CN108632253B - Client data security access method and device based on mobile terminal - Google Patents


Info

Publication number: CN108632253B
Application number: CN201810294695.7A
Authority: CN (China)
Prior art keywords: access, access object, client data, mobile terminal, authority
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108632253A
Inventor: 刘俊廷
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201810294695.7A
Priority to PCT/CN2018/101558 (WO2019192129A1)
Publication of CN108632253A
Application granted
Publication of CN108632253B

Classifications

    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62; G06F21/60 Protecting data)
    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/1408 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
    • H04W12/06 Wireless communication networks: security arrangements; authentication
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F21/00)

Abstract

The invention relates to a client data security access method and device based on a mobile terminal. The client data security access method based on the mobile terminal comprises the following steps: when the mobile terminal runs a client management application, performing identity verification on an access object (the user who requests client data access); when the access object passes identity verification, requesting the server side to feed back the access authority of the access object according to the identity information of the access object; and providing client data access to the access object according to its access authority. The method solves the problem in the prior art that access to client data from an external network is poorly secured.

Description

Client data security access method and device based on mobile terminal
Technical Field
The invention relates to the technical field of computers, in particular to a client data secure access method and device based on a mobile terminal.
Background
At present, in order to secure client data access, client data is usually deployed in an intranet, and an access object can reach the intranet, and thus the client data, only through a PC terminal. Consequently, outside working hours the intranet cannot be reached, the access object cannot access the client data, and therefore cannot follow up with clients or maintain client relationships.
In other words, the access object cannot securely access the client data through the external network. The prior art therefore proposes a method of accessing client data through the external network based on a mobile terminal, which secures such access by verifying the identity of the access object. However, the identity credentials of the access object are exposed to viruses and other malware on the external network, so identity verification alone cannot sufficiently secure client data access from the external network.
It follows that secure access to client data through the external network remains an urgent problem.
Disclosure of Invention
In order to solve the above technical problems, an object of the present invention is to provide a method and an apparatus for secure access to client data based on a mobile terminal.
The technical scheme adopted by the invention is as follows:
in one aspect, a client data security access method based on a mobile terminal includes: when the mobile terminal runs a client management application, performing identity verification on an access object that requests client data access; when the access object passes identity verification, requesting the server side to feed back the access authority of the access object according to the identity information of the access object; and providing client data access to the access object according to its access authority.
In another aspect, a client data security access device based on a mobile terminal includes: an identity verification module, used for verifying the identity of an access object that requests client data access when the mobile terminal runs a client management application; an authority acquisition module, used for requesting the server side to feed back the access authority of the access object according to the identity information of the access object when the access object passes identity verification; and a data access module, used for providing client data access to the access object according to its access authority.
In an exemplary embodiment, the identity verification module includes: an information acquisition unit, used for acquiring the identity information of the access object according to an operation triggered by the access object in the client management application run by the mobile terminal; a result acquisition unit, used for requesting the server side to perform an identity information matching search according to the identity information of the access object and obtaining the matching search result; and a verification passing unit, used for determining that the identity information of the access object has passed identity verification if the matching search result indicates that identity information consistent with that of the access object exists in the server.
In an exemplary embodiment, the device further includes: an authority receiving module, used for receiving, at the server side, the access authority reported by the PC terminal for the access object while the access object accesses client data through the PC terminal; and a relationship establishing module, used for establishing an association between the access authority of the access object and its identity information, and providing an access authority feedback service on the basis of that association.
In an exemplary embodiment, the device further includes: a log record generating module, used for generating, at the PC terminal, a log record indicating the access behaviour of the access object during its client data access; and an authority configuration module, used for configuring the access authority of the access object according to the access behaviour indicated by the log record and reporting that access authority to the server.
In an exemplary embodiment, the web page resources of the client data are stored in an isolated area, and the data access module includes: a request initiating unit, used for initiating a client data access request according to the web page link address stored in the client management application; a resource requesting unit, used for requesting the web page resources of the client data from the isolated area through the client data access request; a data display unit, used for displaying the client data in the client management application according to the web page resources of the client data; and an access control unit, used for controlling the access object's access to the displayed client data according to its access authority.
In another aspect, a device for secure access to client data based on a mobile terminal includes a processor and a memory, where the memory stores computer-readable instructions, and the computer-readable instructions, when executed by the processor, implement the method for secure access to client data based on a mobile terminal as described above.
In another aspect, a computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements a mobile terminal-based client data secure access method as described above.
In the technical scheme, the client management application running on the mobile terminal verifies the identity of an access object that requests client data access; when the access object passes identity verification, the server is requested to feed back the access authority of the access object according to its identity information, a client data access request is initiated according to that access authority, and client data access is provided to the access object through that request.
That is to say, the client management application running on the mobile terminal provides the access object with client data access from the external network, and the security of that access is ensured by the identity verification and the access authority of the access object, which solves the problem of poor security of client data access from the external network in the prior art.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
FIG. 1 is a schematic illustration of an implementation environment in accordance with the present invention.
Fig. 2 is a block diagram illustrating a hardware configuration of a mobile terminal according to an exemplary embodiment.
Fig. 3 is a flowchart illustrating a method for secure access to client data based on a mobile terminal according to an exemplary embodiment.
Fig. 4 is a flowchart illustrating another method for secure access to client data based on a mobile terminal according to an example embodiment.
FIG. 5 is a flow chart of one embodiment of step 310 in the corresponding embodiment of FIG. 3.
Fig. 6 is a flowchart illustrating another method for secure access to client data based on a mobile terminal according to an example embodiment.
FIG. 7 is a flow diagram for one embodiment of step 350 of the corresponding embodiment of FIG. 3.
Fig. 8 is a block diagram illustrating a mobile terminal based client data secure access apparatus according to an example embodiment.
While specific embodiments of the invention have been shown by way of example in the drawings and will be described in detail hereinafter, such drawings and description are not intended to limit the scope of the inventive concepts in any way, but rather to explain the inventive concepts to those skilled in the art by reference to the particular embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Fig. 1 is a schematic diagram of an implementation environment related to a secure client data access method based on a mobile terminal. The implementation environment includes a mobile terminal 100, a server 200, and a PC 300.
The mobile terminal 100 may be a notebook computer, a tablet computer, a smart phone, or any other portable electronic device that can run the client management application; this is not limited herein.
The PC terminal 300 is a desktop computer which, unlike the mobile terminal 100, is not portable.
The mobile terminal 100 and the PC terminal 300 each establish a communication connection with the server 200, including but not limited to a wireless network connection or a wired network connection, and client data is transmitted over the established connection.
Specifically, the client management application running on the mobile terminal 100 provides the access object with client data access from the external network, while the PC terminal 300 provides the access object with client data access from the intranet, thereby broadening the ways in which client data can be accessed.
Referring to fig. 2, fig. 2 is a block diagram illustrating a mobile terminal according to an example embodiment.
It should be noted that the mobile terminal 100 is merely one example suited to the present invention and should not be taken as limiting its scope in any way. Nor should the mobile terminal 100 be construed as necessarily depending on, or having, one or more of the components of the exemplary mobile terminal 100 shown in fig. 2.
As shown in fig. 2, the mobile terminal 100 includes a memory 101, a memory controller 103, one or more (only one shown in fig. 2) processors 105, a peripheral interface 107, a radio frequency module 109, a positioning module 111, a camera module 113, an audio module 115, a touch screen 117, and a key module 119. These components communicate with each other via one or more communication buses/signal lines 121.
The memory 101 may be used to store computer programs and modules, such as the computer-readable instructions and modules corresponding to the method and device for secure access to client data based on a mobile terminal in the exemplary embodiments of the present invention. The processor 105 performs various functions and data processing by executing the computer-readable instructions stored in the memory 101, thereby carrying out the method for secure access to client data based on a mobile terminal.
The memory 101, as the carrier of resource storage, may be random access memory, e.g. high-speed random access memory, or non-volatile memory such as one or more magnetic storage devices, flash memory, or other solid-state memory. The storage may be transient or persistent.
The peripheral interface 107 may include at least one wired or wireless network interface, at least one serial-to-parallel conversion interface, at least one input/output interface, at least one USB interface, and the like, for coupling various external input/output devices to the memory 101 and the processor 105, so as to realize communication with various external input/output devices.
The rf module 109 is configured to receive and transmit electromagnetic waves, and achieve interconversion between the electromagnetic waves and electrical signals, so as to communicate with other devices through a communication network. Communication networks include cellular telephone networks, wireless local area networks, or metropolitan area networks, which may use various communication standards, protocols, and technologies.
The positioning module 111 is used for acquiring the current geographic position of the mobile terminal 100. Examples of the positioning module 111 include, but are not limited to, a global positioning satellite system (GPS), a wireless local area network-based positioning technology, or a mobile communication network-based positioning technology.
The camera module 113 is coupled to a camera and is used for taking pictures or videos. The pictures or videos can be stored in the memory 101 or sent to a host computer through the radio frequency module 109.
Audio module 115 provides an audio interface to a user, which may include one or more microphone interfaces, one or more speaker interfaces, and one or more headphone interfaces. And performing audio data interaction with other equipment through the audio interface. The audio data may be stored in the memory 101 and may also be transmitted through the radio frequency module 109.
The touch screen 117 provides an input/output interface between the mobile terminal 100 and a user. Specifically, the user may perform an input operation, such as a gesture operation, e.g., a click, a touch, a slide, etc., through the touch screen 117 to make the mobile terminal 100 respond to the input operation. The mobile terminal 100 displays and outputs output contents formed by any one or combination of text, pictures or videos to the user through the touch screen 117.
The key module 119 includes at least one key for providing an interface for a user to input to the mobile terminal 100, and the user can cause the mobile terminal 100 to perform different functions by pressing different keys. For example, the sound adjustment key may allow the user to adjust the volume of sound played by the mobile terminal 100.
It is to be understood that the configuration shown in fig. 2 is merely exemplary, and that the mobile terminal 100 may include more or fewer components than shown in fig. 2, or different components than shown in fig. 2. The components shown in fig. 2 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 3, in an exemplary embodiment, the method for secure access to client data based on a mobile terminal is applied to the mobile terminal in the implementation environment shown in fig. 1, whose structure may be as shown in fig. 2.
The client data security access method based on the mobile terminal may be executed by the mobile terminal and comprises the following steps:
step 310, when the mobile terminal runs the client management application, verifying the identity of the access object.
First, the client management application is pre-installed and deployed on the mobile terminal and is used to provide the access object with client data access from the external network. That is, once the client management application is installed and deployed on the mobile terminal, the access object can reach the client data over the external network through the application, and thereby carry out client management, i.e. follow up with clients, maintain client relationships, and so on.
Secondly, in order to secure client data access, the access object is subjected to identity verification, and only an access object that passes identity verification may use the client management application to reach the external network and perform subsequent client data access.
Further, identity verification of the access object means checking the validity of the identity information of the access object. The validity check compares the identity information of the access object with the identity information of the many access objects stored by the server; if a consistent record is found, the access object passes identity verification.
The identity information of the access object uniquely identifies the access object and includes, but is not limited to, the account number, password, identification number and contact details of the access object. In other words, the identity information accurately describes the identity of the access object: different access objects have different identities and therefore different identity information.
In a specific implementation of an embodiment, the access object is an insurance policy sales agent and the client data relates to policies purchased by the client, including but not limited to: client name, client identification number, client contact details, policy number, policy payment term, policy payment amount, and so on.
The following describes the process by which the server stores the identity information of the many access objects.
Specifically, in order to access client data, an access object first initiates a client data access request to the server through a PC terminal. On receiving the request, the server extracts the identity card number from the access object identity information carried in the request and performs identity authentication on the access object.
This identity authentication is carried out by a third-party identity authentication authority, for example against the identity card numbers held by that authority: if the authority holds a consistent identity card number, the access object passes identity authentication.
When the access object passes identity authentication, the server stores the identity information of the authenticated access object, so that identity verification of the access object initiated from the mobile terminal can subsequently be performed, ensuring that secure client data access based on the mobile terminal can be implemented.
In other words, an access object can access client data from the mobile terminal only after it has passed the third-party identity authentication during client data access through the PC terminal, which provides a substantial guarantee of the security of client data access from the external network.
Step 330, when the access object passes identity verification, requesting the server side to feed back the access authority of the access object according to the identity information of the access object.
The access authority of the access object reflects the access behaviour of the access object while accessing client data through the PC terminal. Access authority includes, but is not limited to: add permission, modify permission, delete permission, and so on.
For example, if the access object modifies client data while accessing client data through the PC terminal, then, by virtue of that data-modifying access behaviour, the access authority of the access object includes modify permission.
Furthermore, the access authority of the access object is reported by the PC terminal to the server side for storage.
In a specific implementation of an embodiment, as shown in fig. 4, before step 330 the method described above may further include the following steps:
step 410, while the access object accesses client data through the PC terminal, the server receives the access authority reported by the PC terminal for the access object.
Step 430, establishing an association between the access authority of the access object and its identity information, and providing an access authority feedback service on the basis of that association.
Specifically, as described above, the server stores the identity information of many access objects in order to verify their identity. The access authority of an access object also reaches the server through the report from the PC terminal, so the server can store the access authority and associate it with the identity information of the access object; identity information and access authority are thus stored in association, which makes it convenient to provide the access authority feedback service.
Therefore, when the access object passes identity verification, its access authority can be obtained from the server according to its identity information.
In the above process, from the point of view of the mobile terminal, the access authority of the access object is closely tied to its access behaviour when accessing client data on the PC terminal. Put differently, whether the access object accesses client data through the PC terminal or through the mobile terminal, its access authority over the client data is always consistent, which provides a substantial guarantee for the secure client data access that follows.
Step 350, providing client data access to the access object according to the access authority of the access object.
After the access authority of the access object has been obtained, the client data access of the access object can be controlled on the basis of that authority.
That is, client data access based on the mobile terminal is bounded by the access authority of the access object, which further secures client data access.
Through the above process, client data access by the access object from the external network is realised by means of the client management application running on the mobile terminal. That is, thanks to the portability of the mobile terminal, the access object can reach the client data over the external network at any time, follow up with clients in real time and maintain client relationships, so that the engagement between the access object and its clients is fully ensured.
In one application scenario, in order to access client data based on the mobile terminal, the PC terminal is first used to request a third-party identity authentication authority to perform a first identity authentication of the access object; the mobile terminal is then used to request the server side to perform a second identity verification of the access object; and finally the access object is controlled to access client data securely according to the access authority fed back by the server side. Secure client data access is thereby protected at several points, and the security of client data access is fully ensured.
Referring to FIG. 5, in an exemplary embodiment, step 310 may include the following steps:
Step 311: in the client management application run by the mobile terminal, acquire the identity information of the access object according to an operation triggered by the access object.
To verify the identity of the access object, the client management application provides an entry for acquiring the identity information of the access object. When the access object wants to access client data, it triggers the corresponding operation at this entry, so that the client management application obtains the identity information of the access object and then verifies the identity of the access object according to that information.
For example, the client management application displays an input dialog box in a display page, and the access object can enter its identity information in the dialog box; here the input dialog box is the entry, and the input operation is the operation triggered at the entry by the access object in order to access client data.
Step 313: according to the identity information of the access object, request the server to perform an identity information matching search and obtain the matching search result.
As described above, the server stores the identity information of a large number of access objects; the identity information matching search therefore means comparing the identity information of the access object with the identity information of the access objects stored in the server, one by one.
Thus, if the matching search finds identity information in the server that is consistent with the identity information of the access object, the process proceeds to step 315 and the access object is determined to pass the identity authentication.
Conversely, if no identity information consistent with that of the access object exists in the server, the access object is determined not to pass the identity authentication, that is, it is an illegitimate visitor, and it is not authorized to access the client data through the mobile terminal.
Step 315: if the matching search result indicates that identity information consistent with the identity information of the access object exists in the server, determine that the identity information of the access object passes identity authentication.
In a specific implementation of an embodiment, on the mobile terminal, when the access object passes the authentication it is allowed to log in to the client management application; and once it is logged in, the client management application enables the access object to access the external network in order to perform the client data access.
With this embodiment, only an access object that has passed identity authentication is qualified to access the external network in order to access client data, so the security of external network access is ensured and the security of client data access is further improved.
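The server-side identity information matching search of steps 313 and 315, as an added example that is not part of the patent text. The patent does not specify what the stored identity information looks like or how the comparison is made; the example assumes each access object is stored as an account identifier plus a salted hash of a secret, and that a submitted identity is "consistent" with a record when the account exists and the secret hashes to the stored value. A missing account is deliberately made indistinguishable from a wrong secret, which is the check a practitioner wants so the search does not leak which accounts exist.

```python
"""Server-side identity information matching search (steps 313-315).

Added example; record layout, helper names and the PBKDF2 parameters are
assumptions for illustration, not the patent's own design.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityRecord:
    account: str
    salt: bytes
    secret_hash: bytes


_ITERATIONS = 100_000  # assumed work factor for the example


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2-HMAC-SHA256; the stored secret is never kept in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)


def enroll(store: dict, account: str, secret: str) -> None:
    """Add one access object's identity record to the server-side store."""
    salt = os.urandom(16)
    store[account] = IdentityRecord(account, salt, _hash_secret(secret, salt))


def matching_search(store: dict, account: str, secret: str) -> bool:
    """Step 313: look for stored identity information consistent with the submission.

    Returns True (step 315: authentication passes) only when a record exists for
    the account and the submitted secret hashes to the stored value.  A missing
    account burns the same hashing cost as a real comparison so that the response
    time does not reveal whether the account exists.
    """
    record = store.get(account)
    if record is None:
        _hash_secret(secret, b"\x00" * 16)  # dummy salt, fixed for the example
        return False
    candidate = _hash_secret(secret, record.salt)
    return hmac.compare_digest(candidate, record.secret_hash)


def authenticate(store: dict, account: str, secret: str) -> dict:
    """Outcome of steps 313-315 as the client management application sees it:
    only an authenticated access object may log in and proceed to data access."""
    passed = matching_search(store, account, secret)
    return {"account": account, "authenticated": passed, "may_login": passed}


if __name__ == "__main__":
    server_store: dict = {}
    enroll(server_store, "agent-001", "correct horse battery staple")  # constructed
    print(authenticate(server_store, "agent-001", "correct horse battery staple"))
    print(authenticate(server_store, "agent-001", "wrong secret"))
    print(authenticate(server_store, "nobody", "anything"))
```

The lookup by account identifier replaces the literal one-by-one comparison described above with a dictionary lookup; the result is the same (exactly one consistent record or none), and the constant-time digest comparison avoids an early-exit timing difference on the hash itself.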
Referring to FIG. 6, in an exemplary embodiment, before step 410 the method described above may further include the following steps:
Step 510: during the client data access process of the access object, the PC end generates a log record indicating the access behavior of the access object.
While accessing client data, the access object performs a series of access behaviors, for example modifying or adding client data. The PC end therefore generates log records according to these access behaviors, so that the access behavior of the access object can be traced if a fault occurs in the system later.
As can be seen from the above, the log record indicates the access behavior of the access object; in other words, the log record provides an accurate description of that access behavior.
For example, when the access object deletes client data during the access process, the PC end generates a corresponding log record according to this deletion behavior. The log record carries a behavior ID that uniquely identifies the deletion behavior.
Step 530: configure the access authority of the access object according to the access behavior indicated by the log record, and report the access authority of the access object to the server.
After the log record indicating the access behavior of the access object is obtained, the access authority of the access object can be configured. For example, if the access behavior is deleting client data, the access authority configured for the access object is a deletion authority.
For the server, after the PC end completes the configuration of the access authority, it can receive the access authority configured for the access object by the PC end.
Furthermore, the access authority may be reported according to a selection operation triggered by the access object on the PC end; that is, the access authorities allowed to be reported to the server are selected according to the actual needs of the access object.
Preferably, the access authorities allowed to be reported to the server are the creation authority and the addition authority, and do not include the modification authority or the deletion authority, so that if the external network access is subject to an illegal attack the client data cannot be modified or deleted by mistaken operations, which further ensures the security of client data access.
Through the cooperation of the above embodiments, the access authority configuration of the access object is achieved, which allows the server to provide the access authority feedback service and thereby provides a reliable basis for ensuring secure access to client data.
In addition, because the access authority is configured from the log record, the access authority of the access object can be updated dynamically: it changes as the access behavior indicated by the log record changes. Thus, even if the access authority of the access object leaks because of a virus attack during the current external network access to client data, the access authority changes again with the access behavior of the access object during subsequent external network accesses, so the previously leaked access authority becomes invalid. This reduces the risk of the external network being vulnerable to virus attack and fully ensures the security of client data access performed through the external network.
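Steps 510 and 530 together with the server-side association of authority and identity (and the dynamic-update point of the preceding paragraph), as an added example that is not the patent's own code. The patent only says that a log record carries a behavior ID, that authorities are derived from the behaviors the log indicates, that the access object selects which authorities are reported (preferably only creation and addition), and that the server associates the reported authority with the identity. The record fields, the behavior-to-authority mapping and the version counter used to invalidate a previously reported (possibly leaked) authority are assumptions for illustration.

```python
"""Log-record-driven access authority configuration (steps 510, 530) and the
server-side association of authority with identity.

Added example; field names, the mapping from behaviour to authority and the
version scheme are assumptions, not the patent's design.
"""
from dataclasses import dataclass, field
import uuid

# Authorities the preferred embodiment allows to be reported to the server.
REPORTABLE = frozenset({"create", "add"})
ALL_AUTHORITIES = frozenset({"create", "add", "modify", "delete"})


@dataclass(frozen=True)
class LogRecord:
    behaviour_id: str  # uniquely identifies one access behaviour
    account: str       # identity information of the access object
    behaviour: str     # one of ALL_AUTHORITIES


def make_log_record(account: str, behaviour: str) -> LogRecord:
    """Step 510: the PC end generates a record for one access behaviour."""
    if behaviour not in ALL_AUTHORITIES:
        raise ValueError(f"unknown access behaviour: {behaviour}")
    return LogRecord(str(uuid.uuid4()), account, behaviour)


def configure_authority(records, account: str, selected=REPORTABLE) -> frozenset:
    """Step 530: derive the authorities implied by the log for one access object
    and keep only those the selection operation on the PC end allows to be
    reported.  With the default selection, modify/delete are never reported."""
    implied = {r.behaviour for r in records if r.account == account}
    return frozenset(implied & selected)


@dataclass
class Server:
    """Server end: identity -> (version, authorities) association."""
    associations: dict = field(default_factory=dict)

    def receive_report(self, account: str, authorities) -> int:
        """Accept a report from the PC end; each report supersedes the last."""
        version = self.associations.get(account, (0, frozenset()))[0] + 1
        self.associations[account] = (version, frozenset(authorities))
        return version

    def feedback(self, account: str) -> tuple:
        """Access authority feedback service queried by the mobile terminal."""
        return self.associations.get(account, (0, frozenset()))

    def is_current(self, account: str, version: int) -> bool:
        """An authority carrying a superseded version (e.g. one that leaked during
        an earlier external-network session) is no longer honoured."""
        return self.associations.get(account, (0,))[0] == version


if __name__ == "__main__":
    # Constructed sample log from one PC-end session.
    log = [make_log_record("agent-001", b) for b in ("create", "add", "delete")]
    server = Server()
    v1 = server.receive_report("agent-001", configure_authority(log, "agent-001"))
    print(server.feedback("agent-001"))          # (1, {'create', 'add'})
    # A later session changes the behaviour, so the authority changes too.
    later = [make_log_record("agent-001", "add")]
    server.receive_report("agent-001", configure_authority(later, "agent-001"))
    print(server.is_current("agent-001", v1))     # False: the earlier authority is invalid
```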
Referring to FIG. 7, in an exemplary embodiment, the web page resources of the client data are stored in an isolation zone (DMZ).
It will be appreciated that accessing client data through a mobile terminal over the external network is likely to carry potential security risks; for example, a hacker attack could damage the client data.
Therefore, in this embodiment, the web page resources of the client data are stored in the isolation zone, which is a network zone between the external network and the internal network, so that the external network and the internal network cannot communicate with each other directly, which ensures the security of the internal network.
Further, the isolation zone may be deployed on an independent server distinct from the external network server and the internal network server, or in a virtual machine on a server, for example a virtual machine on the external network server or on the internal network server, so as to make the deployment of the isolation zone more flexible and less complex; this embodiment does not limit the choice.
It should be noted that the web page resources of the client data are stored in the isolation zone so that the client data can be displayed by displaying the web page in the client management application.
Accordingly, step 350 may include the following steps:
Step 351: initiate a client data access request according to the web page link address stored by the client management application.
The web page link address corresponds to the web page resource of the client data and records the storage location of that web page resource in the isolation zone.
Therefore, different client data correspond to different web page resources stored in the isolation zone and hence to different web page link addresses, so client data access requests can be initiated through different web page link addresses to access client data at different storage locations in the isolation zone.
Step 353: request the web page resource of the client data from the isolation zone through the client data access request.
The isolation zone extracts the web page link address from the client data access request, obtains the web page resource of the client data at the corresponding storage location in the isolation zone, and returns the obtained web page resource to the mobile terminal that initiated the request.
That is, the isolation zone stores the web page resources of the client data for the client management application; as long as the mobile terminal interacts with the isolation zone, it can initiate a client data access request to the isolation zone through the web page link address stored by the client management application and obtain the web page resource of the client data from the isolation zone.
Step 355: display the client data in the client management application according to the web page resource of the client data.
Step 357: control the access object to access the displayed client data according to the access authority.
In this process, based on the client management application pre-installed and deployed on the mobile terminal, the access object accesses the client data in the isolation zone through the external network; client data access is no longer restricted to a PC end connected to the internal network, the security of client data access is ensured, and the universality of client data access is enhanced.
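The isolation-zone side of steps 351 to 357, as an added example that is not the patent's own code. The patent says only that the link address stored by the client management application records a storage location in the isolation zone, that the isolation zone extracts the address from the request and returns the resource, and that access to the displayed data is controlled by the access authority. The example assumes the resources are files under a storage root and the request is a small dictionary; it adds the check a practitioner wants here, namely that a link address supplied from the external network can never name a location outside the isolation zone's storage root, and it gates actions on the displayed data by the authority set fed back by the server.

```python
"""Isolation-zone (DMZ) resolution of web page link addresses and
authority-gated access to displayed client data (steps 351-357).

Added example; storage layout, request format and action names are
assumptions for illustration.
"""
from pathlib import Path
import tempfile


class DmzStore:
    """Web page resources of client data held in the isolation zone."""

    def __init__(self, root: Path):
        self.root = root.resolve()

    def resolve(self, link_address: str) -> Path:
        """Map a link address to a file strictly under the storage root.
        Anything that escapes the root (e.g. '../') is refused, so a request
        from the external network cannot reach beyond the isolation zone."""
        candidate = (self.root / link_address.lstrip("/")).resolve()
        if self.root not in candidate.parents:
            raise PermissionError(f"link address escapes isolation zone: {link_address}")
        return candidate

    def fetch(self, request: dict) -> bytes:
        """Step 353: extract the link address from the request and return the resource."""
        path = self.resolve(request["link_address"])
        if not path.is_file():
            raise FileNotFoundError(request["link_address"])
        return path.read_bytes()

    def serve(self, request: dict) -> dict:
        """Request handling with outcomes the mobile terminal can act on."""
        try:
            return {"status": "ok", "body": self.fetch(request)}
        except PermissionError:
            return {"status": "refused", "body": None}
        except FileNotFoundError:
            return {"status": "not_found", "body": None}


def make_access_request(link_address: str, account: str) -> dict:
    """Step 351: the client management application builds the request from
    the link address it stores and the identity of the access object."""
    return {"link_address": link_address, "account": account}


def control_access(action: str, authorities: frozenset) -> bool:
    """Step 357: an action on the displayed data is permitted only if it lies
    within the access authority fed back by the server."""
    return action in authorities


def build_demo_store() -> DmzStore:
    """Constructed sample isolation zone holding one client's web page resource."""
    root = Path(tempfile.mkdtemp(prefix="dmz-"))
    (root / "clients").mkdir()
    (root / "clients" / "c1001.html").write_text("<h1>Client 1001</h1>")
    return DmzStore(root)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.serve(make_access_request("clients/c1001.html", "agent-001")))
    print(store.serve(make_access_request("../../etc/passwd", "agent-001")))   # refused
    granted = frozenset({"create", "add"})   # as fed back by the server
    print(control_access("add", granted), control_access("delete", granted))  # True False
```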
The following is an embodiment of the apparatus of the present invention, which can be used to execute the mobile-terminal-based client data secure access method of the present invention. For details not disclosed in the apparatus embodiment, please refer to the method embodiments of the mobile-terminal-based client data secure access method of the present invention.
Referring to FIG. 8, in an exemplary embodiment, a mobile-terminal-based client data secure access apparatus 900 includes, but is not limited to: an identity authentication module 910, an authority acquisition module 930, and a data access module 950.
The identity authentication module 910 is configured to perform identity authentication on an access object, which requests to perform client data access, when the mobile terminal runs the client management application.
The authority acquisition module 930 is configured to request the server to feed back the access authority of the access object according to the identity information of the access object when the access object passes the identity authentication.
The data access module 950 is configured to provide client data access for the access object according to the access authority of the access object.
It should be noted that when the mobile-terminal-based client data secure access apparatus performs the mobile-terminal-based client data secure access processing, the division into the above functional modules is merely illustrative; in practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above.
In addition, the mobile-terminal-based client data secure access apparatus provided in the foregoing embodiment and the mobile-terminal-based client data secure access method belong to the same concept; the specific ways in which each module performs its operations have been described in detail in the method embodiments and are not repeated here.
In an exemplary embodiment, a mobile-terminal-based client data secure access device includes a processor and a memory.
The memory stores computer-readable instructions which, when executed by the processor, implement the mobile-terminal-based client data secure access method of the above embodiments.
In an exemplary embodiment, a computer-readable storage medium has a computer program stored thereon which, when executed by a processor, implements the mobile-terminal-based client data secure access method of the above embodiments.
The above embodiments are merely preferred examples of the present invention and are not intended to limit it; those skilled in the art can easily make various changes and modifications according to the main concept and spirit of the present invention, so the scope of the present invention should be defined by the appended claims.

Claims (8)

1. A mobile-terminal-based client data secure access method, characterized by comprising the following steps:
when the mobile terminal runs a client management application, performing identity authentication on an access object, wherein the access object requests to perform client data access;
when the access object passes the identity authentication, requesting a server end to feed back the access authority of the access object according to the identity information of the access object;
providing client data access for the access object according to the access authority of the access object;
wherein the server end pre-establishes an association relationship between the access authority of the access object and the identity information, and provides an access authority feedback service through the establishment of the association relationship, which specifically includes:
during the process in which the access object accesses client data through a PC end, the PC end generating a log record indicating the access behavior of the access object; configuring the access authority of the access object according to the access behavior indicated by the log record, and reporting the access authority of the access object to the server end, wherein the access authority is reported according to a selection operation triggered by the access object on the PC end, and the reported access authority is selected as a creation authority or an addition authority;
the server end receiving the access authority reported by the PC end for the access object; and establishing the association relationship between the access authority of the access object and the identity information.
2. The method of claim 1, wherein performing identity authentication on the access object when the mobile terminal runs the client management application comprises:
in the client management application run by the mobile terminal, acquiring the identity information of the access object according to an operation triggered by the access object;
requesting the server end to perform an identity information matching search according to the identity information of the access object, to obtain a matching search result;
and if the matching search result indicates that identity information consistent with the identity information of the access object exists in the server end, determining that the identity information of the access object passes identity authentication.
3. The method of claim 1, wherein web page resources of the client data are stored in an isolation zone, and providing client data access for the access object according to the access authority of the access object comprises:
initiating a client data access request according to the web page link address stored by the client management application;
requesting the web page resource of the client data from the isolation zone through the client data access request;
displaying the client data in the client management application according to the web page resource of the client data;
and controlling the access object to access the displayed client data according to the access authority.
4. A mobile-terminal-based client data secure access apparatus, characterized by comprising:
an identity authentication module, configured to perform identity authentication on an access object when the mobile terminal runs a client management application, wherein the access object requests to perform client data access;
an authority acquisition module, configured to request a server end to feed back the access authority of the access object according to the identity information of the access object when the access object passes the identity authentication;
a data access module, configured to provide client data access for the access object according to the access authority of the access object;
wherein the server end pre-establishes an association relationship between the access authority of the access object and the identity information, and provides an access authority feedback service through the establishment of the association relationship, which specifically includes:
during the process in which the access object accesses client data through a PC end, the PC end generating a log record indicating the access behavior of the access object; configuring the access authority of the access object according to the access behavior indicated by the log record, and reporting the access authority of the access object to the server end, wherein the access authority is reported according to a selection operation triggered by the access object on the PC end, and the reported access authority is selected as a creation authority or an addition authority;
the server end receiving the access authority reported by the PC end for the access object; and establishing the association relationship between the access authority of the access object and the identity information.
5. The apparatus of claim 4, wherein the identity authentication module comprises:
an information acquisition unit, configured to acquire the identity information of the access object according to an operation triggered by the access object in the client management application run by the mobile terminal;
a result acquisition unit, configured to request the server end to perform an identity information matching search according to the identity information of the access object, to obtain a matching search result;
and an authentication passing unit, configured to determine that the identity information of the access object passes identity authentication if the matching search result indicates that identity information consistent with the identity information of the access object exists in the server end.
6. The apparatus of claim 4, wherein web page resources of the client data are stored in an isolation zone, and the data access module comprises:
a request initiating unit, configured to initiate a client data access request according to the web page link address stored by the client management application;
a resource requesting unit, configured to request the web page resource of the client data from the isolation zone through the client data access request;
a data display unit, configured to display the client data in the client management application according to the web page resource of the client data;
and an access control unit, configured to control the access object to access the displayed client data according to the access authority.
7. A mobile-terminal-based client data secure access device, characterized by comprising:
a processor; and
a memory having stored thereon computer-readable instructions which, when executed by the processor, implement the mobile-terminal-based client data secure access method of any one of claims 1 to 3.
8. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, implements the mobile-terminal-based client data secure access method of any one of claims 1 to 3.
CN201810294695.7A 2018-04-04 2018-04-04 Client data security access method and device based on mobile terminal Active CN108632253B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810294695.7A CN108632253B (en) 2018-04-04 2018-04-04 Client data security access method and device based on mobile terminal
PCT/CN2018/101558 WO2019192129A1 (en) 2018-04-04 2018-08-21 Customer data security access method and device based on mobile terminal

Publications (2)

Publication Number Publication Date
CN108632253A CN108632253A (en) 2018-10-09
CN108632253B true CN108632253B (en) 2021-09-10

Family

ID=63704824

Country Status (2)

Country Link
CN (1) CN108632253B (en)
WO (1) WO2019192129A1 (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109543463B (en) * 2018-10-11 2023-12-22 平安科技(深圳)有限公司 Data security access method, device, computer equipment and storage medium
CN110351719B (en) * 2019-07-16 2023-03-14 深圳市信锐网科技术有限公司 Wireless network management method, system, electronic equipment and storage medium
CN111079182B (en) * 2019-12-18 2022-11-29 北京百度网讯科技有限公司 Data processing method, device, equipment and storage medium
CN111159673B (en) * 2019-12-31 2022-09-02 海南老白健康科技有限公司 Identity information verification method, device and equipment
CN112073504B (en) * 2020-09-03 2023-07-25 中国平安财产保险股份有限公司 Request forwarding method, device, equipment and storage medium
CN113180729B (en) * 2021-03-31 2023-07-14 上海深至信息科技有限公司 Ultrasonic data transmission method and system
CN113381915B (en) * 2021-04-27 2022-08-09 福建依时利软件股份有限公司 Method, device, equipment and medium for interconnection of internal and external networks of campus
CN113163401B (en) * 2021-04-30 2022-08-19 中国银行股份有限公司 Bank business handling method and device, electronic equipment and computer storage medium
CN113506054B (en) * 2021-06-10 2023-12-29 傲网信息科技(厦门)有限公司 Data processing system for pesticide production
CN114050903A (en) * 2021-11-23 2022-02-15 广东电网有限责任公司 Traffic management method, device, system, server and medium
CN114244598B (en) * 2021-12-14 2024-01-19 浙江太美医疗科技股份有限公司 Intranet data access control method, device, equipment and storage medium
CN114553540B (en) * 2022-02-22 2024-03-08 平安科技(深圳)有限公司 Zero trust-based Internet of things system, data access method, device and medium
CN116708580B (en) * 2023-08-08 2023-10-13 武汉华瑞测智能技术有限公司 Power plant intranet access method, equipment and medium based on network isolation device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103646306A (en) * 2013-11-27 2014-03-19 大连创达技术交易市场有限公司 Inner-enterprise mobile phone information platform
CN106059802A (en) * 2016-05-25 2016-10-26 杭州华三通信技术有限公司 Terminal access authentication method and device

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970276B (en) * 2012-09-28 2016-05-25 中国电力科学研究院 The implementation method of the electric power Specialised mobile terminal trouble free service based on isolation technology
CN103841130A (en) * 2012-11-21 2014-06-04 深圳市腾讯计算机系统有限公司 Verification information pushing method and device, and identity authentication method and device
CN102984159B (en) * 2012-12-05 2016-03-30 浙江省电力公司 Based on secure accessing logic control method and the Platform Server of terminal access behavior
CN103441991A (en) * 2013-08-12 2013-12-11 江苏华大天益电力科技有限公司 Mobile terminal security access platform
CN103581184B (en) * 2013-10-31 2017-01-04 中国电子科技集团公司第十五研究所 The method and system of mobile terminal accessing corporate intranet server
CN104202338B (en) * 2014-09-23 2016-01-20 中国南方电网有限责任公司 A kind of safety access method being applicable to enterprise-level Mobile solution
CN105701389A (en) * 2016-03-02 2016-06-22 深圳市智汇十方科技有限公司 Management method and system of mobile terminal
CN105871862A (en) * 2016-04-19 2016-08-17 杭州华三通信技术有限公司 Network resource accessing method and device
EP3244588B1 (en) * 2016-05-10 2021-06-23 Nokia Solutions and Networks Oy Support of dedicated core networks for wlan access
EP3261375B1 (en) * 2016-06-21 2023-07-26 Nokia Solutions and Networks Oy Access to local services by unauthenticated users
WO2018023122A1 (en) * 2016-07-29 2018-02-01 Hammel Benjamin Integrated credential data management techniques
CN107257344B (en) * 2017-07-05 2020-07-28 福建网龙计算机网络信息技术有限公司 Server access method and system

Also Published As

Publication number Publication date
CN108632253A (en) 2018-10-09
WO2019192129A1 (en) 2019-10-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant