CN110086813A - Access right control method and device

Info

Publication number: CN110086813A
Application number: CN201910359647.6A
Authority: CN (China)
Prior art keywords: service, access request, service access, client, authorized user
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 窦本君
Current assignee: New H3C Big Data Technologies Co Ltd
Original assignee: New H3C Big Data Technologies Co Ltd
Application filed by New H3C Big Data Technologies Co Ltd

Classifications (CPC, under H04L: Transmission of digital information)

    • H04L63/0815 Network security: authentication of entities, providing single-sign-on or federations
    • H04L63/083 Network security: authentication of entities using passwords
    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network security: controlling access to devices or network resources
    • H04L63/1458 Network security: countermeasures against malicious traffic, Denial of Service
    • H04L67/133 Network services: protocols for remote procedure calls [RPC]
    • H04L9/0625 Cryptographic mechanisms: block ciphers with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI

Abstract

The present disclosure provides an access right control method and device. The method is applied to a system server; a management user and an authorized user are created in the system run by the system server. The method comprises: receiving a service access request from a client; parsing the authorization code carried in the service access request to obtain the account information of an authorized user; judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service; and, if so, returning the service data corresponding to the service access request to the client. The disclosure can improve system security.

Description

Access right control method and device
Technical field
The present disclosure relates to the technical field of system security, and in particular to an access right control method and device.
Background technique
In the authorization scheme of related service systems, when a client requests a service it must log in to the system with the account name and password of an authentication account; the legitimacy of the authorization code sent by the client is then verified to decide whether the client may access the service. In this process, the authentication account used for client access is an account registered in the system that can log in to the system, and that account has permission to modify the system, for example to modify the various services in the system. Consequently, when the account leaks, other users may use the leaked account to log in to the system, which easily leads to system data being leaked or tampered with.
Summary of the invention
The purpose of the disclosure is to provide an access right control method and device, so as to improve system security.
To achieve the above purpose, the disclosure adopts the following technical solution:
In a first aspect, the present disclosure provides an access right control method applied to a system server; a management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and to manage services. The method comprises: receiving a service access request from a client; parsing the authorization code carried in the service access request to obtain the account information of an authorized user; judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service; and, if so, returning the service data corresponding to the service access request to the client.
In a second aspect, the present disclosure provides an access right control device arranged in a system server; a management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and to manage services. The device comprises: a request receiving module for receiving a service access request from a client; an authorization code parsing module for parsing the authorization code carried in the service access request to obtain the account information of an authorized user; a judgment module for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service; and a data returning module for returning, if so, the service data corresponding to the service access request to the client.
In a third aspect, the present disclosure provides a server comprising a processor and a machine-readable storage medium; the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the processor executes the machine-executable instructions to implement the above access right control method.
In a fourth aspect, the present disclosure provides a machine-readable storage medium storing machine-executable instructions; when the machine-executable instructions are called and executed by a processor, they cause the processor to implement the above access right control method.
In the above access right control method, device, server and machine-readable storage medium, a management user and an authorized user are created in the system run by the system server, and the management user has permission to log in to the system and to manage services. When a service access request sent by a client is received, the authorization code carried in the request is parsed to obtain account information; it is then judged whether the authorized user corresponding to that account information has permission to access the service corresponding to the request, and if so, the service data corresponding to the request is returned to the client. In this scheme the authorized user corresponding to a service is set by the management user and has permission to access that service. Because the account information of the authorized user carries no permission to log in to the system or to manage services, and serves only to verify the client's access right, the system cannot be tampered with at will even if the authorized user's account information is leaked, which improves system security.
Other features and advantages of the disclosure will be set out in the following description; alternatively, some of the features and advantages can be inferred or unambiguously determined from the specification, or learned by implementing the above technology of the disclosure.
To make the above objects, features and advantages of the disclosure clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Detailed description of the invention
To describe the specific embodiments of the disclosure or the technical solutions in the prior art more clearly, the drawings needed for the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the disclosure; persons of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of an access right control method provided by an embodiment of the disclosure;
Fig. 2 is a schematic diagram of an application scenario of another access right control method provided by an embodiment of the disclosure;
Fig. 3 is a flow chart of an access right control method provided by an embodiment of the disclosure;
Fig. 4 is a flow chart of another access right control method provided by an embodiment of the disclosure;
Fig. 5 is a structural schematic diagram of an access right control device provided by an embodiment of the disclosure;
Fig. 6 is a structural schematic diagram of a server provided by an embodiment of the disclosure.
Specific embodiment
The technical solutions of the embodiments of the disclosure are described clearly and completely below. Obviously, the described embodiments are only some, not all, of the embodiments of the disclosure. All other embodiments obtained by persons of ordinary skill in the art from the embodiments of the disclosure without creative effort fall within the scope of protection of the disclosure.
For ease of understanding, an application scenario of an access right control method is described first. As shown in Figure 1, the system server may run various systems or platforms, such as a DSG (Data Services Generator) system, a data query system, or another system that provides data services; a user can register and log in to the system through a client, and after logging in successfully can use the corresponding services in the system.
Taking the DSG system as an example, the DSG system can publish various data sources, such as an RDBMS (Relational Database Management System) or DataEngine (data engine), as Web Services; through the DSG system, a user can access the data in these data sources using the browser in the client. However, most current systems lack a control mechanism for user access rights: after logging in, a user can access the corresponding services in the system at will and may even modify them. If a user's account information (account name, password, etc.) is leaked, other users can use the leaked account information to log in to the system illegally and even tamper with every service in the system, which not only leads to system data being leaked but also lowers the security of the system.
In view of the above problems, an embodiment of the disclosure first provides an access right control method. As shown in Fig. 2, a management user and an authorized user are created in the system run by the system server. During creation, the management user is given permission to log in to the system and to manage services, for example to generate a service, modify the data of a service, or update a service; at the same time, the authorized user is set to have no permission to log in to the system and therefore cannot manage services in the system. The account information of the authorized user can be sent in advance to a legitimate client; when the client accesses a service, the system determines from the account information sent by the client whether the client is an authorized user, and thereby whether the client may access the service.
Based on the above division of roles between the management user and the authorized user, Figure 3 shows a flow chart of an access right control method; the method comprises the following steps:
Step S302, receiving a service access request from a client;
Because the two roles of management user and authorized user have been created in the system in this embodiment, the client in this embodiment may be called a third-party client. When a user sends a service access request through the client, the user can click the button of the corresponding service on the web page of the client, and the client sends a service access request for the service corresponding to that button to the system server.
Step S304, parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
The account information of the authorized user may contain the authorized user's name, password and similar information. After the system server obtains the authorized user's account information from a service access request, it generates an authorization code based on the account information; specifically, the authorization code can be computed with various encryption algorithms, data conversion algorithms and the like, and the authorization code is then returned to the client.
After the client receives the authorization code, it can send a service access request to the system server again, i.e. the service access request of the above step, carrying the received authorization code in the service access request. Because the authorization code was generated from the account information of the authorized account, the server can parse the account information of the authorized account out of the authorization code by performing the inverse of the algorithm used to generate it.
Step S306, judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; where the authorized user corresponding to a service is set by the management user and has permission to access that service;
The system server usually keeps the account information of the authorized users that have been created; if the parsed account information can be found among the saved account information, it can be confirmed that the authorized user corresponding to the client has permission to access the service corresponding to the service access request. In addition, when a user sends a service access request through the client, the button clicked usually corresponds to a service address, so the service access request contains the service address the user wants to access; from the service address contained in the service access request, the system server knows which service the client wants to access.
The management user can set the authorized user corresponding to a service in various ways. In one way, all authorized users that have been set can access all services; for example, if there are three services in the system, authorized user A can access all three. In another way, a corresponding authorized user can be set for each service, and only the authorized users under that service have permission to access it.
Step S308, if so, returning the service data corresponding to the service access request to the client.
As described above, the service access request contains a service address; the system server can query the corresponding service data from the data source according to the service address, and then return the queried service data to the client.
In the above access right control method, a management user and an authorized user are created in the system run by the system server, and the management user has permission to log in to the system and to manage services. When a service access request sent by a client is received, the authorization code carried in the request is parsed to obtain account information; it is then judged whether the authorized user corresponding to that account information has permission to access the service corresponding to the request, and if so, the service data corresponding to the request is returned to the client. In this scheme the authorized user corresponding to a service is set by the management user and has permission to access that service. Because the account information of the authorized user carries no permission to log in to the system or to manage services, and serves only to verify the client's access right, the system cannot be tampered with at will even if the authorized user's account information is leaked, which improves system security.
An embodiment of the disclosure also provides another access right control method, which gives a more specific way of judging whether an authorized user has permission to access a service, so as to isolate the authorized users of different services from one another. As shown in Figure 4, the method comprises the following steps:
Step S402, receiving a service access request from a client.
Step S404, judging whether the service corresponding to the service access request requires access right control; if not, executing step S406; if so, executing step S408;
Step S406, returning the service data corresponding to the service access request to the client. End.
The client can send the service access request through a service interface published by the system, to request a resource. The service corresponding to the service access request is the service the client requests to access, and it can be determined from the service address in the service access request. Many services can be provided in the system server; some require access right control and some do not. For a service that does not require access right control, the service data corresponding to the service access request is returned to the client directly. Therefore, when a service access request arrives, it is necessary to judge whether the service it corresponds to requires access right control.
Specifically, whether access right control is required can be set as an attribute of the service, and the attribute value is queried to determine whether the current service requires access right control; in another mode, the services that require access right control are saved in a list, and when a service access request is received, if the service it corresponds to can be found in that list, it is determined that the service requires access right control.
Step S408, judging whether the service access request carries an authorization code; if not, executing step S410; if so, executing step S412;
Step S410, generating an authorization code according to the account information of the authorized user carried in the service access request, and sending the authorization code to the client so that the client carries the authorization code in its service access request. End.
To identify clients with service access permission, the management user sends the account information of an authorized user in advance to the client that has service access permission, and the client saves it. When the client sends a service access request to the system server, it carries the authorized user's account information in the service access request. When the system server receives the service access request, it can extract the authorized user's account information from the request; if the extracted information is the account information of a legitimate authorized user in the system, the request is processed further; if the extracted information is not the account information of a legitimate authorized user in the system, or no account information can be obtained, the request is not processed further, or an access-denied message is returned to the client.
Step S412, parsing the authorization code carried in the service access request to obtain account information.
Step S414, obtaining the authorized account list of the service corresponding to the service access request; the authorized account list contains the account information of the authorized users that have permission to access the service;
Step S416, judging whether the parsed account information is stored in the authorized account list; if it is, executing step S418; if not, executing step S420;
In practice this step can be carried out as two judgments: first judge whether the authorized account name in the account information is stored in the authorized account list, then judge whether the authorized account password in the account information matches the password stored for that authorized account name; if both are true, the parsed account information is determined to be stored in the authorized account list.
Step S418, determining that the client has permission to access the service corresponding to the service access request, and returning the service data corresponding to the service access request to the client. End.
Step S420, refusing service access to the client that sent the service access request.
In the system, the access rights of the two roles, management user and authorized user, to different paths can be configured with spring-security, so that the management user has permission to log in to the system and manage services while the authorized user has no permission to log in to the system. Spring Security is a security framework that provides a declarative, secure access control solution for enterprise application systems based on Spring.
When generating a service, the management user can edit an SQL statement for a database table under a given data source through the system interface, then publish that SQL statement as a service and provide a service access address, together with the input and output parameters of the service; through the service access address, a user can obtain the result queried by the SQL statement of the published service. After the service is generated, the management user turns on the access control switch for the service and can then establish an authorized account list for it; the authorized users saved in that list have permission to access the service. The account information of an authorized user usually includes the authorized user's name and the authorized user's password. For example, the management user generates and manages three services, service A, service B and service C; Table 1 below gives the authorized account list corresponding to each service. The authorized users of different services may overlap: for example, the account information of a certain authorized user may be in the authorized account list of service A and also in the authorized account list of service B.
Table 1
In the above mode, by setting a corresponding authorized account list for each service, an authorized user can be given permission to access only some of the services, which isolates authorized users between services. When an authorized user's account information is leaked, an illegitimate user can access only the data of some services in the system, which reduces the range of system data that can be leaked and further improves system security.
In addition, the management users and authorized users created in the system can be divided into user groups, and the service resources of different user groups are isolated from one another. For example, if management user A and management user B belong to different user groups, management user B cannot see the services published in the system by management user A; and the services published by management user A can only possibly be accessed by authorized users who belong to the same user group as management user A. For each specific service, whether a given authorized user has access permission is further determined by the authorized account list that management user A has set for the current service. This mode isolates system service resources between user groups, further improving the security of system data.
From the foregoing embodiments, after the system server receives a service access request it can generate an authorization code based on the authorized user's account information in the request. Existing ways of generating and verifying an authorization code mostly generate it from the authorized account name and authorized account password, and verification checks whether those are correct; or they generate it from random characters, and verification checks whether the random characters are correct. But if the authorized account name and authorized account password are stolen, or the random characters are stolen, an illegitimate user can also obtain the authorization code from the stolen information and access the service, so system data is at risk of leakage. This embodiment therefore provides a way of generating the authorization code that further improves its timeliness and security, and thus the security of system data, described in detail below.
The authorization code may also be called a token. The authorized user's account information obtained by the system server generally contains an authorized account name and an authorized account password; the system server can encrypt the authorized account name, the authorized account password and attribute information to generate the authorization code. The encryption can specifically be the DES (Data Encryption Standard) encryption algorithm, and of course can also be another encryption algorithm or data conversion algorithm. The attribute information includes the current time and/or the IP address of the client, extracted from the service access request.
In practice, the attribute information may contain only the current time, or only the client IP address extracted from the service access request, or both; what the attribute information contains can be set according to the actual needs of the system.
After the system server receives a service access request carrying an authorization code, the way the legitimacy of the authorization code is judged depends on what the attribute information contained when the authorization code was generated, as described below.
Mode one: if the attribute information includes the IP (Internet Protocol) address of the client, the system server determines the legitimacy of the authorization code by the following steps:
Step 50, when a service access request is received, parsing the IP address of the client from the authorization code carried in the service access request;
Step 51, obtaining the IP address of the client that sent the service access request;
Step 52, judging whether the parsed client IP address is the same as the IP address of the client that sent the service access request; if the same, executing step 53; if not, executing step 54.
Step 53, determining that the authorization code is legitimate, and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
Step 54, refusing service access to the client that sent the service access request.
From the foregoing embodiments, the client IP address parsed from the authorization code carried in the service access request is compared with the IP address of the client that sent the service access request. If they are the same, the service access request and the earlier request that obtained the authorization code came from the same client, and the authorization code has not been stolen by another party. If they differ, the two requests did not come from the same client, so the authorization code was illegally stolen and the client sending the service access request is an illegitimate client; to prevent the system from being accessed by an illegitimate client, the illegitimate client is refused access to the service.
It should further be noted that after the authorization code is determined to be legitimate, the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request can continue to be executed; in another feasible mode, that judging step can be executed first and the legitimacy of the authorization code determined afterwards.
By the above-mentioned means, the safety of authorization code can be improved, illegitimate client is avoided to steal authorization code access system, To further improve the safety of system.
Mode two: if attribute information includes current time, system server determines the conjunction of authorization code by following step Method:
Step 60, it when receiving service access request, parses and obtains from the authorization code carried in service access request Current time.
Step 61, judge whether the difference for the current time and system real-time time that parsing obtains is less than the preset time Difference;If it is lower, executing step 62;If it is greater than or be equal to, execute step 63;
Step 62, determine that authorization code is legal;Execute whether the corresponding authorized user of account information for judging that parsing obtains has There is the step of permission of access service access request corresponding with service;
Step 63, the client that refusal sends service access request accesses service.
It should be noted that the current time is after system server receives service access request, generate authorization code when Between;System real-time time can be understood as executing the time of above-mentioned steps 61 after system server receives service access request.On Stating the preset time difference can be arranged according to actual needs, such as 100 milliseconds, 3 seconds.If current time and system real-time time Difference be less than the preset time difference, illustrate that the authorization code has timeliness, the authorization code is legal;If current time and system The difference of real-time time is greater than or equal to the preset time difference, illustrates that the authorization code is expired, loses timeliness, at this time may be used Service is accessed to refuse to send the client of service access request;In addition, system server can also prompt to send service access The client of request retransmits service access request.
In view of the odjective cause of the no longer effective property of authorization code may have very much, as the obstruction of communication line, client are sent out Give service access request slower etc., but can not rule out the authorization code and stolen by illegitimate client, the service of transmission is sent out by illegal third Therefore time delay caused by access request by the timeliness of limitation enabling legislation, may further ensure that the legitimacy of authorization code, To further increase the security performance of system.
In addition, when which can also avoid the account password of authorized user from being modified, the account based on former authorized user The problem of authorization code that information generates can also be verified and access, to improve the reliability of system.
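As an added illustration of modes one and two above (example code, not from the patent): the authorization code is built from the authorized account name, the authorized account password and the attribute information, and on receipt it is checked against the request's source IP address (mode one) and against the system real-time time with a preset difference (mode two). The patent names DES as the cipher; because the Python standard library has no block cipher, this stand-in protects the same fields with an HMAC-SHA256 keystream and a separate HMAC integrity tag (a deployment would use an AEAD such as AES-GCM). The keys, account names, IP addresses and timestamps are constructed.

```python
"""Authorization code (token) generation and legitimacy checks.

Added example, not the patent's code. The patent encrypts the authorized
account name, password and attribute information (client IP and/or issue
time) with DES; the Python standard library has no block cipher, so this
stand-in protects the same fields with an HMAC-SHA256 keystream and a
separate HMAC integrity tag (a deployment would use an AEAD such as
AES-GCM). Keys, account names and IP addresses below are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

# Constructed server-side secrets; a deployment loads them from a key store.
ENC_KEY = b"constructed-enc-key-0123456789ab"
MAC_KEY = b"constructed-mac-key-ba9876543210"
NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a pseudorandom keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack(">I", counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def generate_authorization_code(account_name: str, account_password: str,
                                client_ip: Optional[str] = None,
                                issued_at: Optional[float] = None) -> str:
    """Encrypt the account name, password and attribute information (IP
    and/or time) into the authorization code; either attribute may be omitted."""
    fields = {"name": account_name, "pwd": account_password}
    if client_ip is not None:
        fields["ip"] = client_ip
    if issued_at is not None:
        fields["ts"] = issued_at  # the 'current time' at generation, epoch seconds
    plaintext = json.dumps(fields, separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor(plaintext, _keystream(nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def parse_authorization_code(token: str) -> Optional[dict]:
    """Steps 50/60: recover the fields; None if the code is malformed or its
    integrity tag does not verify (i.e. this server did not issue it)."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    try:
        return json.loads(_xor(ciphertext, _keystream(nonce, len(ciphertext))))
    except ValueError:
        return None


def check_mode_one(fields: dict, request_source_ip: str) -> bool:
    """Steps 51-54: the IP address inside the code must equal the IP
    address the service access request actually arrived from."""
    return fields.get("ip") == request_source_ip


def check_mode_two(fields: dict, system_time: float, preset_difference: float) -> bool:
    """Steps 61-63: |generation time - system real-time time| must be below
    the preset difference (e.g. 3 seconds); otherwise the code has expired."""
    if "ts" not in fields:
        return False
    return abs(system_time - fields["ts"]) < preset_difference


def is_authorization_code_legal(token: str, request_source_ip: str,
                                system_time: float, preset_difference: float
                                ) -> Tuple[bool, Optional[dict]]:
    """Apply whichever modes the code's attribute information supports and
    return (legal, account information) for the permission check that follows."""
    fields = parse_authorization_code(token)
    if fields is None:
        return False, None
    if "ip" in fields and not check_mode_one(fields, request_source_ip):
        return False, None
    if "ts" in fields and not check_mode_two(fields, system_time, preset_difference):
        return False, None
    return True, {"name": fields["name"], "pwd": fields["pwd"]}
```

The integrity tag is what makes the parse step trustworthy: a code whose ciphertext or embedded IP address has been altered fails `parse_authorization_code` before either mode is consulted, while a genuine code presented from a different source address, or after the preset difference has elapsed, is refused exactly as steps 54 and 63 describe.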
From the foregoing embodiments, each time a client accesses a service the authorized account list of that service has to be obtained to confirm whether the client has permission to access the service. If the volume of access is large, the system server may be unable to handle it in time, causing access timeouts and affecting the user's access experience. The present embodiment therefore also provides a way of storing the authorized account list of a service, described below.
The system running on the system server generally comprises a foreground web module and a background core module. The foreground web module mainly comprises the system interface and the system database; the background core module is mainly used for business logic processing. The system database stores the created services and the authorized account list corresponding to each service; the background core module stores a dbs file corresponding to each service. When the system starts, the background core module reads the dbs file of each service and then publishes the service; during publication, the authorized account list of the service stored in advance in the system database is published into the system memory. When the system shuts down, the service and its authorized account list disappear from the system memory.
The management user modifies the authorized account list of a service through the system interface of the foreground web module, for example changing an authorized user's permissions, adding or deleting an authorized user for a service, or changing an authorized user's password. The system receives these update messages sent by the management user through the system interface. If the system server receives an update message for the authorized account list of a service from the management user of the system, it updates the update information into the system database, and updates it into the system memory through an RPC (Remote Procedure Call) remote call interface.
In addition, the authorized account list of a service may also be stored in the dbs file of the corresponding service in the background core module, so that access control for the service does not require reading the system database every time, which likewise ensures access efficiency.
In this way the authorized account information of a service can be modified without republishing the service, and the modification takes effect immediately. Saving the authorized account information synchronously into both the system database and the system memory improves the concurrent access efficiency of the service and reduces access timeouts. It also avoids errors when a client requests the service before the service has been republished successfully, which improves the stability of the system.
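The storage scheme just described, as an added example that is not the patent's own code: the system database holds the authorized account list of each service, publication copies it into system memory, permission checks read memory only, and an update from the management user writes the database first and then pushes the same change into memory in place of the RPC remote call. The dictionaries, the service name and the accounts are constructed stand-ins, and the dbs file is not modelled.

```python
"""Authorized account list kept in system memory, with the system database
as the source of truth.

Added example, not the patent's code. The system database and the system
memory are plain dicts, the RPC remote call interface is a direct method
call, and the service name and accounts are constructed; the patent's
dbs file is not modelled.
"""
import threading
from typing import Dict, List, Set, Tuple

Account = Dict[str, str]  # {"name": ..., "pwd": ...}


class AuthorizedAccountStore:
    def __init__(self, system_database: Dict[str, List[Account]]):
        self._database = system_database  # service -> stored account rows
        self._memory: Dict[str, Set[Tuple[str, str]]] = {}  # service -> published (name, pwd)
        self._lock = threading.Lock()

    def publish_service(self, service: str) -> None:
        """Publication: copy the list stored in advance in the database into memory."""
        with self._lock:
            rows = self._database.get(service, [])
            self._memory[service] = {(a["name"], a["pwd"]) for a in rows}

    def shutdown(self) -> None:
        """At shutdown the services and their lists disappear from memory."""
        with self._lock:
            self._memory.clear()

    def has_permission(self, service: str, account: Account) -> bool:
        """Judgment module / claim 7: membership test against the in-memory
        list only, so a service access request never reads the database."""
        with self._lock:
            entries = self._memory.get(service)
            if entries is None:
                return False  # service not published: nothing is authorized
            return (account["name"], account["pwd"]) in entries

    def apply_update(self, service: str, action: str, account: Account) -> None:
        """Update message from the management user: first update the database,
        then push the same change into memory (the RPC step). 'add' also
        covers a password change, because the row for that name is replaced."""
        if action not in ("add", "delete"):
            raise ValueError(f"unknown action {action!r}")
        with self._lock:
            rows = self._database.setdefault(service, [])
            rows[:] = [a for a in rows if a["name"] != account["name"]]
            if action == "add":
                rows.append(dict(account))
            self._rpc_update_memory(service, action, account)

    def _rpc_update_memory(self, service: str, action: str, account: Account) -> None:
        """Stand-in for the RPC remote call interface. Caller holds the lock."""
        entries = self._memory.get(service)
        if entries is None:
            return  # not yet published; the next publish reads the database
        entries = {e for e in entries if e[0] != account["name"]}
        if action == "add":
            entries.add((account["name"], account["pwd"]))
        self._memory[service] = entries
```

Because the update path writes the database before memory under one lock, a reader never sees an entry in memory that the database does not also hold, and because the per-request check touches only the in-memory set, the service's access control cost does not grow with the database round-trip time.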
Corresponding to the above method embodiment, Fig. 5 is a structural schematic diagram of an access control device. The device is set in a system server; a management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and manage services. The device comprises:
a request receiving module 50, for receiving a service access request from a client;
an authorization code parsing module 51, for parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
a judgment module 52, for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized user corresponding to the service is set by the management user, and the authorized user corresponding to the service has permission to access the service;
a data return module 53, for returning, if so, the service data corresponding to the service access request to the client.
Further, the authorization code parsing module is also used to: judge whether the service access request carries an authorization code; if so, parse the authorization code carried in the service access request; if not, generate an authorization code according to the account information of the authorized user carried in the service access request and send the authorization code to the client, so that the client carries the authorization code in a service access request.
Further, the authorization code parsing module is also used to: judge whether the service corresponding to the service access request requires access right control; if so, generate the authorization code according to the account information; if not, return the service data corresponding to the service access request to the client.
Further, the account information comprises an authorized account name and an authorized account password; the authorization code parsing module is also used to encrypt the authorized account name, the authorized account password and attribute information to generate the authorization code; the attribute information comprises the current time and/or the IP address of the client extracted from the service access request.
Further, the device also comprises: an IP address parsing module, for parsing, if the attribute information includes the IP address of the client, the IP address of the client from the authorization code carried in the service access request when the service access request is received; an IP address obtaining module, for obtaining the IP address of the client that sent the service access request; a second judgment module, for judging whether the parsed IP address of the client is identical to the IP address of the client that sent the service access request; a first legitimacy determining module, for determining, if they are identical, that the authorization code is legal and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; and a first access refusal module, for refusing, if they are not identical, the client that sent the service access request access to the service.
Further, the device also comprises: a time parsing module, for parsing, if the attribute information includes the current time, the current time from the authorization code carried in the service access request when the service access request is received; a third judgment module, for judging whether the difference between the parsed current time and the system real-time time is less than a preset time difference; a second legitimacy determining module, for determining, if the difference is less, that the authorization code is legal and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; and a second access refusal module, for refusing, if the difference is greater than or equal to the preset time difference, the client that sent the service access request access to the service.
Further, the judgment module is also used to: obtain the authorized account list of the service corresponding to the service access request, the authorized account list comprising the account information of the authorized users that have permission to access the service; judge whether the parsed account information is stored in the authorized account list; if it is stored in the authorized account list, determine that the client has permission to access the service corresponding to the service access request; if it is not stored in the authorized account list, refuse the client that sent the service access request access to the service.
Further, a system database and a system memory are provided on the system server, and the device also comprises: a publishing module, for publishing, during publication of a service, the authorized account list of the service stored in advance in the system database into the system memory; a first update module, for updating, if an update message for the authorized account list of the service is received from the management user of the system, the update information into the system database; and a second update module, for updating the update information into the system memory through an RPC remote call interface.
In the above access control device, a management user and an authorized user are created in the system run by the system server, and the management user has permission to log in to the system and manage services. When a service access request sent by a client is received, the authorization code carried in the service access request is parsed to obtain account information, and it is then judged whether the authorized user corresponding to the account information has permission to access the service corresponding to the service access request; if so, the service data corresponding to the service access request is returned to the client. In this mode the authorized user corresponding to a service is set by the management user and has permission to access the service. Since the account information of an authorized user carries no permission to log in to the system or manage services, and serves only to verify the client's access right, the system cannot be tampered with at will even if the account information of an authorized user is leaked, which improves the security of the system.
This embodiment also provides a server corresponding to the above method embodiment. Fig. 6 is a structural schematic diagram of the server; as shown in Fig. 6, the device comprises a processor 601 and a memory 600. The memory 600 is used to store one or more computer instructions, which are executed by the processor to implement the above access right control method.
The server shown in Fig. 6 also comprises a bus 602 and a communication interface 603; the processor 601, the communication interface 603 and the memory 600 are connected by the bus 602. The server may be a network edge device.
The memory 600 may include a high-speed random access memory (RAM) and may also include a non-volatile memory, for example at least one disk memory. The bus 602 may be an ISA bus, a PCI bus, an EISA bus or the like, and may be divided into an address bus, a data bus, a control bus and so on. For convenience it is represented by a single double-headed arrow in Fig. 6, which does not mean that there is only one bus or only one type of bus.
The communication interface 603 is used to connect through a network interface to at least one user terminal and other network units, and to send encapsulated IPv4 or IPv6 messages to the user terminal through the network interface.
The processor 601 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 601 or by instructions in software form. The processor 601 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the disclosure may be embodied directly as completed by a hardware decoding processor, or completed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory or a register. The storage medium is located in the memory 600; the processor 601 reads the information in the memory 600 and, in combination with its hardware, completes the steps of the method of the foregoing embodiments.
An embodiment of the disclosure further provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the above access right control method; for the specific implementation see the method embodiment, which is not repeated here.
The server provided by the embodiment of the disclosure has the same implementation principle and technical effect as the foregoing method embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content of the foregoing method embodiment.
In the several embodiments provided herein, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely schematic; for example, the flowcharts and block diagrams in the drawings show the possible architecture, functions and operation of the devices, methods and computer program products of multiple embodiments of the disclosure. In this regard, each box in a flowchart or block diagram may represent a module, program segment or part of code, comprising one or more executable instructions for implementing the specified logic function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in a different order from that marked in the drawings; for example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and each combination of boxes, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Finally, it should be noted that the embodiments described above are merely specific embodiments of the disclosure, used to illustrate the technical solution of the disclosure rather than to limit it, and the scope of protection of the disclosure is not limited to them. Although the disclosure has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone familiar with the art may still modify or vary the technical solution recorded in the foregoing embodiments, or readily replace some of its technical features with equivalents, within the technical scope disclosed; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solution of the embodiments of the disclosure, and shall all be covered within the scope of protection of the disclosure. Therefore, the scope of protection of the disclosure shall be subject to the scope of protection of the claims.

Claims (10)

1. An access right control method, characterized in that the method is applied to a system server; a management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and manage services; the method comprises:
receiving a service access request from a client;
parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized user corresponding to the service is set by the management user, and the authorized user corresponding to the service has permission to access the service;
if so, returning the service data corresponding to the service access request to the client.
2. The method according to claim 1, characterized in that the step of parsing the authorization code carried in the service access request comprises:
judging whether the service access request carries an authorization code;
if so, parsing the authorization code carried in the service access request;
if not, generating an authorization code according to the account information of the authorized user carried in the service access request and sending the authorization code to the client, to prompt the client to carry the authorization code in a service access request and send the service access request again.
3. The method according to claim 2, characterized in that the step of generating an authorization code according to the account information of the authorized user carried in the service access request comprises:
judging whether the service corresponding to the service access request requires access right control;
if so, generating the authorization code according to the account information of the authorized user carried in the service access request;
if not, returning the service data corresponding to the service access request to the client.
4. The method according to claim 2, characterized in that the account information comprises an authorized account name and an authorized account password;
the step of generating an authorization code according to the account information of the authorized user carried in the service access request comprises:
encrypting the authorized account name, the authorized account password and attribute information to generate the authorization code; the attribute information comprising the current time and/or the IP address of the client extracted from the service access request.
5. The method according to claim 4, characterized in that the method also comprises:
if the attribute information includes the IP address of the client, parsing, when the service access request is received, the IP address of the client from the authorization code carried in the service access request;
obtaining the IP address of the client that sent the service access request;
judging whether the parsed IP address of the client is identical to the IP address of the client that sent the service access request;
if identical, determining that the authorization code is legal, and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
if not identical, refusing the client that sent the service access request access to the service.
6. The method according to claim 4, characterized in that the method also comprises:
if the attribute information includes the current time, parsing, when the service access request is received, the current time from the authorization code carried in the service access request;
judging whether the difference between the parsed current time and the system real-time time is less than a preset time difference;
if less, determining that the authorization code is legal, and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
if greater than or equal to it, refusing the client that sent the service access request access to the service.
7. The method according to claim 1, characterized in that the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request comprises:
obtaining the authorized account list of the service corresponding to the service access request, the authorized account list comprising the account information of the authorized users that have permission to access the service;
judging whether the parsed account information is stored in the authorized account list;
if it is stored in the authorized account list, determining that the client has permission to access the service corresponding to the service access request;
if it is not stored in the authorized account list, refusing the client that sent the service access request access to the service.
8. The method according to claim 1, characterized in that a system database and a system memory are provided on the system server;
the method also comprises:
during publication of the service, publishing the authorized account list of the service stored in advance in the system database into the system memory;
if an update message for the authorized account list of the service is received from the management user of the system, updating the update information into the system database;
updating the update information into the system memory through an RPC remote call interface.
9. An access control device, characterized in that the device is set in a system server; a management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and manage services; the device comprises:
a request receiving module, for receiving a service access request from a client;
an authorization code parsing module, for parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
a judgment module, for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized user corresponding to the service is set by the management user, and the authorized user corresponding to the service has permission to access the service;
a data return module, for returning, if so, the service data corresponding to the service access request to the client.
10. The device according to claim 9, characterized in that the authorization code parsing module is also used to:
judge whether the service access request carries an authorization code;
if so, parse the authorization code carried in the service access request;
if not, generate an authorization code according to the account information of the authorized user carried in the service access request and send the authorization code to the client, so that the client carries the authorization code in a service access request.
CN201910359647.6A 2019-04-30 2019-04-30 Access right control method and device Pending CN110086813A (en)


Publications (1)

Publication Number Publication Date
CN110086813A true CN110086813A (en) 2019-08-02

Family

ID=67417982


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110427767A (en) * 2019-08-08 2019-11-08 北京阿尔山区块链联盟科技有限公司 Assets recurrence authorization method and device
CN111245656A (en) * 2020-01-10 2020-06-05 浪潮商用机器有限公司 Method and system for remote monitoring through mobile equipment
CN112347427A (en) * 2020-09-30 2021-02-09 西安万像电子科技有限公司 Authority management method and system
CN112528337A (en) * 2020-12-21 2021-03-19 中电福富信息科技有限公司 WFP-based method for authorizing database high-risk commands in real time
WO2021169112A1 (en) * 2020-02-28 2021-09-02 平安国际智慧城市科技股份有限公司 Shared permission-based service data procesing method, apparatus and device, and medium
CN114465772A (en) * 2021-12-30 2022-05-10 江苏慧眼数据科技股份有限公司 Automation control equipment system and method

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101534300A (en) * 2009-04-17 2009-09-16 公安部第一研究所 System protection framework combining multi-access control mechanism and method thereof
CN102904870A (en) * 2011-07-28 2013-01-30 佳能株式会社 Server apparatus and information processing method
CN103428235A (en) * 2012-05-15 2013-12-04 上海博路信息技术有限公司 Data exchange system
CN103593602A (en) * 2012-08-14 2014-02-19 深圳中兴网信科技有限公司 User authorization management method and system
CN103617485A (en) * 2013-11-15 2014-03-05 中国航空无线电电子研究所 Uniform authority management and deployment system
CN106254075A (en) * 2015-06-11 2016-12-21 佳能株式会社 Certificate server system and method
CN106998551A (en) * 2016-01-25 2017-08-01 中兴通讯股份有限公司 A kind of method, system, device and the terminal of application access authentication
CN107231346A (en) * 2017-05-03 2017-10-03 北京海顿中科技术有限公司 A kind of method of cloud platform identification
CN107426134A (en) * 2016-05-23 2017-12-01 上海神计信息系统工程有限公司 A kind of access control method based on relation
CN108984415A (en) * 2018-07-26 2018-12-11 郑州云海信息技术有限公司 A kind of product use-case persistence maintenance system and management method
CN109327477A (en) * 2018-12-06 2019-02-12 泰康保险集团股份有限公司 Authentication method, device and storage medium
CN109347855A (en) * 2018-11-09 2019-02-15 南京医渡云医学技术有限公司 Data access method, device, system, Electronic Design and computer-readable medium
CN109587101A (en) * 2017-09-29 2019-04-05 腾讯科技(深圳)有限公司 A kind of digital certificate management method, device and storage medium
US10270759B1 (en) * 2017-06-21 2019-04-23 Mesosphere, Inc. Fine grained container security

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110427767A (en) * 2019-08-08 2019-11-08 北京阿尔山区块链联盟科技有限公司 Assets recurrence authorization method and device
CN111245656A (en) * 2020-01-10 2020-06-05 浪潮商用机器有限公司 Method and system for remote monitoring through mobile equipment
CN111245656B (en) * 2020-01-10 2023-04-07 浪潮商用机器有限公司 Method and system for remote monitoring through mobile equipment
WO2021169112A1 (en) * 2020-02-28 2021-09-02 平安国际智慧城市科技股份有限公司 Shared permission-based service data processing method, apparatus and device, and medium
CN112347427A (en) * 2020-09-30 2021-02-09 西安万像电子科技有限公司 Authority management method and system
CN112528337A (en) * 2020-12-21 2021-03-19 中电福富信息科技有限公司 WFP-based method for authorizing database high-risk commands in real time
CN114465772A (en) * 2021-12-30 2022-05-10 江苏慧眼数据科技股份有限公司 Automation control equipment system and method

Similar Documents

Publication Publication Date Title
CN110086813A (en) Access right control method and device
CN106612290B (en) Cross-domain single sign-on method oriented to system integration
KR102514325B1 (en) Model training system and method, storage medium
CN106850699B (en) A kind of mobile terminal login authentication method and system
CN110197058B (en) Unified internal control security management method, system, medium and electronic device
CN107172054B (en) Authority authentication method, device and system based on CAS
JP2022000757A5 (en)
CN110069908A (en) A kind of authority control method and device of block chain
WO2014004412A1 (en) Identity risk score generation and implementation
CN105812350B (en) Cross-platform single sign-on system
CN108632241B (en) Unified login method and device for multiple application systems
CN104506542A (en) Security certification method and security certification system
CN105577835B (en) Cross-platform single sign-on system based on cloud computing
US11757877B1 (en) Decentralized application authentication
CN109861968A (en) Resource access control method, device, computer equipment and storage medium
CN108881218B (en) Data security enhancement method and system based on cloud storage management platform
CN111031074A (en) Authentication method, server and client
CN110069909A (en) It is a kind of to exempt from the close method and device for logging in third party system
CN109962892A (en) A kind of authentication method and client, server logging in application
CN107566329A (en) A kind of access control method and device
CN107846676A (en) Safety communicating method and system based on network section security architecture
CN116415217A (en) Instant authorization system based on zero trust architecture
CN112187725A (en) Cloud computing resource access method and device, service line service and gateway
CN106603567B (en) A kind of login management method and device of WEB administrator
CN106982193A (en) A kind of method and device of prevention batch registration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190802