CN109246089B - Role-based front-end and back-end separation architecture access control system and method - Google Patents
- Publication number: CN109246089B
- Application number: CN201810948658.3A
- Authority: CN (China)
- Prior art keywords: module, role, routing, access control, authority
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources
- H04L63/0807: Network architectures or network communication protocols for network security; authentication of entities using tickets, e.g. Kerberos
Abstract
Description
Technical field
The invention concerns front-end/back-end data interaction, presentation-layer rendering and user behaviour control in SPA applications built on a front-end/back-end separated architecture, and in particular a system and method for access control of front-end view components under front-end/back-end separation.
Background
In a front-end/back-end separated application the rendering of view components is handed to the client browser, and the back-end server is responsible only for data processing. Such an architecture decouples the data presentation and user interaction layers from the business logic layer, and it lets a B/S (browser/server) application reach the fluid interaction that a traditional C/S (client/server) architecture could not.
Adopting this architecture, however, raises a set of permission control problems. In the traditional mixed development model, where a back-end template engine renders the page, the back-end language can decide per user permission which restricted view elements to render and send. In a separated architecture all front-end view components are loaded into the front end when the application starts, rendering is controlled by the front-end scripting language, and the data server renders no view at all. Front end and back end exchange data over a stateless REST interface, so the key question is how to determine the user's permissions and control which front-end view modules are rendered. Since the entire set of views is already in front-end memory, views must be rendered selectively for users with different permissions so that they cannot reach restricted data resources.
A complete front-end resource access control scheme is therefore needed, one that lets a separated-architecture application determine the identity of the accessing user, render only the view resources within that user's legitimate authority, and at the same time restrict illegal calls to the system's resource interfaces.
Summary of the invention
To overcome the defects of the prior art, the invention implements a role-based access control scheme for a front-end/back-end separated architecture that moves part of the permission checking to the front end. This keeps back-end interface scheduling orderly, reduces meaningless interface calls and malicious interface requests, and cuts back-end request load and redundant permission checks. At the same time it gives safe rendering of application data views and smooth user interaction, improving the user experience. The front-end checks are an optimisation and a rendering gate: the back-end interface still verifies the caller's token and authority on every request, since anything held in the browser can be altered by the browser's user.
To achieve this, the technical scheme adopted by the invention is as follows:
A role-based access control system for a front-end/back-end separated architecture, comprising: a permission-role association module, a route permission-role registration module, a routing system, an access control module, a route listener module, an identity authentication module and a data access module;
The permission-role association module is connected to the route permission-role registration module and to the data access module; the route permission-role registration module is connected to the routing system; the identity authentication module is connected to the data access module and to the route listener module; the route listener module is connected to the routing system and to the access control module; and the access control module is connected to the data access module and to the routing system;
The permission-role association module partitions system resources into permissions according to a policy specified by the system developer, assigns different permissions to roles, and so establishes the association between roles and system resource access rights;
The permission-role association module comprises a permission-role table storage module and a permission-role update module. The storage module selects a relational database and stores the permission-role association table so that it can be retrieved quickly; the update module provides a flexible configuration interface for adding roles and for adding or removing the permissions of a role;
The permission-role table storage module is connected to the route permission-role registration module;
The route permission-role registration module adds, in the routing system, the front-end view and controller corresponding to a route, and registers, from the permission-role association table, the roles allowed to access that route;
The routing system controls the association between front-end views and controllers and specifies the navigation logic between front-end views;
The access control module judges the legitimacy of a request according to the configured access control policy middleware and carries out the corresponding action;
The route listener module is registered during application start-up, listens for route changes, intercepts the user's resource access action and triggers the access control module;
The identity authentication module authenticates the requesting user using the JWT standard common in RESTful interface programming, obtains the user's identity information and re-renders the front-end view according to it;
The data access module, built on the development framework of the separated architecture, encapsulates a global service component that provides store, read and destroy interfaces for user information and permission-role association information, using browser storage or local memory.
Further, the identity authentication module comprises a user authentication module and an identity logout module;
The user authentication module sends the user's identification information to the back end for authentication, sets the front-end global user identity and triggers re-rendering of the front-end view to update the interface;
The identity logout module destroys the front-end global user identity and triggers re-rendering of the front-end view to update the interface.
Further, the data access module comprises a data encryption module, a data sharing module and a data destruction module;
The data encryption module encrypts user information, permission-role information and related data before storing it (a key that lives in the browser shields this data only from casual reading of the storage, not from the browser's own user or from injected script);
The data sharing module shares sessionStorage data across multiple tabs;
The data destruction module destroys specified or all stored information.
Further, the access control module comprises a permission verification module, an access control policy registration module and a policy response module;
The permission verification module judges whether the user requesting a resource is qualified to access it;
The access control policy registration module registers the various access control policy middleware;
The policy response module carries out the response policy matching the verification result, including route redirection and releasing (allowing) the request.
A role-based access control method for a front-end/back-end separated architecture, applied with the above system, comprising the following steps:
Step 1. When the application starts, obtain the permission-role association table from the permission-role association module, send it to the route permission-role registration module in the front-end architecture, and store it in browser storage or local memory through the data access module. The route permission-role registration module registers each route, its front-end view and controller, the list of roles allowed to access it and the related permissions into the routing system, fixing the correspondence between routes and roles. At the same time the identity authentication module is registered in the application to perform user authentication and logout, the route listener module is set to listen for route state changes, and the access control module is configured with a series of access control policies.
Step 2. When the user issues a resource access request, the identity authentication module first authenticates the user. A request that fails authentication is refused further access and redirected to the identity authentication module. For a request that passes, the identity authentication module reads the user information and permission-role association information from the data access module and hands them, together with the access request, to the route listener module. The route listener module extracts the route being requested, reads that route's list of accessible roles from the routing system and passes the request and the list to the access control module. The access control module first intersects the user's roles (from the user information and permission-role association information) with the route's accessible role list. If the intersection is empty, the policy response module rejects the request and performs the follow-up handling; if it is not empty, the related permissions are fetched and further processing is carried out according to the configured access control policies, after which the request proceeds, the legitimate resource request is completed and back-end data is obtained to render the front-end view.
Further, the identity authentication module authenticates the user as follows: the user sends a username and password to the server; after verifying them the server signs the user's identity information with a server-held key to produce a token and returns it to the front end (the original text says "encrypts"; a standard JWT is signed, and its payload is only base64url-encoded, so anyone holding the token can read it and it must not carry secrets); on subsequent accesses the front end carries the token as its identity, and the server verifies the token before returning the requested resource.
The beneficial effects of the invention are as follows:
The technical scheme provides a complete and efficient implementation of resource access control, user authentication and front-end interaction for applications on a front-end/back-end separated architecture. Its main features are role-based access control, a route listener module registered in the application that intercepts the user's access actions, the access control module, the data access module and the combined use of the techniques in these modules, which together give:
(1) Front-end resource access control: the modules work together to ensure secure access to front-end resources.
(2) Flexible configuration: a middleware registration pattern allows permission verification policies to be added and configured freely.
(3) Multi-tab data sharing: sessionStorage is shared across tabs by means of localStorage events.
(4) Legitimate access to back-end interfaces: through access control applied to the controllers.
(5) Secure transmission: front-end encryption protects the data the front end stores and sends; it complements, and does not replace, TLS between browser and server, which is what actually stops a man-in-the-middle from eavesdropping on sensitive data.
The technical scheme can be used by technology companies developing applications on a front-end/back-end separated architecture.
Description of drawings
The invention has the following drawings:
Figure 1 shows the overall architecture of Embodiment 1.
Figure 2 shows the basic principle of identity authentication with JWT.
Figure 3 shows the implementation flow of the role-based access control method of Embodiment 1.
Detailed description
The invention is further described below with reference to the drawings.
Embodiment 1
As shown in Figure 1, the role-based access control system for a front-end/back-end separated architecture of this embodiment comprises: a permission-role association module, a route permission-role registration module, a routing system, an access control module, a route listener module, an identity authentication module and a data access module;
The permission-role association module is connected to the route permission-role registration module and to the data access module; the route permission-role registration module is connected to the routing system; the identity authentication module is connected to the data access module and to the route listener module; the route listener module is connected to the routing system and to the access control module; and the access control module is connected to the data access module and to the routing system;
The permission-role association module partitions system resources into permissions according to a policy specified by the system developer, assigns different permissions to the system's roles, and so establishes the association between roles and system resource access rights;
The permission-role association module comprises a permission-role table storage module and a permission-role update module. The storage module selects a relational database and stores the permission-role association table so that it can be retrieved quickly; the update module provides a flexible configuration interface for adding roles and for adding or removing the permissions of a role;
The permission-role table storage module is connected to the route permission-role registration module;
The route permission-role registration module adds, in the routing system of the separated application, the front-end view and controller corresponding to a route, and registers, from the permission-role association table, the roles allowed to access that route.
The routing system controls the association between front-end views and controllers and specifies the navigation logic between front-end views;
The identity authentication module authenticates the requesting user using the JWT standard common in RESTful interface programming, obtains the user's identity information and re-renders the front-end view according to it;
The route listener module, registered during application start-up, listens for route changes, intercepts the user's resource access action and triggers the access control module;
The data access module, built on the development framework of the separated architecture, encapsulates a global service component that provides store, read and destroy interfaces for user information and permission-role association information, using browser storage or local memory;
The access control module judges the legitimacy of a request according to the configured access control policy middleware and carries out the corresponding action.
Further, the identity authentication module comprises a user authentication module and an identity logout module:
The user authentication module sends the user's identification information to the back end for authentication, sets the front-end global user identity and triggers re-rendering of the front-end view to update the interface;
The identity logout module destroys the front-end global user identity and triggers re-rendering of the front-end view to update the interface.
Further, the data access module comprises a data encryption module, a data sharing module and a data destruction module:
The data encryption module encrypts user information, permission-role information and related data before storing it;
The data sharing module shares sessionStorage data across multiple tabs;
The data destruction module destroys specified or all stored information.
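One way to implement the data sharing module described here and in the summary (effect (3), sessionStorage shared across tabs through localStorage events), as an added example that is not the patent's own code: a newly opened tab asks over localStorage for the session, any existing tab answers with a snapshot of the shared keys, and the answer is removed again at once so nothing stays on disk. The function is written against a window-like interface so that it runs unchanged in a browser (pass `window`) and in Node under the simulated origin below; the key names, `installSessionSync`, `makeOrigin` and the shared keys are assumptions.

```javascript
// Added example (not the patent's code): cross-tab sessionStorage replication
// over the localStorage 'storage' event. Key names are assumptions.
const REQUEST_KEY = 'rbac.sessionStorage.request';
const PAYLOAD_KEY = 'rbac.sessionStorage.payload';

// `win` needs localStorage, sessionStorage and addEventListener('storage', fn).
// Only the listed keys are replicated; sharedKeys[0] marks "session present".
function installSessionSync(win, sharedKeys) {
  win.addEventListener('storage', (ev) => {
    if (ev.key === REQUEST_KEY && ev.newValue !== null) {
      // Another tab asked for the session: publish a snapshot of the shared keys.
      const snapshot = {};
      for (const k of sharedKeys) {
        const v = win.sessionStorage.getItem(k);
        if (v !== null) snapshot[k] = v;
      }
      if (Object.keys(snapshot).length === 0) return;       // nothing to share
      win.localStorage.setItem(PAYLOAD_KEY, JSON.stringify(snapshot));
      win.localStorage.removeItem(PAYLOAD_KEY);              // do not leave it persisted
    } else if (ev.key === PAYLOAD_KEY && ev.newValue !== null) {
      if (win.sessionStorage.getItem(sharedKeys[0]) !== null) return; // already have one
      const snapshot = JSON.parse(ev.newValue);
      for (const k of sharedKeys) if (k in snapshot) win.sessionStorage.setItem(k, snapshot[k]);
    }
  });
  // A fresh tab has an empty sessionStorage: ask the other tabs for theirs.
  if (win.sessionStorage.getItem(sharedKeys[0]) === null) {
    win.localStorage.setItem(REQUEST_KEY, String(Date.now())); // new value each time so the event fires
    win.localStorage.removeItem(REQUEST_KEY);
  }
}

// --- Simulated browser origin: one shared localStorage, N tabs, each with its own
// sessionStorage; a write in one tab raises 'storage' in every OTHER tab, as browsers do.
class MemStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

function makeOrigin() {
  const tabs = [];
  const shared = new MemStorage();
  const broadcast = (source, key, newValue) => {
    for (const t of tabs) if (t !== source) for (const fn of t.listeners) fn({ key, newValue });
  };
  return {
    openTab() {
      const tab = { listeners: [], sessionStorage: new MemStorage() };
      tab.localStorage = {
        getItem: (k) => shared.getItem(k),
        setItem: (k, v) => { shared.setItem(k, v); broadcast(tab, k, String(v)); },
        removeItem: (k) => { shared.removeItem(k); broadcast(tab, k, null); },
      };
      tab.addEventListener = (type, fn) => { if (type === 'storage') tab.listeners.push(fn); };
      tabs.push(tab);
      return tab;
    },
    persisted: () => shared,
  };
}
```

Because the snapshot passes through localStorage, it is briefly visible to any script on the same origin; the immediate `removeItem` keeps it off disk, but it is still the reason the module should replicate only what the other tab needs and never a secret the server could otherwise keep out of the browser.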
Further, the access control module comprises a permission verification module, an access control policy registration module and a policy response module:
The permission verification module judges whether the user requesting a resource is qualified to access it;
The access control policy registration module registers the various access control policy middleware;
The policy response module carries out the response policy matching the verification result, including route redirection and releasing (allowing) the request.
The modules work together as follows.
When the application starts, the permission-role association table is obtained from the permission-role association module, sent to the route permission-role registration module in the front-end architecture and stored in browser storage or local memory through the data access module. The route permission-role registration module registers each front-end route, its front-end view, the accessible role list and related permissions of the controller that calls the back-end interface into the routing system, fixing the correspondence between routes and roles. At the same time the identity authentication module is registered in the application to perform user authentication and logout, the route listener module listens for route state changes, and the access control module is configured with a series of access control policies.
When the user issues a resource access request, the identity authentication module first authenticates the user. The JWT process, shown in Figure 2, is: the user sends a username and password to the server; after verifying them the server signs the user's identity information with its key to produce a token and returns it to the front end (signed, not encrypted: the payload is readable by whoever holds the token); on subsequent accesses the front end carries the token as its identity, and the server verifies the token before returning the requested resource. A request that fails authentication is refused further access and redirected to the identity authentication module. For a request that passes, the identity authentication module reads the user information and permission-role association information from the data access module and hands them, together with the access request, to the route listener module.
The route listener module extracts the route being requested, reads that route's list of accessible roles from the routing system and passes the request and the list to the access control module. The access control module first intersects the user's roles with the route's accessible role list. If the intersection is empty, the policy response module rejects the request and performs the follow-up handling; if it is not empty, the related permissions are fetched and further processing is carried out according to the configured access control policies, after which the request proceeds, the legitimate resource request is completed and back-end data is obtained to render the view.
As shown in Figure 3, the workflow of the role-based access control method of this embodiment comprises the following steps:
Step 1. Determine all roles in the system, determine the permissions on system resources, establish the correspondence between permissions and roles, and provide it to the front-end program;
Step 2. Register in the routing system each route, its corresponding view and controller, and the roles that may legitimately access it;
Step 3. Design and complete the identity authentication module, using JWT to authenticate the user and obtain role and permission information;
Step 4. Write the data access module interfaces, including encapsulation of the underlying APIs and completion of the global shared service component;
Step 5. Deploy the route listener module;
Step 6. Deploy the access control module and configure the related access control policies.
Taking angularjs, a development framework commonly used for front-end/back-end separation, as an example, the code for each of the above steps is shown below.
Step 1 includes sending an ajax request in app.run to obtain the role/permission association information from the back end, defining the retrieved role constants with app.constant, and calling the HTML5 window.sessionStorage.setItem local storage interface to store the constants; the main code snippet:
Step 2, the route role registration module; code snippet:
Step 3, code snippet: the user's legitimacy is judged according to the user role information provided by the userSession service:
Step 4, code snippet: the authenticated user information is stored in the global service component, which provides interfaces for reading and destroying it:
Step 5, route monitoring module code snippet:
Step 6, access control module code snippet:
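The six steps above, as an added framework-independent example in plain JavaScript written for this page (not the patent's own AngularJS snippets): the role/permission map of step 1 is kept in session storage, the route registry of step 2 names the roles allowed per route, the JWT payload is decoded for roles in step 3, the userSession component of step 4 exposes read and destroy interfaces, and the route guard of steps 5 and 6 turns the access control policy into a rendering decision. The names roleMap, routes, userSession, accessDecision and guardRoute, the sample roles and the constructed token are assumptions made for this example; a small in-memory stand-in replaces window.sessionStorage so the code runs outside a browser.

```javascript
// Added example, not the patent's code. Names and sample data are constructed.

// Step 1: role -> permissions mapping as the back end would return it to app.run
// (constructed sample data standing in for the ajax response).
const ROLE_PERMISSIONS = {
  admin:  ['user:read', 'user:write', 'report:read'],
  editor: ['report:read', 'report:write'],
  viewer: ['report:read'],
};

// Minimal stand-in for window.sessionStorage so the example runs under Node.
const sessionStorage = (() => {
  const store = new Map();
  return {
    setItem: (k, v) => { store.set(k, String(v)); },
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    removeItem: (k) => { store.delete(k); },
  };
})();
sessionStorage.setItem('rolePermissions', JSON.stringify(ROLE_PERMISSIONS));

// Step 2: route registry: view, controller and the roles allowed to enter.
// An empty roles list marks a public route.
const routes = {
  '/login':   { view: 'login.html',   controller: 'LoginCtrl',  roles: [] },
  '/reports': { view: 'reports.html', controller: 'ReportCtrl', roles: ['admin', 'editor', 'viewer'] },
  '/users':   { view: 'users.html',   controller: 'UserCtrl',   roles: ['admin'] },
};

// base64url helpers (JWT parts use the URL-safe alphabet without padding).
const toB64url = (s) => Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Step 3: the front end only decodes the JWT payload to learn the roles. It has
// no way to verify an HMAC signature, so the back end must re-verify the token
// on every API call; this decode is for UI decisions only.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Step 4: global service component holding the authenticated user, with
// read (get) and destroy interfaces.
const userSession = {
  login(token) {
    const payload = decodeJwtPayload(token);
    sessionStorage.setItem('user', JSON.stringify({ sub: payload.sub, roles: payload.roles || [] }));
  },
  get() { const raw = sessionStorage.getItem('user'); return raw ? JSON.parse(raw) : null; },
  destroy() { sessionStorage.removeItem('user'); },
};

// Step 6: access control policy for one route and the current user.
// 'allow' | 'login' (not authenticated) | 'deny' (authenticated, wrong role).
function accessDecision(path, user) {
  const route = routes[path];
  if (!route) return 'deny';                    // unregistered route: fail closed
  if (route.roles.length === 0) return 'allow'; // public route
  if (!user) return 'login';
  return route.roles.some((r) => user.roles.includes(r)) ? 'allow' : 'deny';
}

// Step 5: route monitoring: run on every route change (an AngularJS
// $routeChangeStart listener would call this) and return the path rendered.
function guardRoute(path) {
  const decision = accessDecision(path, userSession.get());
  if (decision === 'allow') return path;
  return decision === 'login' ? '/login' : '/403';
}

// Fine-grained check against the step-1 mapping, e.g. to hide a button.
function hasPermission(permission) {
  const user = userSession.get();
  if (!user) return false;
  const map = JSON.parse(sessionStorage.getItem('rolePermissions'));
  return user.roles.some((r) => (map[r] || []).includes(permission));
}

// Constructed token for the demo: header and payload are real base64url JSON,
// the third part is a placeholder because no signing key exists on the client.
function makeDemoToken(payload) {
  return `${toB64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${toB64url(JSON.stringify(payload))}.placeholder-signature`;
}
```

The guard only decides what the browser renders: anything held in sessionStorage or evaluated in page script can be altered by the person using the browser, so every REST call still has to be authorized on the back end from the verified token, with the front-end check serving as a usability layer on top of that.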
Obviously, the above embodiments of the present invention are merely examples given to illustrate the present invention clearly and are not intended to limit its implementation. On the basis of the above description, those of ordinary skill in the art can make other changes or modifications in different forms; not all implementations can be exhaustively listed here, and any obvious change or modification derived from the technical solution of the present invention still falls within the protection scope of the present invention.
Explanation of related terms
SPA application: an SPA application is a single-page application. Unlike a traditional web application, a single-page application completes all view rendering and data loading within one web page. All relevant resources are loaded to the front end when the application starts, and all user interaction logic is completed by script code that listens for changes of the web routing hash and dynamically loads and renders the view template.
JWT standard: the full name is JSON WEB TOKEN; it is a scheme for user identity authentication in a front-end/back-end separated architecture, mainly addressing the cross-domain problems that REST interface communication between the front end and the back end may cause. It is composed of three parts: the JWT header, the payload and the signature.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810948658.3A CN109246089B (en) | 2018-08-20 | 2018-08-20 | Role-based front-end and back-end separation architecture access control system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810948658.3A CN109246089B (en) | 2018-08-20 | 2018-08-20 | Role-based front-end and back-end separation architecture access control system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109246089A CN109246089A (en) | 2019-01-18 |
CN109246089B true CN109246089B (en) | 2020-06-30 |
Family ID: 65071789
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810948658.3A Active CN109246089B (en) | 2018-08-20 | 2018-08-20 | Role-based front-end and back-end separation architecture access control system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109246089B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109936575B (en) * | 2019-03-07 | 2021-11-12 | 北京融链科技有限公司 | Page access method, device, storage medium and processor |
CN110069730A (en) * | 2019-03-15 | 2019-07-30 | 平安城市建设科技(深圳)有限公司 | Front end page display control method, device, equipment and readable storage medium storing program for executing |
CN112241266B (en) * | 2019-07-17 | 2024-12-31 | 腾讯科技(北京)有限公司 | Permission control method, device, equipment and storage medium in front-end rendering scenario |
CN110442326B (en) * | 2019-08-11 | 2023-07-14 | 西藏宁算科技集团有限公司 | Method and system for simplifying front-end and back-end separation authority control based on Vue |
CN110493239B (en) * | 2019-08-26 | 2021-11-12 | 京东数字科技控股有限公司 | Authentication method and device |
CN110768974B (en) * | 2019-10-21 | 2022-02-08 | 成都安恒信息技术有限公司 | Control method for single-page application real-time view authority |
CN110933037B (en) * | 2019-10-31 | 2020-11-06 | 贝壳找房(北京)科技有限公司 | User authority verification method and authority management system |
CN111240863B (en) * | 2020-01-10 | 2024-02-06 | 无锡华云数据技术服务有限公司 | Data communication method, device, micro front-end system and storage medium |
CN111343172A (en) * | 2020-02-20 | 2020-06-26 | 中国建设银行股份有限公司 | Network access authority dynamic processing method and device |
CN111414591B (en) * | 2020-03-02 | 2024-02-20 | 中国建设银行股份有限公司 | Workflow management method and device |
CN112487392A (en) * | 2020-12-08 | 2021-03-12 | 浪潮云信息技术股份公司 | Method for realizing authority control of management system by front end |
CN113268720B (en) * | 2021-06-01 | 2023-05-26 | 广州欢网科技有限责任公司 | Front-end and back-end separation system operation method and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101321064A (en) * | 2008-07-17 | 2008-12-10 | 上海众恒信息产业有限公司 | Information system access control method and apparatus based on digital certificate technique |
CN101751712A (en) * | 2008-11-27 | 2010-06-23 | 航天信息股份有限公司 | Centralized invoice authentification system and authentification method |
CN101778109A (en) * | 2010-01-13 | 2010-07-14 | 苏州国华科技有限公司 | Construction method for access control policy and system thereof |
CN102457377A (en) * | 2011-08-08 | 2012-05-16 | 中标软件有限公司 | Role-Based Web Remote Authentication and Authorization Method and System |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8239325B2 (en) * | 2007-01-18 | 2012-08-07 | Paymentone Corporation | Method and system to verify the identity of a user |
Family events:
- 2018-08-20: CN application CN201810948658.3A (patent CN109246089B), status Active
Also Published As
Publication number | Publication date |
---|---|
CN109246089A (en) | 2019-01-18 |
Similar Documents
Publication | Title |
---|---|
CN109246089B (en) | Role-based front-end and back-end separation architecture access control system and method |
US11647005B2 (en) | Systems and methods for application pre-launch |
US11558484B2 (en) | Systems and methods for secure peer-to-peer caching |
US20200218583A1 (en) | Systems and methods for intercepting and enhancing saas application calls via embedded browser |
US20200374324A1 (en) | Systems and methods for establishing a channel between multiple devices |
US8479264B2 (en) | Architecture for virtual security module |
US11888980B2 (en) | Stateless service-mediated security module |
CN112805982B (en) | Application scripts for cross-domain applications |
EP3961456B1 (en) | Data authorization information acquisition methods, apparatuses, and devices |
US10331599B2 (en) | Employing session level restrictions to limit access to a redirected interface of a composite device |
US20200099738A1 (en) | Systems and methods for bridge protocol between diverse applications |
JP7076641B2 (en) | Systems and methods for push delivery notification services for SAAS applications |
US20150341362A1 (en) | Method and system for selectively permitting non-secure application to communicate with secure application |
US12113796B2 (en) | Secured data access in virtual data processing |
JP6994607B1 (en) | Systems and methods for intellisense for SAAS applications |
JP2005100358A (en) | Moving principal across security boundary without interrupting service |
US11006278B2 (en) | Managing network resource permissions for applications using an application catalog |
EP3961450B1 (en) | Identity registration methods, apparatuses, and devices |
CN116155528A (en) | Cloud key management for system management |
US9501658B1 (en) | Avoiding file content reading using machine information |
US20240275819A1 (en) | Secure system for hiding registration rules for dynamic client registration |
Tamrakar et al. | On rehoming the electronic id to TEEs |
KR20240110793A (en) | System and method for providing dual endpoint access control for remote cloud-storage resources |
CN119089462A (en) | A method, device and electronic device for processing sensitive information |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||