CN107786551A - Method for accessing an intranet server and device for controlling access to an intranet server - Google Patents

Info

Publication number: CN107786551A
Authority: CN (China)
Application number: CN201710972239.9A
Other languages: Chinese (zh)
Other versions: CN107786551B (en)
Prior art keywords: intranet server, operational instruction, user, authority, client plug-in
Inventor: 于光明
Current assignee: Alibaba China Co Ltd
Original assignee: Guangdong Shenma Search Technology Co Ltd
Application filed by Guangdong Shenma Search Technology Co Ltd; priority to CN201710972239.9A
Publication of CN107786551A; application granted; publication of CN107786551B
Legal status: Granted; currently Expired - Fee Related

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G06F21/31 User authentication
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F8/65 Software deployment: updates
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The present invention provides a method for accessing an intranet server and a device for controlling access to an intranet server, and relates to server access technology. The method for accessing an intranet server comprises: a client plug-in captures the operational instruction that a user issues against content stored in the intranet server; the client plug-in identifies whether the operational instruction is a legal and valid instruction that the intranet server is able to execute; if so, the client plug-in sends a first instruction message to the intranet server so that the intranet server executes the operational instruction; if not, the client plug-in sends a second instruction message to the intranet server so that the intranet server refuses to execute the operational instruction. Having the client plug-in judge whether an operational instruction received by the intranet server is legal, and notifying the intranet server according to that judgement whether to execute it, prevents the intranet server from directly executing whatever instruction a user sends, and so prevents the content in the intranet server from being arbitrarily or even maliciously modified.

Description

Method for accessing an intranet server and device for controlling access to an intranet server
Technical field
The present invention relates to server access technology, and in particular to a method for accessing an intranet server and a device for controlling access to an intranet server; it belongs to the Internet field.
Background technology
An intranet is an enterprise-internal private network built with Internet technology. It is based on the TCP/IP protocol suite, uses the Web as its core application, and forms a unified and convenient platform for information exchange. An intranet can provide services such as Web publishing, interaction, directories, e-mail, wide-area interconnection, file management, printing and network management. Because an intranet has powerful sharing capabilities, many enterprises have set one up and store enterprise data in an intranet server for employees to consult.
The inventor found that in the prior art an employee's terminal is connected directly to the intranet server, which receives whatever operational instructions the terminal sends and executes the corresponding operations. A user terminal that sends a malicious or mistaken operational instruction to the intranet server is therefore a security hazard for the intranet server.
Summary of the invention
The present invention provides a method for accessing an intranet server and a device for controlling access to an intranet server. A client plug-in judges whether an operational instruction received by the intranet server is legal and, according to that judgement, notifies the intranet server whether to execute it. This prevents the intranet server from directly executing whatever instruction a user sends, and so prevents the content in the intranet server from being arbitrarily or even maliciously modified.
A first aspect of the invention provides a method for accessing an intranet server, comprising:
a client plug-in captures the operational instruction that a user issues against content stored in the intranet server;
the client plug-in identifies whether the operational instruction is a legal and valid instruction that the intranet server is able to execute;
if so, the client plug-in sends a first instruction message to the intranet server, the first instruction message indicating that the intranet server is to execute the operational instruction;
if not, the client plug-in sends a second instruction message to the intranet server, the second instruction message indicating that the intranet server is to refuse to execute the operational instruction.
Another aspect of the invention provides a device for controlling access to an intranet server, comprising: a processing module for capturing the operational instruction that a user issues against content stored in the intranet server;
an identification module for identifying whether the operational instruction is a legal and valid instruction that the intranet server is able to execute;
if so, a sending module sends a first instruction message to the intranet server, the first instruction message indicating that the intranet server is to execute the operational instruction;
if not, the sending module sends a second instruction message to the intranet server, the second instruction message indicating that the intranet server is to refuse to execute the operational instruction.
The method and device provided by the invention have the following technical effect:
The client plug-in captures the operational instruction that a user issues against content stored in the intranet server, then identifies whether the operational instruction is a legal and valid instruction that the intranet server is able to execute; if so, the client plug-in sends a first instruction message to the intranet server so that the intranet server executes the operational instruction; if not, the client plug-in sends a second instruction message to the intranet server so that the intranet server refuses to execute it. Using the client plug-in to judge whether the instruction a user sends is legal, and sending an instruction message to the intranet server according to that judgement so that the server executes or refuses the instruction accordingly, increases the security of the intranet server: the server no longer directly executes whatever instruction a user sends, which would allow the stored content to be arbitrarily or even maliciously modified. Moreover, because these steps are performed by the client plug-in, the function of restricting users' illegal operations on the intranet server is achieved without changing the original interaction flow between user and intranet server; to adjust the function, only the client plug-in itself needs to be changed, and the interaction flow between user and intranet server need not be modified, which is more convenient to operate.
Brief description of the drawings
Fig. 1 is a flow chart of the method for accessing an intranet server shown in an exemplary embodiment of the invention;
Fig. 2 is a flow chart of the method for accessing an intranet server shown in another exemplary embodiment of the invention;
Fig. 3 is a structural diagram of the device for controlling access to an intranet server shown in an exemplary embodiment of the invention;
Fig. 4 is a structural diagram of the device for controlling access to an intranet server shown in another exemplary embodiment of the invention.
Embodiment
Fig. 1 is a flow chart of the method for accessing an intranet server shown in an exemplary embodiment of the invention.
As shown in Fig. 1, the method for accessing an intranet server provided by this embodiment includes:
Step 101: the client plug-in captures the operational instruction that a user issues against content stored in the intranet server.
An intranet here means an enterprise-internal private network built with Internet technology; the enterprise may be a company or institution, a government organ, a school, or any other body that needs an internal private network. The intranet server is the server in the intranet that provides services to the terminals connected to it. For example, the intranet server may be used for data storage, so that terminals connected to it can access it and obtain its resources; it may also be an application server, so that connected terminals can use the corresponding services it provides. There may be one intranet server or several; several servers may be interconnected or may operate independently.
A client plug-in is a program written against an application programming interface that follows a given specification, and runs on the platform that the program defines. The client plug-in of this embodiment may be deployed in the intranet server, in a separate plug-in server connected to the intranet server, or in the client terminal used to access the server.
When a user operates on content stored in the intranet server, the terminal sends the operational instruction corresponding to that operation to the intranet server. If the client plug-in is deployed in the intranet server, it can monitor the instructions the terminal sends, for example by obtaining them from the intranet server; if it is deployed in a plug-in server, that server obtains the traffic between terminal and server through the client plug-in, which captures each operational instruction as it is sent to the intranet server.
Specifically, an operational instruction is an instruction that operates on content stored in the intranet server, for example on a stored file: an open, copy, delete, cut or modify instruction. It may also be an instruction that operates on a service process in the intranet server, such as running or stopping a service process.
Step 102: the client plug-in identifies whether the operational instruction is a legal and valid instruction that the intranet server is able to execute.
After capturing the operational instruction, the client plug-in parses the information it contains, including user information and command information, and judges the instruction's attribute from the parsed information; the attribute is either legal or illegal.
Further, legality can be judged from the user's authority information: if the user has the authority to perform the operation, the operational instruction is legal, otherwise it is illegal.
Legality can also be judged from an existing instruction database. Some operational instructions are very harmful to the intranet server: executing them may leave the server unable to operate normally or even paralysed, so such instructions should be marked as illegal instructions.
The client plug-in sends an instruction message to the intranet server according to whether the operational instruction is legal.
If the client plug-in is deployed in the intranet server, it can send the instruction message to the processor through the server's internal communication mechanism; if it is deployed in an independent plug-in server, the plug-in server sends the instruction message to the intranet server.
In practice, if the operational instruction is a legal and valid instruction, step 103 is performed; if it is not legal and valid, step 104 is performed.
Step 103: the client plug-in sends a first instruction message to the intranet server, the first instruction message indicating that the intranet server is to execute the operational instruction.
If the operational instruction is legal and valid, that is, the intranet server may execute it, the first instruction message is sent to the intranet server so that it executes the operational instruction. After execution, the intranet server feeds the result back to the terminal that sent the instruction. A legal instruction from a user accessing the intranet server is thus passed straight to the server and answered as before: the user's instructions are judged without changing the original flow of accessing the intranet server, and when the user sends a legal instruction the client plug-in is invisible to them, which improves the user experience.
Step 104: the client plug-in sends a second instruction message to the intranet server, the second instruction message indicating that the intranet server is to refuse to execute the operational instruction.
If the operational instruction the user sends is not legal and valid, the client plug-in sends the second instruction message to the intranet server so that it refuses to execute the illegal operational instruction. For example, if the user's instruction is to delete an important file and the user does not have the authority to delete it, the deletion instruction is considered illegal and the intranet server is notified to refuse it, which protects the security of the files in the intranet server.
The client plug-in may also record the users who send illegal operational instructions and the instructions they sent, periodically generate a report from these records, and send it to the person responsible for the intranet server. Further, after judging that an operational instruction is illegal, it may send a third instruction message to the intranet server so that the intranet server prompts the user that they lack the authority for the operation.
The order in which steps 103 and 104 are described is not limiting.
In the method for accessing an intranet server provided by this embodiment, the client plug-in captures the operational instruction that a user issues against content stored in the intranet server, then identifies whether it is a legal and valid instruction that the intranet server is able to execute; if so, the client plug-in sends a first instruction message so that the intranet server executes the instruction; if not, it sends a second instruction message so that the intranet server refuses to execute it. Using the client plug-in to judge whether the instruction a user sends is legal, and sending an instruction message to the intranet server according to that judgement so that the server executes or refuses the instruction accordingly, increases the security of the intranet server and prevents it from directly executing whatever instruction a user sends, which would allow the stored content to be arbitrarily or even maliciously modified. Because these steps are performed by the client plug-in, the function of restricting users' illegal operations on the intranet server is achieved without changing the original interaction flow between user and intranet server; to adjust the function, only the client plug-in itself needs to be changed, and the interaction flow between user and intranet server need not be modified, which is more convenient to operate.
Fig. 2 is a flow chart of the method for accessing an intranet server shown in another exemplary embodiment of the invention.
As shown in Fig. 2, the method for accessing an intranet server provided by this embodiment includes:
Step 201: the client plug-in monitors users' logins to the intranet server.
The client plug-in can monitor every user's login to the intranet server by checking or obtaining the login information held in the intranet server.
Specifically, the client plug-in may also listen for the login request that a user terminal sends to the intranet server; after the terminal has sent the login request, the plug-in obtains the login information in the intranet server to determine whether the terminal has logged in successfully.
Step 202: after determining that the user has logged in to the intranet server, the client plug-in obtains the user's account information.
Further, the login information in the intranet server can be obtained to determine the account information of the user who has logged in; the account information may include user identity information.
Step 203: the client plug-in obtains the user's access rights to the intranet server from the user's account information.
In practice, a rights database that records users' access rights can be set up in the intranet server or in the plug-in server; it stores the access rights corresponding to each user identifier.
From the user's account information, and specifically from the user's identity information, the client plug-in looks up the user's access rights to the intranet server in the rights database.
Step 204: the client plug-in shows the user an access page for the content stored in the intranet server, according to the access rights.
The content stored in the intranet server can be assigned levels, and when a user logs in to the intranet server, the content corresponding to the user's level is shown. For example, if the user's access rights only allow access to the lowest-level stored content, the user is shown the low-level content stored in the intranet server and the folders that contain low-level content, and when the user opens such a folder only the low-level content in it is shown. Showing each user only the stored content matching their authority improves the confidentiality of the intranet server and thus the security level of the content stored in it.
Step 205: the client plug-in identifies the operational instruction with which the user operates, on the access page, on content stored in the intranet server.
The user can operate on the stored content in the displayed access page, and the client plug-in identifies the operational instructions the user performs there. The identified information may include the object the operational instruction acts on and the specific action it performs. For example, the operation may be modifying the content of a Word document named "customer information": the object is the Word document whose file name is "customer information", and the action is modifying its content.
Step 206: the client plug-in identifies, according to preset recognition rules, whether the operational instruction is a legal and valid instruction that the intranet server is able to execute. If so, step 207 is performed; if not, step 211 is performed.
A recognition rule is a rule for judging whether an operational instruction is legal: if the instruction satisfies the rule's requirements it is judged legal, otherwise it is judged illegal.
The recognition rules include at least one of the following:
whether the user has the authority to execute the operational instruction; whether the operational instruction is marked as a legal instruction in the instruction database.
The authority includes the execution authority for the operational instruction and/or the access rights to the content the operational instruction operates on.
Specifically, the execution authority for an operational instruction includes at least one of the following:
delete authority, modify authority, create authority, copy authority, cut authority, share authority, send authority, view authority.
The execution authority for an operational instruction is whether the user has the authority to perform the corresponding operation. For example, the delete authority is the authority to delete content stored in the intranet server, such as a file or folder; if the user has the delete authority, a delete instruction the user sends is judged to be a legal instruction.
Specifically, the access rights to the content operated on by the operational instruction include at least one of the following:
accessible storage region authority, classification authority for accessible content.
Further, the accessible storage region authority is the user's authority to access a storage region. The storage of the intranet server can be partitioned, with the content belonging to each partition stored in it. When the instruction a user sends targets content in one of the partitions, the plug-in judges whether the user has the authority to access that partition: if so, the instruction is judged legal, otherwise it is judged illegal. For example, with three partitions A, B and C and a user whose storage region authority covers only partition A, an instruction from that user against content stored in partition B or C is judged illegal.
In practice, the classification authority for accessible content may also be included: the operations that can be performed on accessible content are classified, and different classification authorities include different operational instructions. If the instruction a user sends falls within the user's classification authority it is judged legal, otherwise it is judged illegal. For example, viewing is classified as level 3; creating, copying, sending and sharing as level 2; and deleting and cutting as level 1. A user with level-3 authority can only perform level-3 operations, a user with level-2 authority can perform level-2 and level-3 operations, and a user with level-1 authority can perform level-1, level-2 and level-3 operations. If a user with level-3 authority sends an operational instruction belonging to level 1 or level 2, the instruction is judged illegal.
The instruction database is a database that stores operational instructions, each of which is marked: instructions the intranet server is allowed to execute are marked as legal instructions, and instructions it is not allowed to execute are marked as illegal instructions.
If the operational instruction a user sends is not stored in the database, the client plug-in can save the instruction and notify the intranet server to suspend it, and at the same time send the content of the instruction to the administrator of the intranet server, who determines its nature. If the administrator considers the instruction legal, the administrator sends a "legal" instruction to the client plug-in, which saves the instruction to the instruction database marked as legal. If the administrator considers it illegal, the steps are analogous and are not repeated here.
Further, the recognition rules can be prioritised. For example, whether the operational instruction is marked as a legal instruction in the instruction database is the highest-priority rule; the execution authority for the operational instruction is the second-priority rule; the accessible storage region authority is the third-priority rule; and the classification authority for accessible content is the fourth-priority rule. The rules are applied to the operational instruction in order from highest to lowest priority, and if a higher-priority rule judges the instruction illegal, the remaining rules are not evaluated. This avoids polling every recognition rule each time the client plug-in judges whether an instruction is legal, which would make the client plug-in consume too much memory at run time. For example, after identifying an operational instruction, the client plug-in first judges whether it is marked as a legal instruction in the instruction database; if not, it sends the second instruction message to the intranet server; otherwise it judges whether the user has the execution authority for the corresponding operational instruction; if not, it sends the second instruction message; otherwise it judges whether the object of the operational instruction lies in a storage region the user may access; if not, it sends the second instruction message; otherwise it judges whether the user has the authority to perform the corresponding operation on the accessible content; if not, it sends the second instruction message; otherwise it sends the first instruction message to the intranet server.
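An added worked example of the identification step described above, written for this page and not taken from the patent (which gives no implementation): the four recognition rules are applied in the stated priority order, an instruction missing from the instruction database is held for the administrator as the escalation path describes, and rule updates are accepted only from the intranet server. The users, instructions, database entries, the sender name "intranet-server" and the level-1 default for unlisted actions are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    LEGAL = "first instruction message"     # intranet server is told to execute
    ILLEGAL = "second instruction message"  # intranet server is told to refuse
    HOLD = "held for administrator"         # unknown instruction: suspend and escalate


# Classification levels from the description: 3 = view; 2 = create, copy, send, share; 1 = delete, cut
OP_LEVEL = {"view": 3, "create": 2, "copy": 2, "send": 2, "share": 2, "delete": 1, "cut": 1}


@dataclass(frozen=True)
class User:
    user_id: str
    exec_perms: frozenset  # execution authority, e.g. frozenset({"view", "delete"})
    regions: frozenset     # accessible storage partitions, e.g. frozenset({"A"})
    level: int             # classification authority: 1 (widest) .. 3 (narrowest)


@dataclass(frozen=True)
class Operation:
    user: User
    action: str  # e.g. "delete"
    region: str  # storage partition holding the object the instruction acts on
    raw: str     # canonical instruction text, used as the instruction-database key


@dataclass
class ClientPlugin:
    instruction_db: dict = field(default_factory=dict)  # raw -> True (legal) / False (illegal)
    held: dict = field(default_factory=dict)            # raw -> Operation awaiting the administrator
    report: list = field(default_factory=list)          # (user_id, raw, reason) for the periodic report

    # Rule 1 (highest priority): instruction-database marking. An instruction the database
    # has never seen is held for the administrator rather than refused outright (assumption).
    def _rule_db(self, op):
        mark = self.instruction_db.get(op.raw)
        if mark is None:
            self.held[op.raw] = op
            return Verdict.HOLD, "instruction not in database; escalated to administrator"
        if mark is False:
            return Verdict.ILLEGAL, "instruction marked illegal in database"
        return Verdict.LEGAL, ""

    # Rule 2: execution authority for the action itself
    def _rule_exec(self, op):
        if op.action not in op.user.exec_perms:
            return Verdict.ILLEGAL, f"user lacks {op.action} authority"
        return Verdict.LEGAL, ""

    # Rule 3: accessible storage region authority
    def _rule_region(self, op):
        if op.region not in op.user.regions:
            return Verdict.ILLEGAL, f"partition {op.region} not accessible to user"
        return Verdict.LEGAL, ""

    # Rule 4: classification authority; a level-N user may run operations whose level number
    # is N or higher. An action missing from OP_LEVEL is assumed to be level 1 (most restricted).
    def _rule_level(self, op):
        if OP_LEVEL.get(op.action, 1) < op.user.level:
            return Verdict.ILLEGAL, f"{op.action} is above the user's classification level"
        return Verdict.LEGAL, ""

    # Apply the rules from highest to lowest priority; the first rule that fails decides,
    # so no lower-priority rule is evaluated for an instruction already refused or held.
    def identify(self, op):
        for rule in (self._rule_db, self._rule_exec, self._rule_region, self._rule_level):
            verdict, reason = rule(op)
            if verdict is not Verdict.LEGAL:
                if verdict is Verdict.ILLEGAL:
                    self.report.append((op.user.user_id, op.raw, reason))
                return verdict, reason
        return Verdict.LEGAL, "all recognition rules passed"

    # Administrator's answer for a held instruction: store the mark and release the hold
    def administrator_decides(self, raw, legal):
        self.instruction_db[raw] = legal
        return self.held.pop(raw, None)

    # Rule updates are accepted only from the intranet server (sender name is an assumption)
    def update_rules(self, sender, new_marks):
        if sender != "intranet-server":
            return False
        self.instruction_db.update(new_marks)
        return True


def demo():
    # Constructed users and instructions; returns the verdicts and the plug-in state
    plugin = ClientPlugin(instruction_db={"delete /A/report.doc": True,
                                          "view /B/plan.doc": True, "stop service-process": False})
    alice = User("alice", frozenset({"view", "delete"}), frozenset({"A"}), level=1)
    bob = User("bob", frozenset({"view"}), frozenset({"A", "B"}), level=3)
    r = {}
    r["alice_delete"] = plugin.identify(Operation(alice, "delete", "A", "delete /A/report.doc"))[0]
    r["bob_view"] = plugin.identify(Operation(bob, "view", "B", "view /B/plan.doc"))[0]
    r["stop_process"] = plugin.identify(Operation(bob, "stop", "A", "stop service-process"))[0]
    share = Operation(bob, "share", "B", "share /B/plan.doc")
    r["share_unknown"] = plugin.identify(share)[0]       # not in database: held
    plugin.administrator_decides(share.raw, legal=True)  # administrator marks it legal
    r["share_after_admin"] = plugin.identify(share)[0]   # now rule 2 refuses: no share authority
    return r, plugin
```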
Step 207, client plug-in sends the first instruction message to intranet server, and the first instruction message is in indicating Network server performs operational order.
Step 208, client plug-in obtains the implementing result that intranet server performs operational order.
Wherein, client plug-in can monitor the state of the content stored in intranet server, perform operational order Afterwards, monitor in intranet server outside the content of division operation command operating, whether the content of other storages is modified.For example, other Whether the attribute of the content of storage is modified, and whether the process run in intranet server is closed by force etc..
Step 209, client plug-in judges whether operational order is legal according to implementing result.
A database can be established, records illegal operation wherein, in being stored in mass change intranet server The form of appearance, the process of operation are closed etc. by force, if client plug-in is monitored in intranet server, there occurs in database The illegal operation of record, then may determine that the operational order before illegal operation is produced is not legal operational order.
If it is not legal operational order to judge operational order, step 210 is performed.
Step 210, operational order is labeled as illegal by client plug-in in instruction database.
Specifically, the aforesaid operational order contained in the instruction database can be marked as illegal directly.
Step 211: the client plug-in sends the second instruction message to the intranet server; the second instruction message instructs the intranet server to refuse to perform the operational order.
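The prioritized rule chain described above and the execution-result feedback of steps 208 to 210, as an added Python example that is not the patent's own code; the rule functions, the data classes, the path-prefix model of storage regions, the classification-level model of content authority and the sample orders are all assumptions constructed for illustration.

```python
# Added example (not the patent's own code): recognition rules applied in
# priority order with short-circuit rejection, plus the post-execution
# feedback that marks an operational order illegal in the instruction database.
# The data model and sample values are constructed assumptions.
from dataclasses import dataclass, field

FIRST_INSTRUCTION = "first"    # tells the intranet server to perform the order
SECOND_INSTRUCTION = "second"  # tells the intranet server to refuse the order


@dataclass
class OperationalOrder:
    action: str          # e.g. "delete", "modify", "copy", "check"
    target: str          # path of the content being operated on (assumed model)
    classification: str  # classification level of that content (assumed model)


@dataclass
class UserAuthority:
    execution: set          # execution authorities: actions the user may perform
    storage_regions: tuple  # accessible storage regions, modelled as path prefixes
    classifications: set    # classification levels of content the user may access


@dataclass
class InstructionDatabase:
    """Instruction database: which operational orders are marked valid."""
    valid_actions: set = field(default_factory=set)

    def is_valid(self, order):
        return order.action in self.valid_actions

    def mark_illegal(self, order):
        # Step 210: the order is marked illegal directly in the database.
        self.valid_actions.discard(order.action)


# Recognition rules, highest priority first, in the order the description gives.
def rule_marked_valid(order, user, db):
    return db.is_valid(order)


def rule_execution_authority(order, user, db):
    return order.action in user.execution


def rule_storage_region(order, user, db):
    return any(order.target.startswith(p) for p in user.storage_regions)


def rule_classification(order, user, db):
    return order.classification in user.classifications


RECOGNITION_RULES = [rule_marked_valid, rule_execution_authority,
                     rule_storage_region, rule_classification]


def identify(order, user, db):
    """Apply the rules from highest to lowest priority; stop at the first failure.

    Returns (instruction message, name of the rejecting rule or None)."""
    for rule in RECOGNITION_RULES:
        if not rule(order, user, db):
            return SECOND_INSTRUCTION, rule.__name__
    return FIRST_INSTRUCTION, None


# Illegal-operation database (step 209): monitored effects on the intranet server
# that indicate the preceding operational order was not legal.
ILLEGAL_EFFECTS = {"mass_content_change", "process_force_closed"}


def judge_execution(order, observed_effects, db):
    """Steps 208-210: judge the order from its execution result; mark it if illegal."""
    if ILLEGAL_EFFECTS & set(observed_effects):
        db.mark_illegal(order)
        return False
    return True


if __name__ == "__main__":
    db = InstructionDatabase({"delete", "modify", "check"})
    user = UserAuthority({"modify", "check"}, ("/share/dept-a/",), {"internal"})
    order = OperationalOrder("modify", "/share/dept-a/report.txt", "internal")
    print(identify(order, user, db))                     # ('first', None)
    judge_execution(order, ["mass_content_change"], db)  # feedback marks it illegal
    print(identify(order, user, db))                     # ('second', 'rule_marked_valid')
```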
Optionally, the method for accessing an intranet server provided by this embodiment can further comprise the following step:
The client plug-in receives an update instruction sent by the intranet server; the update instruction is used to update the recognition rules.
The client plug-in can update the recognition rules according to the instruction of the intranet server: it can change existing recognition rules to make them more complete, and it can also add new recognition rules.
Furthermore it is also possible to which the more new command for making client plug-in only be sent according to intranet server is updated, it is avoided His terminal sends more new command to client plug-in, the problem of making the function of client plug-in destroyed.
The method for accessing an intranet server provided by this embodiment can display to the user the stored content corresponding to the user's authority, thereby improving the security level of the intranet server. It can also judge whether an operational order is legal from two aspects, namely whether the user has the authority to perform the operational order and whether the instruction itself is legal, so that operational orders are judged more reasonably, and then notify the intranet server according to the judgment result whether to perform the received operational order. This avoids the intranet server directly performing received operational orders, and the resulting problem of the content stored in the intranet server being modified arbitrarily or maliciously.
Fig. 3 is a structural diagram of a device for controlling access to an intranet server shown in an exemplary embodiment of the invention.
As shown in Fig. 3, the device provided by this embodiment comprises:
Handling module 31, for capturing the operational order by which a user operates on content stored in the intranet server;
Identification module 32, for identifying whether the operational order is a legal, valid operational order that the intranet server is able to perform;
If so, sending module 33 sends the first instruction message to the intranet server, the first instruction message instructing the intranet server to perform the operational order;
If not, sending module 33 sends the second instruction message to the intranet server, the second instruction message instructing the intranet server to refuse to perform the operational order.
Here handling module 31 is connected with identification module 32, and identification module 32 is connected with sending module 33.
In the device for controlling access to an intranet server provided by this embodiment, a client plug-in captures the operational order by which a user operates on content stored in the intranet server, and then identifies whether the operational order is a legal, valid operational order that the intranet server is able to perform; if so, the client plug-in sends the first instruction message to the intranet server so that the intranet server performs the operational order; if not, the client plug-in sends the second instruction message to the intranet server so that the intranet server refuses to perform the operational order. Using the client plug-in to judge whether an operational order issued by a user is legal, and to send an instruction message to the intranet server according to the judgment result so that the intranet server performs or refuses the corresponding operational order according to that message, can increase the security of the intranet server and avoid the intranet server directly performing operational orders sent by users, which would leave the content in the intranet server open to arbitrary or even malicious modification. At the same time, because the above steps are performed by the client plug-in, the function of restricting users from performing illegal operations on the intranet server can be realized without changing the original interaction flow between the user and the intranet server, so that adjusting the function of the plug-in only requires changing the client plug-in itself and not the interaction flow between the user and the intranet server, which is more convenient.
The specific principle and implementation of the device provided by this embodiment are similar to those of the embodiment shown in Fig. 1 and are not repeated here.
Fig. 4 is a structural diagram of a device for controlling access to an intranet server shown in another exemplary embodiment of the invention.
As shown in Fig. 4, on the basis of the above embodiment, in the device for controlling access to an intranet server provided by this embodiment, identification module 32 is specifically used for identifying, according to preset recognition rules, whether the operational order is a legal, valid operational order that the intranet server is able to perform;
Here the recognition rules comprise at least one of the following rules:
Whether the user has the authority to perform the operational order;
Whether the operational order is marked as a valid instruction in the instruction database.
Specifically, the authority comprises the execution authority of the operational order and/or the access rights to the content operated on by the operational order;
Here the execution authority of the operational order comprises at least one of the following authorities:
Delete authority, modification authority, creation authority, copy authority, cut authority, share authority, send authority, view authority;
The access rights to the content operated on by the operational order comprise at least one of the following authorities:
Accessible storage region authority, classification authority of accessible content.
The device provided by this embodiment further comprises: first acquisition module 34, for obtaining the execution result of the intranet server performing the operational order;
Judge module 35, for judging, according to the execution result, whether the operational order is legal;
If not, mark module 36 marks the operational order as illegal in the instruction database.
Here first acquisition module 34, judge module 35 and mark module 36 are connected in sequence, and mark module 36 is also connected with identification module 32.
The device provided by this embodiment further comprises: update module 37, for receiving an update instruction sent by the intranet server; the update instruction is used to update the recognition rules.
Specifically, update module 37 can be connected with identification module 32.
The device provided by this embodiment further comprises:
Monitoring module 38, for monitoring the behaviour of a user logging in to the intranet server;
Second acquisition module 39, for obtaining the account information of the user after monitoring module 38 determines that the user has logged in to the intranet server;
Second acquisition module 39 is further used for obtaining, according to the account information of the user, the access rights of the user to the intranet server;
Display module 40, for displaying to the user, according to the access rights, an access page for the content stored in the intranet server;
Accordingly, handling module 31 further comprises recognition unit 311, for identifying the operational order by which the user operates, on the access page, on content stored in the intranet server.
Here monitoring module 38, second acquisition module 39 and display module 40 are connected in sequence, and display module 40 is also connected with recognition unit 311.
The device for controlling access to an intranet server provided by this embodiment can display to the user the stored content corresponding to the user's authority, thereby improving the security level of the intranet server. It can also judge whether an operational order is legal from two aspects, namely whether the user has the authority to perform the operational order and whether the instruction itself is legal, so that operational orders are judged more reasonably, and then notify the intranet server according to the judgment result whether to perform the received operational order. This avoids the intranet server directly performing received operational orders, and the resulting problem of the content stored in the intranet server being modified arbitrarily or maliciously.
The specific principle and implementation of the device provided by this embodiment are similar to those of the embodiment shown in Fig. 2 and are not repeated here.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by program instructions executed on related hardware. The foregoing program can be stored in a computer-readable storage medium; when executed, the program performs the steps of the above method embodiments. The foregoing storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disk.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the invention.

Claims (14)

  1. A method for accessing an intranet server, characterized in that it comprises:
    a client plug-in captures the operational order by which a user operates on content stored in the intranet server;
    the client plug-in identifies whether the operational order is a legal, valid operational order that the intranet server is able to perform;
    if so, the client plug-in sends a first instruction message to the intranet server, the first instruction message instructing the intranet server to perform the operational order;
    if not, the client plug-in sends a second instruction message to the intranet server, the second instruction message instructing the intranet server to refuse to perform the operational order.
  2. The method according to claim 1, characterized in that the client plug-in identifying whether the operational order is a legal, valid operational order that the intranet server is able to perform comprises:
    the client plug-in identifies, according to preset recognition rules, whether the operational order is a legal, valid operational order that the intranet server is able to perform;
    wherein the recognition rules comprise at least one of the following rules:
    whether the user has the authority to perform the operational order;
    whether the operational order is marked as a valid instruction in an instruction database.
  3. The method according to claim 2, characterized in that the authority comprises: the execution authority of the operational order and/or the access rights to the content operated on by the operational order.
  4. The method according to claim 3, characterized in that the execution authority of the operational order comprises at least one of the following authorities:
    delete authority, modification authority, creation authority, copy authority, cut authority, share authority, send authority, view authority.
  5. The method according to claim 3, characterized in that the access rights to the content operated on by the operational order comprise at least one of the following authorities:
    accessible storage region authority, classification authority of accessible content.
  6. The method according to any one of claims 2 to 5, characterized in that it further comprises:
    the client plug-in obtains the execution result of the intranet server performing the operational order;
    the client plug-in judges, according to the execution result, whether the operational order is legal;
    if not, the client plug-in marks the operational order as illegal in the instruction database.
  7. The method according to any one of claims 2 to 5, characterized in that it further comprises:
    the client plug-in receives an update instruction sent by the intranet server, the update instruction being used to update the recognition rules.
  8. The method according to any one of claims 1 to 5, characterized in that, before the client plug-in captures the operational order by which the user operates on content stored in the intranet server, the method further comprises:
    the client plug-in monitors the behaviour of the user logging in to the intranet server;
    after determining that the user has logged in to the intranet server, the client plug-in obtains the account information of the user;
    the client plug-in obtains, according to the account information of the user, the access rights of the user to the intranet server;
    the client plug-in displays to the user, according to the access rights, an access page for the content stored in the intranet server;
    accordingly, the client plug-in capturing the operational order by which the user operates on content stored in the intranet server comprises:
    the client plug-in identifies the operational order by which the user operates, on the access page, on content stored in the intranet server.
  9. A device for controlling access to an intranet server, characterized in that it comprises:
    a handling module, for capturing the operational order by which a user operates on content stored in the intranet server;
    an identification module, for identifying whether the operational order is a legal, valid operational order that the intranet server is able to perform;
    if so, a sending module sends a first instruction message to the intranet server, the first instruction message instructing the intranet server to perform the operational order;
    if not, the sending module sends a second instruction message to the intranet server, the second instruction message instructing the intranet server to refuse to perform the operational order.
  10. The device according to claim 9, characterized in that the identification module is specifically used for identifying, according to preset recognition rules, whether the operational order is a legal, valid operational order that the intranet server is able to perform;
    wherein the recognition rules comprise at least one of the following rules:
    whether the user has the authority to perform the operational order;
    whether the operational order is marked as a valid instruction in an instruction database.
  11. The device according to claim 10, characterized in that the authority comprises: the execution authority of the operational order and/or the access rights to the content operated on by the operational order;
    wherein the execution authority of the operational order comprises at least one of the following authorities:
    delete authority, modification authority, creation authority, copy authority, cut authority, share authority, send authority, view authority;
    the access rights to the content operated on by the operational order comprise at least one of the following authorities:
    accessible storage region authority, classification authority of accessible content.
  12. The device according to claim 10 or 11, characterized in that it further comprises:
    a first acquisition module, for obtaining the execution result of the intranet server performing the operational order;
    a judge module, for judging, according to the execution result, whether the operational order is legal;
    if not, a mark module marks the operational order as illegal in the instruction database.
  13. The device according to claim 10 or 11, characterized in that it further comprises: an update module, for receiving an update instruction sent by the intranet server, the update instruction being used to update the recognition rules.
  14. The device according to any one of claims 9 to 11, characterized in that it further comprises:
    a monitoring module, for monitoring the behaviour of the user logging in to the intranet server;
    a second acquisition module, for obtaining the account information of the user after the monitoring module determines that the user has logged in to the intranet server;
    the second acquisition module is further used for obtaining, according to the account information of the user, the access rights of the user to the intranet server;
    a display module, for displaying to the user, according to the access rights, an access page for the content stored in the intranet server;
    accordingly, the handling module further comprises a recognition unit, for identifying the operational order by which the user operates, on the access page, on content stored in the intranet server.
CN201710972239.9A 2017-10-18 2017-10-18 Method for accessing intranet server and device for controlling access to intranet server Expired - Fee Related CN107786551B (en)


Publications (2)

Publication Number Publication Date
CN107786551A true CN107786551A (en) 2018-03-09
CN107786551B CN107786551B (en) 2020-04-28




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20200420
Address after: 310052 room 508, floor 5, building 4, No. 699, Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province
Patentee after: Alibaba (China) Co.,Ltd.
Address before: 510627 Guangdong city of Guangzhou province Whampoa Tianhe District Road No. 163 Xiping Yun Lu Yun Ping square B radio tower 13 layer self unit 01
Patentee before: GUANGZHOU SHENMA MOBILE INFORMATION TECHNOLOGY Co.,Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20200428
Termination date: 20201018