to data. The method can prevent the user with low authority from calling and accessing the data with high authority through the simulation client, and can also forcibly limit the same data table to access only part of the data according to different users. For example: in the case where a company has a plurality of stores, each store manager is restricted to accessing only the sales data of the store in the sales table.
The software system of the invention is flexible and easy to develop and apply. In the process of application development, only the definition of a data request needs to be carried out for a current module, and after the data is requested, a client is allowed to carry out judgment and operation of business logic according to the current environment, particularly business logic operation is allowed to be carried out according to the interactive input result of an operator. The developer does not have to be concerned additionally with the setting of the user rights.
The software system of the invention has uniform application server version, and the application server is not required to be updated for developing new application. The application server of the software system has low pressure, and the application server only needs to extract the SQL script of the database and judge the authority, and does not have operation of business logic. The application server pressure is small. The partial pressure is distributed to a plurality of clients, and basically has no substantial influence on the clients.
In the software system, the request instruction data packet is small, the network bandwidth is saved, the request data is allowed to be combined, the interactive interaction number is greatly reduced, and the user operation experience of the client is improved.
The invention can allow the client application program to call the data in the server in a safe and controllable way, and then carry out logic judgment and operation in the client application program according to the data and the conditions of the upper part and the lower part of the user operation of the client and the interactive selection of the user. The process of judgment and calculation does not involve interaction with the application server. The method greatly improves the flexibility of processing various complex business scenes by the client application program.
The description and applications of the invention herein are illustrative and are not intended to limit the scope of the invention to the embodiments described above. Variations and modifications of the embodiments disclosed herein are possible, and alternative and equivalent various components of the embodiments will be apparent to those skilled in the art. It will be clear to those skilled in the art that the present invention may be embodied in other forms, structures, arrangements, proportions, and with other components, materials, and parts, without departing from the spirit or essential characteristics thereof. Other variations and modifications of the embodiments disclosed herein may be made without departing from the scope and spirit of the invention.

Claims (2)

1. A three-tier architecture based software system, the software system comprising:
the script number setting module is used for setting the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and used for sending a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server; the information sent at the same time also comprises necessary additional filtering condition parameters;
the unauthorized access judging module is arranged on the application server and used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server and used for automatically calling the database SQL script corresponding to the serial number according to the serial number, acquiring the access authority of the current user client according to the current user client and automatically limiting the access range of the user to the database;
the request merging and calling module is used for merging a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the plurality of requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batches;
the executable script generation module is arranged on the application server and used for further conditionally adding the database SQL script according to the authority of the user and the parameters submitted by the user to obtain the final executable database SQL script;
the result feedback module is arranged in the application server and used for submitting the final database SQL script to the database for execution and returning the result to the caller; the result feedback module comprises a return result encryption unit, which is used for compressing and then encrypting the request data and the return result according to a specified method; a dynamic time hybrid encryption technology is added in a data request instruction, when a client requests data, MD5 hybrid encryption is carried out according to the password of a current user and the current time, and the result is submitted to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the client password is protected from being exposed in the network, and even if the requested data packet is intercepted through the network and the calling password is separated out, the valid time of the password is limited to be within two times of the set time 2T.
2. A data request method based on a three-layer architecture software system is characterized by comprising the following steps:
the script number setting module sets the numbers of the database SQL scripts, and each unique number corresponds to one group of database SQL scripts;
the access request module is arranged at the client and sends a number corresponding to the access request, namely a number corresponding to the database SQL script, to the application server;
the unauthorized access judging module is arranged on the application server and is used for judging whether the corresponding client has unauthorized access or not, namely judging whether the user client has the authority of sending the database SQL script corresponding to the serial number;
the access limiting module is arranged in the application server, automatically calls out the database SQL script corresponding to the serial number according to the serial number, acquires the access authority according to the current user client and automatically limits the access range of the user to the database;
the request merging and calling module merges a plurality of data requests into a data request set, the data request set records the serial numbers and parameters of the requests, and the application program of the client side only needs to interact with the application server once to obtain all result sets in batch;
the executable script generation module is used for further conditionally appending the database SQL script according to the authority of the user and in combination with the parameters submitted by the user to obtain a final executable database SQL script;
the result feedback module submits the final database SQL script to a database for execution and returns the result to the caller; the result feedback module compresses and encrypts the request data and the return result according to a specified method; adding a dynamic time hybrid encryption technology in a data request instruction, when a client requests data, performing MD5 hybrid encryption according to the password of a current user and the current time, and submitting a result to an application server; when the application server receives the instruction, judging whether the request time is not more than a set time T before or after the error of the current time, after the verification time is valid, performing MD5 mixed encryption by the time and a password reserved at the application server, and if the comparison result is consistent with the result of the application server, responding to the data request of the client; the client password is protected from being exposed in the network, and even if the requested data packet is intercepted through the network and the calling password is separated out, the valid time of the password is limited to be within two times of the set time 2T.
CN201610383404.2A 2016-06-02 2016-06-02 Software system based on three-layer architecture and data request method thereof Active CN107465641B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610383404.2A CN107465641B (en) 2016-06-02 2016-06-02 Software system based on three-layer architecture and data request method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610383404.2A CN107465641B (en) 2016-06-02 2016-06-02 Software system based on three-layer architecture and data request method thereof

Publications (2)

Publication Number Publication Date
CN107465641A CN107465641A (en) 2017-12-12
CN107465641B true CN107465641B (en) 2020-08-18

Family

ID=60544534

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610383404.2A Active CN107465641B (en) 2016-06-02 2016-06-02 Software system based on three-layer architecture and data request method thereof

Country Status (1)

Country Link
CN (1) CN107465641B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112162996A (en) * 2020-09-23 2021-01-01 金现代信息产业股份有限公司 Database access method and system for in-station graph editor
CN117113326B (en) * 2023-08-31 2024-03-12 金锐软件技术(杭州)有限公司 Authorized access system based on ABAC model

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100518411C (en) * 2005-05-24 2009-07-22 北京宇信易诚科技有限公司 Dynamic cipher system and method based on mobile communication terminal
US20080319998A1 (en) * 2007-06-20 2008-12-25 Michael Bender System and method for dynamic authorization to database objects
CN103530568B (en) * 2012-07-02 2016-01-20 阿里巴巴集团控股有限公司 Authority control method, Apparatus and system
CN103716356B (en) * 2012-10-09 2018-02-27 三亚中兴软件有限责任公司 Storing process operating method, device and system based on web
CN104243532A (en) * 2013-06-21 2014-12-24 鸿富锦精密工业(深圳)有限公司 Data access method and system
CN105094961A (en) * 2015-08-11 2015-11-25 北京思特奇信息技术股份有限公司 Task scheduling management system based on quartz frame and method thereof
CN105307172B (en) * 2015-11-13 2018-11-23 四川虹信软件有限公司 Bluetooth base. station legality identification method based on dynamic time

Also Published As

Publication number Publication date
CN107465641A (en) 2017-12-12

Similar Documents

Publication Publication Date Title
CN108920494B (en) Isolated access method of multi-tenant database, server and storage medium
KR102514325B1 (en) Model training system and method, storage medium
US10484385B2 (en) Accessing an application through application clients and web browsers
CN110442326B (en) Method and system for simplifying front-end and back-end separation authority control based on Vue
CA2930253C (en) Single set of credentials for accessing multiple computing resource services
CN102984159B (en) Based on secure accessing logic control method and the Platform Server of terminal access behavior
US10091179B2 (en) User authentication framework
CN102724221A (en) Enterprise information system using cloud computing and method for setting user authority thereof
CN104255007A (en) Oauth framework
CN108712372B (en) Method and system for accessing WEB third party login by client
CN104283875A (en) Cloud disk authority management method
JP2015505387A (en) Dynamic service integration system and method
CN111414381B (en) Data processing method and device, electronic equipment and storage medium
JP2017503231A (en) Identity pool bridging for managed directory services
WO2021013056A1 (en) Microservice-based data processing method and apparatus, and device and readable storage medium
CN113271289B (en) Method, system and computer storage medium for resource authorization and access
CN109962892A (en) A kind of authentication method and client, server logging in application
CN107483477B (en) Account management method and account management system
CN107465641B (en) Software system based on three-layer architecture and data request method thereof
US20220255914A1 (en) Identity information linking
CN112541828B (en) System, method, device, processor and storage medium for realizing open securities management and open securities API access control
US20140007197A1 (en) Delegation within a computing environment
US10735399B2 (en) System, service providing apparatus, control method for system, and storage medium
CN106067881B (en) Data Access Security control method based on OS/400, apparatus and system
CN111193776B (en) Method, device, equipment and medium for automatically logging in client under cloud desktop environment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 201206 rooms 904, 906 and 907, building 35, Lane 2777, Jinxiu East Road, Pudong New Area, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai

Patentee after: SHANGHAI HYDEE SOFTWARE Corp.,Ltd.

Address before: Room 2225, 345 Jinxiang Road, Pudong New Area, Shanghai, 20106

Patentee before: SHANGHAI HYDEE SOFTWARE Corp.,Ltd.

CP02 Change in the address of a patent holder