CN110086813A - Access right control method and device - Google Patents
- Publication number
- CN110086813A (application number CN201910359647.6A)
- Authority
- CN
- China
- Prior art keywords
- service
- access request
- service access
- client
- authorized user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/133—Protocols for remote procedure calls [RPC]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The present disclosure provides an access right control method and device. The method is applied to a system server; a management user and an authorized user are created in the system run by the system server. The method comprises: receiving a service access request from a client; parsing the authorization code carried in the service access request to obtain the account information of an authorized user; and judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service. If so, the service data corresponding to the service access request is returned to the client. The disclosure can improve system security.
Description
Technical field
The present disclosure relates to the technical field of system security, and in particular to an access right control method and device.
Background technique
In the authorization procedure of related service systems, a client requesting a service needs to log in to the system with the account name and password of an authentication account; the legitimacy of the authorization code sent by the client is then verified to decide whether the client is allowed access. In this procedure, the authentication account the client uses to access services is an account registered in the system that can log in to it, and that account has permission to modify the system, for example to modify the various services in the system. Consequently, when the account is leaked, other users may misuse the leaked account to log in to the system, which easily leads to system data being leaked or tampered with.
Summary of the invention
The purpose of the present disclosure is to provide an access right control method and device so as to improve system security.
To achieve the above goal, the disclosure adopts the following technical solution:
In a first aspect, the present disclosure provides an access right control method applied to a system server. A management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and to manage services. The method comprises: receiving a service access request from a client; parsing the authorization code carried in the service access request to obtain the account information of an authorized user; judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service; and, if so, returning the service data corresponding to the service access request to the client.
In a second aspect, the present disclosure provides an access right control device located on a system server. A management user and an authorized user are created in the system run by the system server; the management user has permission to log in to the system and to manage services. The device includes: a request receiving module for receiving the service access request from a client; an authorization code parsing module for parsing the authorization code carried in the service access request to obtain the account information of an authorized user; a judgment module for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service; and a data returning module for returning, if so, the service data corresponding to the service access request to the client.
In a third aspect, the present disclosure provides a server including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the processor executes the machine-executable instructions to implement the above access right control method.
In a fourth aspect, the present disclosure provides a machine-readable storage medium storing machine-executable instructions. When the machine-executable instructions are called and executed by a processor, they cause the processor to implement the above access right control method.
In the above access right control method, device, server and machine-readable storage medium, a management user and an authorized user are created in the system run by the system server, and the management user has permission to log in to the system and to manage services. When a service access request sent by a client is received, the authorization code carried in the service access request is parsed to obtain account information; it is then judged whether the authorized user corresponding to the account information has permission to access the service corresponding to the service access request, and if so, the service data corresponding to the service access request is returned to the client. In this method, the authorized user corresponding to a service is set by the management user and has permission to access that service. Because the account information of the authorized user carries no permission to log in to the system or to manage services, and serves only to verify the client's access right, the system cannot be arbitrarily tampered with even if the account information of the authorized user is leaked, which improves system security.
Other features and advantages of the disclosure will be set out in the following description; alternatively, some features and advantages can be deduced from or unambiguously determined by the specification, or learned by implementing the above technology of the disclosure.
To make the above objects, features and advantages of the disclosure clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Detailed description of the invention
To illustrate more clearly the specific embodiments of the disclosure or the technical solutions in the prior art, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the disclosure; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is a schematic diagram of an application scenario of an access right control method provided by an embodiment of the disclosure;
Fig. 2 is a schematic diagram of an application scenario of another access right control method provided by an embodiment of the disclosure;
Fig. 3 is a flow chart of an access right control method provided by an embodiment of the disclosure;
Fig. 4 is a flow chart of another access right control method provided by an embodiment of the disclosure;
Fig. 5 is a structural schematic diagram of an access right control device provided by an embodiment of the disclosure;
Fig. 6 is a structural schematic diagram of a server provided by an embodiment of the disclosure.
Specific embodiment
The technical solutions of the embodiments of the disclosure are described clearly and completely below. Obviously, the described embodiments are a part of the embodiments of the disclosure, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in the disclosure without creative work fall within the scope of protection of the disclosure.
For ease of understanding, an application scenario of an access right control method is described first. As shown in Fig. 1, a system server can run various systems or platforms, such as a DSG (Data Services Generator) system, a data query system or another system that provides data services. Users can register and log in to the system through a client; after a successful login, a user can use the corresponding services in the system.
Taking the DSG system as an example, the DSG system can publish various data sources, such as an RDBMS (Relational Database Management System) or a DataEngine (data engine), as web services; through the DSG system, a user can access the data in these data sources using the browser in the client. However, most current systems lack a control mechanism for user access rights: after logging in, a user can freely access the corresponding services in the system and may even modify them. If a user's account information (account name, password, etc.) is leaked, other users can use the leaked account information to log in to the system illegally and even tamper with every service in it, which not only leads to leakage of system data but also lowers the security of the system.
To address the above problems, an embodiment of the disclosure first provides an access right control method. As shown in Fig. 2, a management user and an authorized user are created in the system run by the system server. During creation, the management user is given permission to log in to the system and to manage services, for example to generate a service, modify the data of a service or update a service; meanwhile, the authorized user is given no permission to log in to the system and therefore cannot manage the services in the system. The account information of the authorized user can be sent to a legitimate client in advance; when that client accesses a service, the system determines from the account information the client sends whether the client is an authorized user, and thereby whether the client may access the service.
Based on the above division of roles between the management user and the authorized user, Fig. 3 shows the flow chart of an access right control method, which comprises the following steps:
Step S302: receive a service access request from a client;
Since the two roles of management user and authorized user have been created in the system in this embodiment, the client may also be called a third-party client here. When a user sends a service access request using the client, the user may click the button of the corresponding service on the web page of the client, and the client sends a service access request for the service corresponding to that button to the system server.
Step S304: parse the authorization code carried in the service access request to obtain the account information of an authorized user;
The account information of the authorized user may include information such as the authorized user's name and password. After the system server obtains the account information of the authorized user from a service access request, it generates an authorization code based on that account information; specifically, the authorization code may be computed using various encryption algorithms, data conversion algorithms and the like, and is then returned to the client.
After the client receives the authorization code, it may send a service access request to the system server again, namely the service access request of the step above, carrying the received authorization code with it. Since the authorization code is generated from the account information of the authorized account, the server can recover the account information of the authorized account from the authorization code by applying the inverse of the algorithm used to generate it.
Step S306: judge whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request, where the authorized user corresponding to a service is set by the management user and has permission to access that service;
The account information of the created authorized users is usually stored on the system server; if the parsed account information can be found among the stored account information, it can be confirmed that the authorized user corresponding to the client has permission to access the service corresponding to the service access request. In addition, when a user sends a service access request through the client, the clicked button usually corresponds to a service address; the service access request therefore contains the service address that the user wants to access, and the system server can tell from the service address contained in the service access request which service the client wants to access.
The management user can set the authorized users corresponding to a service in various ways. In one way, every configured authorized user can access all services; for example, if there are three services in the system, authorized user A can access all three. In another way, corresponding authorized users can be set for each service separately, and only the authorized users under that service have permission to access it.
Step S308: if so, return the service data corresponding to the service access request to the client.
As described above, the service access request contains a service address; the system server can query the corresponding service data from the data source according to that service address and then return the queried service data to the client.
In the above access right control method, a management user and an authorized user are created in the system run by the system server, and the management user has permission to log in to the system and to manage services. When a service access request sent by a client is received, the authorization code carried in the service access request is parsed to obtain account information; it is then judged whether the authorized user corresponding to the account information has permission to access the service corresponding to the service access request, and if so, the service data corresponding to the service access request is returned to the client. In this method, the authorized user corresponding to a service is set by the management user and has permission to access that service. Because the account information of the authorized user carries no permission to log in to the system or to manage services, and serves only to verify the client's access right, the system cannot be arbitrarily tampered with even if the account information of the authorized user is leaked, which improves system security.
An embodiment of the disclosure also provides another access right control method, which gives a more specific way of judging whether an authorized user has permission to access a service, so that the authorized users of different services are isolated from one another. As shown in Fig. 4, the method comprises the following steps:
Step S402: receive a service access request from a client.
Step S404: judge whether the service corresponding to the service access request requires access right control; if not, execute step S406; if so, execute step S408;
Step S406: return the service data corresponding to the service access request to the client. End.
The client can send the above service access request through a service interface published by the system in order to request a resource. The service corresponding to the service access request, that is, the service the client requests access to, can be determined from the service address in the service access request. Many services can be provided on the system server; some require access right control and some do not. For a service that does not require access right control, the service data corresponding to the service access request is returned directly to the client. Therefore, when a service access request arrives, it is necessary to judge whether the service corresponding to it requires access right control.
Specifically, whether access right control is required can be set as an attribute of the service, and whether the current service requires access right control is determined by querying the value of that attribute. In another way, the services that require access right control can be kept in a list; when a service access request is received, if the service corresponding to the request can be found in that list, the service is determined to require access right control.
Step S408: judge whether the above service access request carries an authorization code; if not, execute step S410; if so, execute step S412;
Step S410: generate an authorization code according to the account information of the authorized user carried in the service access request, and send the authorization code to the client so that the client carries the authorization code in its service access request. End.
To identify clients with service access permission, the management user sends the account information of an authorized user to each client with service access permission in advance, and the client stores it. When the client sends a service access request to the system server, it carries the account information of the authorized user in the service access request and sends them to the system server together. When the system server receives the service access request, it can extract the account information of the authorized user from the request: if the extracted information is the account information of a legitimate authorized user in the system, the request is processed further; if the extracted information is not the account information of a legitimate authorized user in the system, or no relevant account information can be obtained, the request is not processed further, or an access-denied message is returned to the client.
Step S412: parse the authorization code carried in the service access request to obtain account information.
Step S414: obtain the authorized account list of the service corresponding to the service access request; the authorized account list contains the account information of the authorized users that have permission to access the service;
Step S416: judge whether the parsed account information is stored in the authorized account list; if it is, execute step S418; if it is not, execute step S420;
In actual implementation, this step can be realized by two judgments: first judge whether the authorized account name in the account information is stored in the above authorized account list, then judge whether the authorized account password in the account information matches the password corresponding to the stored authorized account name. If both hold, it is determined that the parsed account information is stored in the authorized account list.
Step S418: determine that the client has permission to access the service corresponding to the service access request, and return the service data corresponding to the service access request to the client. End.
Step S420: refuse the client that sent the service access request access to the service.
In the system, the access rights of the two roles, management user and authorized user, to different paths can be configured with spring-security, so that the management user has permission to log in to the system and to manage services while the authorized user has no permission to log in to the system. Spring Security is a security framework that provides a declarative secure access control solution for enterprise application systems based on Spring.
When generating a service, the management user can edit an SQL statement for a database table under a data source through the system interface, then publish that SQL statement as a service and provide a service access address together with the input and output parameters of the service; users can obtain the result returned by the SQL statement of the published service through the service access address. After the service is generated, the management user turns on the access control switch for the service and can then create an authorized account list for it; the authorized users stored in that list have permission to access the service. The account information of an authorized user usually includes information such as the authorized user's name and the authorized user's password. For example, the management user generates and manages three services, service A, service B and service C; Table 1 below shows the authorized account list corresponding to each service. The authorized users of different services may overlap: the account information of a certain authorized user may be in the authorized account list of service A and also in the authorized account list of service B.
Table 1
In this way, by setting a corresponding authorized account list for each service, an authorized user can be given permission to access only some of the services, which isolates authorized users between services. When the account information of an authorized user is leaked, an illegal user can only access the data of some of the services in the system, which reduces the range of system data that can be leaked and further improves system security.
In addition, the management users and authorized users created in the system can also be divided into user groups, and service resources are isolated between different user groups. For example, if management user A and management user B belong to different user groups, management user B cannot see the services published by management user A in the system; and for a service published by management user A, only the authorized users in the same user group as management user A can possibly have access rights. For each specific service, whether a certain authorized user has access rights is further determined by the authorized account list that management user A set for that service. This way isolates system service resources between user groups and further improves the security of system data.
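The decision flow of Fig. 4 (steps S402 to S420) with one authorized account list per service, the two-judgment check of step S416 and the user-group isolation just described, as an added illustration that is not the patent's own code. All class and function names, the three services and the sample accounts are constructed; the account list stores passwords as salted PBKDF2 hashes, which is an implementation choice of this example, not something the text specifies.

```python
"""Fig. 4 decision flow with per-service authorized account lists and user-group
isolation. Added example; names, services and accounts are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000  # assumed work factor for this demo


@dataclass(frozen=True)
class AuthorizedAccount:
    """One entry of a service's authorized account list: name, password, user group."""
    name: str
    group: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name: str, password: str, group: str) -> "AuthorizedAccount":
        salt = os.urandom(16)
        return cls(name, group, salt, cls._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def password_matches(self, password: str) -> bool:
        # second judgment of step S416: stored password for this account name
        return hmac.compare_digest(self._derive(password, self.salt), self.pw_hash)


@dataclass
class Service:
    address: str
    owner_group: str        # user group of the management user who published it
    access_control: bool    # the service's "access control switch" attribute (S404)
    data: str               # stands in for the SQL result the service returns
    authorized: dict = field(default_factory=dict)  # account name -> AuthorizedAccount

    def add_authorized(self, account: AuthorizedAccount) -> None:
        self.authorized[account.name] = account


class SystemServer:
    def __init__(self) -> None:
        self.services = {}  # service address -> Service

    def publish(self, service: Service) -> None:
        self.services[service.address] = service

    def handle(self, request: dict) -> dict:
        """request = {"service_address": str, "account": (name, password) or absent}.
        The account pair stands for what step S412 parses out of the authorization code."""
        service = self.services.get(request.get("service_address"))   # S402
        if service is None:
            return {"status": "denied", "reason": "unknown service"}
        if not service.access_control:                                # S404 -> S406
            return {"status": "ok", "data": service.data}
        account = request.get("account")                              # S408 / S412
        if account is None:
            return {"status": "denied", "reason": "no authorization code"}
        name, password = account
        entry = service.authorized.get(name)                          # S414 / S416, judgment 1
        if entry is None or not entry.password_matches(password):     # judgment 2 -> S420
            return {"status": "denied", "reason": "not in authorized account list"}
        if entry.group != service.owner_group:                        # user-group isolation
            return {"status": "denied", "reason": "service belongs to another user group"}
        return {"status": "ok", "data": service.data}                 # S418


def build_demo_server() -> SystemServer:
    """Constructed sample: services A, B, C as in the text's example, with
    authorized account lists in the spirit of Table 1."""
    alice = AuthorizedAccount.create("alice", "alice-pw", "group1")
    bob = AuthorizedAccount.create("bob", "bob-pw", "group1")
    carol = AuthorizedAccount.create("carol", "carol-pw", "group2")
    srv = SystemServer()
    svc_a = Service("/svc/A", "group1", True, "A-data")
    svc_a.add_authorized(alice)
    svc_a.add_authorized(bob)
    svc_b = Service("/svc/B", "group1", False, "B-data")   # switch off: no control
    svc_c = Service("/svc/C", "group1", True, "C-data")
    svc_c.add_authorized(alice)
    svc_c.add_authorized(carol)   # wrong group on purpose: the group check is enforced
    for svc in (svc_a, svc_b, svc_c):
        srv.publish(svc)
    return srv
```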
From the above embodiments it can be seen that after the system server receives a service access request, it can generate an authorization code based on the account information of the authorized user in the service access request. Existing ways of generating and verifying authorization codes mostly generate the authorization code from the authorized account name and the authorized account password and, during verification, check whether the authorized account name and password are correct; or they generate the authorization code from a random string and, during verification, check whether the random string is correct. However, if the authorized account name and password are stolen, or the random string is stolen, an illegal user can likewise obtain an authorization code from the stolen information and access services, so system data is at risk of leakage. This embodiment therefore provides a way of generating an authorization code that further improves the timeliness and security of the authorization code and thereby the security of system data; it is described in detail below.
The authorization code may also be called a token. The account information of the authorized user obtained by the system server generally contains an authorized account name and an authorized account password; the system server can encrypt the authorized account name, the authorized account password and attribute information to generate the authorization code. The encryption may specifically be the DES (Data Encryption Algorithm) encryption algorithm, or of course another encryption algorithm or data conversion algorithm. The attribute information includes the current time and/or the IP address of the client extracted from the service access request.
In actual implementation, the attribute information may contain only the current time, or only the IP address of the client extracted from the service access request, or both the current time and the IP address of the client extracted from the service access request; what the attribute information specifically contains can be set according to the actual needs of the system.
After the system server receives a service access request carrying an authorization code, the way the legitimacy of the authorization code is judged differs according to the content of the attribute information used when the authorization code was generated; the cases are described below.
Mode one: if the attribute information includes the IP (Internet Protocol) address of the client, the system server determines the legitimacy of the authorization code by the following steps:
Step 50: when a service access request is received, parse the IP address of the client out of the authorization code carried in the service access request;
Step 51: obtain the IP address of the client that sent the service access request;
Step 52: judge whether the parsed IP address of the client is the same as the IP address of the client that sent the service access request; if they are the same, execute step 53; if not, execute step 54.
Step 53: determine that the authorization code is legitimate, and execute the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
Step 54: refuse the client that sent the service access request access to the service.
From the above embodiments it can be seen that the IP address of the client parsed out of the authorization code carried in the service access request is compared with the IP address of the client that sent the service access request. If the parsed IP address of the client is the same as the IP address of the client that sent the service access request, this shows that the client for which the authorization code was issued and the client sending the present service access request are the same client, and the authorization code has not been stolen by another. But if the parsed IP address of the client differs from the IP address of the client that sent the service access request, this shows that the present service access request was not sent by the same client and that the authorization code has been stolen illegally, that is, the client sending the service access request is an illegitimate client; the illegitimate client is then refused access to the service so that the system is not accessed by illegitimate clients.
It is further to note that the account letter that judgement parsing obtains can be continued to execute after determining that enabling legislation is legal
Cease whether corresponding authorized user has the step of permission of access service access request corresponding with service;Another feasible mode
In, it can also first carry out and judge whether the corresponding authorized user of account information that parsing obtains has access service access request pair
The step of permission that should be serviced, then determine enabling legislation legitimacy.
By the above-mentioned means, the safety of authorization code can be improved, illegitimate client is avoided to steal authorization code access system,
To further improve the safety of system.
Mode two: if the attribute information includes the current time, the system server determines the legitimacy of the authorization code by the following steps:
Step 60: when the service access request is received, parse the authorization code carried in the service access request to obtain the current time.
Step 61: judge whether the difference between the parsed current time and the system real-time time is less than a preset time difference; if it is less, execute step 62; if it is greater than or equal to the preset time difference, execute step 63;
Step 62: determine that the authorization code is legal, and execute the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
Step 63: refuse the client that sent the service access request access to the service.
It should be noted that the "current time" here is the time at which the authorization code was generated after the system server received the earlier service access request, while the "system real-time time" is the time at which the system server executes step 61 after receiving the present service access request. The preset time difference can be set according to actual needs, for example 100 milliseconds or 3 seconds. If the difference between the current time and the system real-time time is less than the preset time difference, the authorization code is still timely and is legal; if the difference is greater than or equal to the preset time difference, the authorization code has expired and lost its timeliness, and the client that sent the service access request may be refused access to the service. In addition, the system server may prompt the client that sent the service access request to resend it.
Although there may be many objective causes for an authorization code losing its timeliness, such as congestion on the communication line or the client sending the service access request slowly, it cannot be ruled out that the authorization code was stolen by an illegitimate client and that the delay was caused by an illegitimate third party sending the service access request. Limiting the timeliness of the authorization code therefore further ensures its legitimacy and further increases the security of the system.
In addition, this mode also avoids the problem that, after the account password of an authorized user has been modified, an authorization code generated from the former account information of that authorized user could still pass verification and be used for access, which improves the reliability of the system.
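As an added example (not code from the patent), the following Python sketch implements mode one and mode two above together with the authorized account list check of the judgment step, returning a reason for every refusal so the decision can be logged. It assumes a server-side secret key, a preset time difference of 3 seconds, and a constructed in-memory authorized account list; the patent says the fields are encrypted, whereas this example seals them with HMAC-SHA256 so that it runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions, not from the patent: a server-side key and the preset time
# difference (the page gives 100 ms and 3 s as example values).
SERVER_KEY = b"constructed-demo-key-replace-in-production"
PRESET_TIME_DIFF_SECONDS = 3.0


def generate_authorization_code(account_name, account_password, attributes,
                                key=SERVER_KEY):
    """Build an authorization code from the authorized account name, the
    account password and the attribute information.  `attributes` may hold
    "ip" (client IP taken from the request) and/or "time" (generation time),
    matching the page's "current time and/or client IP".  The patent encrypts
    these fields; here they are JSON-encoded and sealed with HMAC-SHA256 so
    tampering is detected (the fields are not confidential in this sketch)."""
    payload = {"name": account_name, "password": account_password, **attributes}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def parse_authorization_code(code, key=SERVER_KEY):
    """Return the payload dict, or None if the code is malformed or the seal
    does not verify (a forged or altered code)."""
    body, sep, tag = code.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def check_access(code, sender_ip, authorized_accounts, now=None,
                 key=SERVER_KEY, max_diff=PRESET_TIME_DIFF_SECONDS):
    """Decide whether the sender may access the service.

    Returns (allowed, reason).  The legitimacy checks run first and the
    authorized-account check afterwards; the page allows either order.
    `authorized_accounts` maps authorized account name -> account password
    (the service's authorized account list held in system memory)."""
    payload = parse_authorization_code(code, key)
    if payload is None:
        return False, "authorization code unreadable or seal invalid"

    # Mode one (steps 50-54): the IP inside the code must equal the sender's.
    if "ip" in payload and payload["ip"] != sender_ip:
        return False, "client IP mismatch: code may have been stolen"

    # Mode two (steps 60-63): the code must still be within the preset
    # time difference of the system real-time time.
    if "time" in payload:
        real_time = time.time() if now is None else now
        if abs(real_time - payload["time"]) >= max_diff:
            return False, "authorization code expired: client should resend"

    # Judgment step (claim 7): the parsed account information must be stored
    # in the authorized account list.  Comparing the password as well means a
    # code built from an old password stops verifying once it is changed.
    stored_password = authorized_accounts.get(payload.get("name"))
    if stored_password is None or not hmac.compare_digest(
            stored_password, str(payload.get("password", ""))):
        return False, "account information not in authorized account list"
    return True, "ok"
```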
From the foregoing embodiments it can be seen that every time a client accesses a service, the authorized account list corresponding to that service must be obtained in order to confirm whether the client has permission to access the service. If the volume of access is large, the system server may be unable to process requests in time, causing access timeouts and degrading the user's access experience. For this reason, the present embodiment also provides a way of storing the authorized account list of a service, described below.
The system running on the system server generally comprises a foreground web module and a background core module. The foreground web module mainly includes the system interface and the system database; the background core module is mainly responsible for business logic processing. The system database stores the created services and the authorized account list corresponding to each service; the background core module stores the dbs file corresponding to each service. When the system starts, the background core module reads the dbs file of every service and then publishes the services; during publishing, the authorized account list of each service, stored in advance in the system database, is published into system memory. When the system shuts down, the services and their corresponding authorized account lists disappear from system memory.
A management user modifies the authorized account list of a service through the system interface of the foreground web module, for example by changing the permissions of an authorized user, adding or deleting an authorized user for a service, or modifying an authorized user's password. The system receives these update messages sent by the management user through the system interface: if the system server receives an update message for the authorized account list of a service from the management user, it writes the update information into the system database and, through an RPC (Remote Procedure Call) remote call interface, updates the update information into system memory.
In addition, the authorized account list of a service may also be stored in the dbs file of the respective service in the background core module, so that access control for the service does not need to read the system database every time, which also guarantees access efficiency.
In this way the authorized account information of a service can be modified without republishing the service, and the modified authorized account information takes effect after the modification. Saving the authorized account information synchronously in both the system database and system memory improves the concurrent access efficiency of the service and reduces access timeouts. It also avoids errors when a client requests the service before the service has been republished successfully, improving the stability of the system.
Corresponding to the above method embodiment, Figure 5 shows a schematic structural diagram of an access control device. The device is provided on a system server; a management user and authorized users are created in the system run by the system server; the management user has permission to log in to the system and manage services. The device includes:
Request receiving module 50, for receiving a service access request from a client;
Authorization code parsing module 51, for parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
Judgment module 52, for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized users corresponding to a service are set by the management user, and the authorized users corresponding to a service have permission to access that service;
Data return module 53, for returning the service data corresponding to the service access request to the client if the authorized user has that permission.
Further, the authorization code parsing module is also used to: judge whether the service access request carries an authorization code; if so, parse the authorization code carried in the service access request; if not, generate an authorization code according to the account information of the authorized user carried in the service access request and send the authorization code to the client, so that the client carries the authorization code in its service access request.
Further, the authorization code parsing module is also used to: judge whether the service corresponding to the service access request requires access permission control; if so, generate an authorization code according to the account information; if not, return the service data corresponding to the service access request to the client.
Further, the account information includes an authorized account name and an authorized account password; the authorization code parsing module is also used to: encrypt the authorized account name, the authorized account password and attribute information to generate the authorization code, where the attribute information includes the current time and/or the IP address of the client extracted from the service access request.
Further, the device also includes: an IP address parsing module, for parsing, when the service access request is received and the attribute information includes the IP address of the client, the authorization code carried in the service access request to obtain the IP address of the client; an IP address obtaining module, for obtaining the IP address of the client that sent the service access request; a second judgment module, for judging whether the parsed IP address of the client is identical to the IP address of the client that sent the service access request; a first legitimacy determining module, for determining, if identical, that the authorization code is legal and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; and a first access refusal module, for refusing, if not identical, the client that sent the service access request access to the service.
Further, the device also includes: a time parsing module, for parsing, when the service access request is received and the attribute information includes the current time, the authorization code carried in the service access request to obtain the current time; a third judgment module, for judging whether the difference between the parsed current time and the system real-time time is less than a preset time difference; a second legitimacy determining module, for determining, if it is less, that the authorization code is legal and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; and a second access refusal module, for refusing, if it is greater than or equal to the preset time difference, the client that sent the service access request access to the service.
Further, the judgment module is also used to: obtain the authorized account list of the service corresponding to the service access request, the authorized account list including the account information of the authorized users that have permission to access the service; judge whether the parsed account information is stored in the authorized account list; if it is stored in the authorized account list, determine that the client has permission to access the service corresponding to the service access request; if it is not stored in the authorized account list, refuse the client that sent the service access request access to the service.
Further, a system database and system memory are provided on the system server, and the device also includes: a publishing module, for publishing the authorized account list of the service, stored in advance in the system database, into system memory during the publishing process of the service; a first update module, for updating the update information into the system database if an update message for the authorized account list of the service is received from the management user of the system; and a second update module, for updating the update information into system memory through an RPC remote call interface.
In the above access control device, a management user and authorized users are created in the system run by the system server, and the management user has permission to log in to the system and manage services. When a service access request sent by a client is received, the authorization code carried in the service access request is parsed to obtain account information; it is then judged whether the authorized user corresponding to the account information has permission to access the service corresponding to the service access request, and if so, the service data corresponding to the service access request is returned to the client. In this mode the authorized users corresponding to a service are set by the management user, and those authorized users have permission to access the service. Because the account information of an authorized user does not carry permission to log in to the system or manage services, and only serves to verify the client's access permission, the system cannot be tampered with arbitrarily even if the account information of an authorized user is leaked, which improves the security of the system.
The present embodiments also provide a server corresponding to the above method embodiment. Fig. 6 is a schematic structural diagram of the server; as shown in Fig. 6, the device includes a processor 601 and a memory 600, where memory 600 stores one or more computer instructions that are executed by the processor to implement the above access right control method.
The server shown in Fig. 6 further includes a bus 602 and a communication interface 603; processor 601, communication interface 603 and memory 600 are connected through bus 602. The server may be a network edge device.
Memory 600 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk memory. Bus 602 may be an ISA bus, a PCI bus or an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one double-headed arrow is drawn in Fig. 6, which does not mean that there is only one bus or only one type of bus.
Communication interface 603 is used to connect, through a network interface, to at least one user terminal and other network units, and to send encapsulated IPv4 or IPv6 messages to the user terminal through the network interface.
Processor 601 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in processor 601 or by instructions in software form. Processor 601 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and it can implement or execute the methods, steps and logic diagrams disclosed in the disclosure embodiments. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the disclosure embodiments may be embodied directly as execution by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium that is mature in this field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in memory 600; processor 601 reads the information in memory 600 and, in combination with its hardware, completes the steps of the method of the foregoing embodiments.
The disclosure embodiments further provide a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the above access right control method; for the specific implementation see the method embodiment, which is not repeated here.
The server provided by the disclosure embodiments has the same implementation principle and technical effect as the foregoing method embodiment; for brevity, where the device embodiment does not mention something, reference may be made to the corresponding content of the foregoing method embodiment.
In the several embodiments provided herein, it should be understood that the disclosed device and method may also be realized in other ways. The device embodiments described above are merely schematic. For example, the flowcharts and block diagrams in the drawings show the architecture, functions and operations that may be implemented by the devices, methods and computer program products of multiple embodiments of the disclosure. In this regard, each box in a flowchart or block diagram may represent a module, program segment or part of code, and that module, segment or part of code includes one or more executable instructions for realizing the specified logic function. It should also be noted that, in some alternative implementations, the functions marked in the boxes may occur in an order different from that marked in the drawings; for example, two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flowcharts, and combinations of boxes in the block diagrams and/or flowcharts, may be realized by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Finally, it should be noted that the embodiments described above are merely specific embodiments of the disclosure used to illustrate its technical solution, not to limit it, and the scope of protection of the disclosure is not limited thereto. Although the disclosure has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person familiar with the art may still, within the technical scope disclosed by the disclosure, modify or vary the technical solution recorded in the foregoing embodiments, or readily replace some of its technical features with equivalents; such modifications, variations or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solution of the disclosure embodiments, and they shall all be covered within the scope of protection of the disclosure. Therefore, the scope of protection of the disclosure shall be subject to the scope of protection of the claims.
Claims (10)
1. An access right control method, characterized in that the method is applied to a system server; a management user and authorized users are created in the system run by the system server; the management user has permission to log in to the system and manage services; the method includes:
receiving a service access request from a client;
parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized users corresponding to the service are set by the management user, and the authorized users corresponding to the service have permission to access the service;
if so, returning the service data corresponding to the service access request to the client.
2. The method according to claim 1, characterized in that the step of parsing the authorization code carried in the service access request includes:
judging whether the service access request carries an authorization code;
if so, parsing the authorization code carried in the service access request;
if not, generating an authorization code according to the account information of the authorized user carried in the service access request, and sending the authorization code to the client to prompt the client to carry the authorization code in a service access request and resend the service access request.
3. The method according to claim 2, characterized in that the step of generating an authorization code according to the account information of the authorized user carried in the service access request includes:
judging whether the service corresponding to the service access request requires access permission control;
if so, generating an authorization code according to the account information of the authorized user carried in the service access request;
if not, returning the service data corresponding to the service access request to the client.
4. The method according to claim 2, characterized in that the account information includes an authorized account name and an authorized account password;
the step of generating an authorization code according to the account information of the authorized user carried in the service access request includes:
encrypting the authorized account name, the authorized account password and attribute information to generate the authorization code; the attribute information includes the current time and/or the IP address of the client extracted from the service access request.
5. The method according to claim 4, characterized in that the method further includes:
if the attribute information includes the IP address of the client, parsing, when the service access request is received, the authorization code carried in the service access request to obtain the IP address of the client;
obtaining the IP address of the client that sent the service access request;
judging whether the parsed IP address of the client is identical to the IP address of the client that sent the service access request;
if identical, determining that the authorization code is legal, and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
if not identical, refusing the client that sent the service access request access to the service.
6. The method according to claim 4, characterized in that the method further includes:
if the attribute information includes the current time, parsing, when the service access request is received, the authorization code carried in the service access request to obtain the current time;
judging whether the difference between the parsed current time and the system real-time time is less than a preset time difference;
if it is less, determining that the authorization code is legal, and executing the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request;
if it is greater than or equal to the preset time difference, refusing the client that sent the service access request access to the service.
7. The method according to claim 1, characterized in that the step of judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request includes:
obtaining the authorized account list of the service corresponding to the service access request; the authorized account list includes the account information of the authorized users that have permission to access the service;
judging whether the parsed account information is stored in the authorized account list;
if it is stored in the authorized account list, determining that the client has permission to access the service corresponding to the service access request;
if it is not stored in the authorized account list, refusing the client that sent the service access request access to the service.
8. The method according to claim 1, characterized in that a system database and system memory are provided on the system server;
the method further includes:
during the publishing process of the service, publishing the authorized account list of the service, stored in advance in the system database, into the system memory;
if an update message for the authorized account list of the service sent by the management user of the system is received, updating the update information into the system database;
updating the update information into the system memory through an RPC remote call interface.
9. An access control device, characterized in that the device is provided on a system server; a management user and authorized users are created in the system run by the system server; the management user has permission to log in to the system and manage services; the device includes:
a request receiving module, for receiving a service access request from a client;
an authorization code parsing module, for parsing the authorization code carried in the service access request to obtain the account information of an authorized user;
a judgment module, for judging whether the authorized user corresponding to the parsed account information has permission to access the service corresponding to the service access request; wherein the authorized users corresponding to the service are set by the management user, and the authorized users corresponding to the service have permission to access the service;
a data return module, for returning, if so, the service data corresponding to the service access request to the client.
10. The device according to claim 9, characterized in that the authorization code parsing module is also used to:
judge whether the service access request carries an authorization code;
if so, parse the authorization code carried in the service access request;
if not, generate an authorization code according to the account information of the authorized user carried in the service access request, and send the authorization code to the client so that the client carries the authorization code in a service access request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910359647.6A CN110086813A (en) | 2019-04-30 | 2019-04-30 | Access right control method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110086813A true CN110086813A (en) | 2019-08-02 |
Family
ID=67417982
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910359647.6A Pending CN110086813A (en) | 2019-04-30 | 2019-04-30 | Access right control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110086813A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110427767A (en) * | 2019-08-08 | 2019-11-08 | 北京阿尔山区块链联盟科技有限公司 | Assets recurrence authorization method and device |
CN111245656A (en) * | 2020-01-10 | 2020-06-05 | 浪潮商用机器有限公司 | Method and system for remote monitoring through mobile equipment |
CN112347427A (en) * | 2020-09-30 | 2021-02-09 | 西安万像电子科技有限公司 | Authority management method and system |
CN112528337A (en) * | 2020-12-21 | 2021-03-19 | 中电福富信息科技有限公司 | WFP-based method for authorizing database high-risk commands in real time |
WO2021169112A1 (en) * | 2020-02-28 | 2021-09-02 | 平安国际智慧城市科技股份有限公司 | Shared permission-based service data procesing method, apparatus and device, and medium |
CN114465772A (en) * | 2021-12-30 | 2022-05-10 | 江苏慧眼数据科技股份有限公司 | Automation control equipment system and method |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101534300A (en) * | 2009-04-17 | 2009-09-16 | 公安部第一研究所 | System protection framework combining multi-access control mechanism and method thereof |
CN102904870A (en) * | 2011-07-28 | 2013-01-30 | 佳能株式会社 | Server apparatus and information processing method |
CN103428235A (en) * | 2012-05-15 | 2013-12-04 | 上海博路信息技术有限公司 | Data exchange system |
CN103593602A (en) * | 2012-08-14 | 2014-02-19 | 深圳中兴网信科技有限公司 | User authorization management method and system |
CN103617485A (en) * | 2013-11-15 | 2014-03-05 | 中国航空无线电电子研究所 | Uniform authority management and deployment system |
CN106254075A (en) * | 2015-06-11 | 2016-12-21 | 佳能株式会社 | Certificate server system and method |
CN106998551A (en) * | 2016-01-25 | 2017-08-01 | 中兴通讯股份有限公司 | A kind of method, system, device and the terminal of application access authentication |
CN107231346A (en) * | 2017-05-03 | 2017-10-03 | 北京海顿中科技术有限公司 | A kind of method of cloud platform identification |
CN107426134A (en) * | 2016-05-23 | 2017-12-01 | 上海神计信息系统工程有限公司 | A kind of access control method based on relation |
CN108984415A (en) * | 2018-07-26 | 2018-12-11 | 郑州云海信息技术有限公司 | A kind of product use-case persistence maintenance system and management method |
CN109327477A (en) * | 2018-12-06 | 2019-02-12 | 泰康保险集团股份有限公司 | Authentication method, device and storage medium |
CN109347855A (en) * | 2018-11-09 | 2019-02-15 | 南京医渡云医学技术有限公司 | Data access method, device, system, Electronic Design and computer-readable medium |
CN109587101A (en) * | 2017-09-29 | 2019-04-05 | 腾讯科技(深圳)有限公司 | A kind of digital certificate management method, device and storage medium |
US10270759B1 (en) * | 2017-06-21 | 2019-04-23 | Mesosphere, Inc. | Fine grained container security |
-
2019
- 2019-04-30 CN CN201910359647.6A patent/CN110086813A/en active Pending
Patent Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101534300A (en) * | 2009-04-17 | 2009-09-16 | 公安部第一研究所 | System protection framework combining multi-access control mechanism and method thereof |
CN102904870A (en) * | 2011-07-28 | 2013-01-30 | 佳能株式会社 | Server apparatus and information processing method |
CN103428235A (en) * | 2012-05-15 | 2013-12-04 | 上海博路信息技术有限公司 | Data exchange system |
CN103593602A (en) * | 2012-08-14 | 2014-02-19 | 深圳中兴网信科技有限公司 | User authorization management method and system |
CN103617485A (en) * | 2013-11-15 | 2014-03-05 | 中国航空无线电电子研究所 | Uniform authority management and deployment system |
CN106254075A (en) * | 2015-06-11 | 2016-12-21 | 佳能株式会社 | Certificate server system and method |
CN106998551A (en) * | 2016-01-25 | 2017-08-01 | 中兴通讯股份有限公司 | A kind of method, system, device and the terminal of application access authentication |
CN107426134A (en) * | 2016-05-23 | 2017-12-01 | 上海神计信息系统工程有限公司 | A kind of access control method based on relation |
CN107231346A (en) * | 2017-05-03 | 2017-10-03 | 北京海顿中科技术有限公司 | A kind of method of cloud platform identification |
US10270759B1 (en) * | 2017-06-21 | 2019-04-23 | Mesosphere, Inc. | Fine grained container security |
CN109587101A (en) * | 2017-09-29 | 2019-04-05 | 腾讯科技(深圳)有限公司 | A kind of digital certificate management method, device and storage medium |
CN108984415A (en) * | 2018-07-26 | 2018-12-11 | 郑州云海信息技术有限公司 | A kind of product use-case persistence maintenance system and management method |
CN109347855A (en) * | 2018-11-09 | 2019-02-15 | 南京医渡云医学技术有限公司 | Data access method, device, system, Electronic Design and computer-readable medium |
CN109327477A (en) * | 2018-12-06 | 2019-02-12 | 泰康保险集团股份有限公司 | Authentication method, device and storage medium |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110427767A (en) * | 2019-08-08 | 2019-11-08 | 北京阿尔山区块链联盟科技有限公司 | Assets recurrence authorization method and device |
CN111245656A (en) * | 2020-01-10 | 2020-06-05 | 浪潮商用机器有限公司 | Method and system for remote monitoring through mobile equipment |
CN111245656B (en) * | 2020-01-10 | 2023-04-07 | 浪潮商用机器有限公司 | Method and system for remote monitoring through mobile equipment |
WO2021169112A1 (en) * | 2020-02-28 | 2021-09-02 | 平安国际智慧城市科技股份有限公司 | Shared permission-based service data processing method, apparatus and device, and medium |
CN112347427A (en) * | 2020-09-30 | 2021-02-09 | 西安万像电子科技有限公司 | Authority management method and system |
CN112528337A (en) * | 2020-12-21 | 2021-03-19 | 中电福富信息科技有限公司 | WFP-based method for authorizing database high-risk commands in real time |
CN114465772A (en) * | 2021-12-30 | 2022-05-10 | 江苏慧眼数据科技股份有限公司 | Automation control equipment system and method |
Similar Documents
Publication | Title |
---|---|
CN110086813A (en) | Access right control method and device |
CN106612290B (en) | Cross-domain single sign-on method oriented to system integration |
KR102514325B1 (en) | Model training system and method, storage medium |
CN106850699B (en) | A kind of mobile terminal login authentication method and system |
CN110197058B (en) | Unified internal control security management method, system, medium and electronic device |
CN107172054B (en) | Authority authentication method, device and system based on CAS |
JP2022000757A5 (en) | |
CN110069908A (en) | A kind of authority control method and device of block chain |
WO2014004412A1 (en) | Identity risk score generation and implementation |
CN105812350B (en) | Cross-platform single sign-on system |
CN108632241B (en) | Unified login method and device for multiple application systems |
CN104506542A (en) | Security certification method and security certification system |
CN105577835B (en) | Cross-platform single sign-on system based on cloud computing |
US11757877B1 (en) | Decentralized application authentication |
CN109861968A (en) | Resource access control method, device, computer equipment and storage medium |
CN108881218B (en) | Data security enhancement method and system based on cloud storage management platform |
CN111031074A (en) | Authentication method, server and client |
CN110069909A (en) | It is a kind of to exempt from the close method and device for logging in third party system |
CN109962892A (en) | A kind of authentication method and client, server logging in application |
CN107566329A (en) | A kind of access control method and device |
CN107846676A (en) | Safety communicating method and system based on network section security architecture |
CN116415217A (en) | Instant authorization system based on zero trust architecture |
CN112187725A (en) | Cloud computing resource access method and device, service line service and gateway |
CN106603567B (en) | A kind of login management method and device of WEB administrator |
CN106982193A (en) | A kind of method and device of prevention batch registration |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20190802 |