CN110413372A - A kind of web services middleware extended method for supporting service security to mark - Google Patents
- Publication number: CN110413372A
- Authority
- CN
- China
- Prior art keywords
- service
- network resource
- mark
- user
- middleware
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING
  - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F21/60—Protecting data
      - G06F21/604—Tools and structures for managing or administering access control systems
  - G06F9/00—Arrangements for program control, e.g. control units
    - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
      - G06F9/44—Arrangements for executing specific programs
        - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
          - G06F9/45533—Hypervisors; Virtual machine monitors
            - G06F9/45558—Hypervisor-specific management and integration aspects
              - G06F2009/45595—Network integration; Enabling network access in virtual machine instances
  - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
      - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention discloses a web services middleware extension method that supports service security labels. The method comprises the following steps: 1) configure the service security label of the web services middleware, marking the service security attributes of the middleware; the label of the middleware includes a security level and a service category; 2) when the web services middleware receives a network resource request from a user, identify the service security label of the user and the service security label of the network resource the user requested; 3) check the service security label of the user against the service security label of the requested network resource; if the check passes, allow the network resource request to be executed and return the corresponding network resource; otherwise, refuse to execute the request; 4) add a service security label to the response message. The invention can efficiently perform fine-grained control and audit of user access behaviour.
Description
Technical Field
The invention relates to a web service middleware supporting a business security label, which provides functions of configuration, generation and identification aiming at the business security label, supports access control and audit based on the business security label, and belongs to the field of network space security.
Background
At present, when a user accesses a Web service, resource access control is implemented mainly on the basis of user identity and network resource information. Traditional Web service middleware does not support fine-grained management and control of the related access behaviour according to the service security attributes of the user or of the network resource. Functions such as fine-grained access control therefore have to be implemented inside each application program, and the security attributes of users have to be managed in the application as well, which raises the development cost of every application and reduces the flexibility with which access control can be implemented.
Disclosure of Invention
In a network system that uses service security labels, and in view of the problem that traditional Web service middleware does not support fine-grained management and control of network resources based on service security attributes, the invention aims to provide a Web service middleware extension method supporting service security labels. The method supports configuring the service security label of the middleware itself; it supports identifying the service security label of the user and the service security label of the requested resource, so that a user can access only those network resources that match the user's own service security attributes; and it supports adding the corresponding service security label to application layer protocol messages according to the label of the requested resource, so that other related systems can correctly understand the service security properties of the resource from the message alone.
In order to achieve the above object, the present invention provides a method for extending a Web service middleware supporting a service security label, which comprises the following steps:
Step 1: configure the service security label of the Web service middleware. Configure the label and mark the security level, service category and other service security attributes of the Web service middleware. The label can be configured by administrators, or configured automatically by a configuration module after it acquires the service security attribute information of the computing environment.
Step 2: identify the service security labels of the user and of the network resource. When a user requests a network resource, identify the service security label of the user carried in the request, which identifies service security attributes such as the security level and service category of the user; at the same time, identify the service security label of the requested network resource, which identifies service security attributes such as the security level and service category of the resource.
Step 3: management and control based on the service security label. Perform a matching check between the user's service security label and the network resource's service security label; if the check passes, allow the user request to be executed and return the network resource; otherwise, deny the user request.
Step 4: add a service security label to the response message. When the requested network resource is returned, the label generation module converts the service security label of the resource into the service security label of the response message (the converted response message thus carries the label), and adds the label to the extension field of the corresponding application layer protocol.
Preset information 1: the network resource (object) has a service security label indicating its security level, service type, operation control and other service security attributes.
Preset information 2: the access user has a service security label indicating the security level, service category and other service security attributes of the access user.
Fig. 1 shows a block diagram of an internal structure of a Web service middleware provided by the present invention, which includes: the system comprises a Web container module, a mark configuration module, a user mark identification module, a network resource mark identification module, a mark generation module and a management and control module.
The Web container module is used for receiving a user resource request, analyzing the request content and responding to the user network resource request; the mark configuration module is used for configuring a service safety mark for the web service middleware; the user mark identification module is used for identifying the service safety mark of the user in the web request; the network resource mark identification module identifies a service safety mark of the network resource; the mark generating module is used for converting the service security mark of the requested network resource into the service security mark of the response message and adding the mark into the extension field of the corresponding application layer protocol; the management and control module is used for controlling and auditing the network resource access behavior of the user.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a web service middleware supporting a business security mark, which supports the functions of configuration, generation and identification of the business security mark, supports the efficient fine-grained control and audit of user access behaviors based on the business security mark, and has the main advantages that:
1) the mark of the Web service middleware can be configured to indicate the ranges of security level, service category and the like of the network resources which are allowed to be processed by the Web service middleware;
2) performing fine-grained management and control or audit on user access behaviors by identifying service security marks of access users and network resources;
3) the addition of the service security label of the network resource to the response message can instruct other related systems to efficiently and directly understand the service security property of the resource according to the response message without resource data restoration.
Drawings
FIG. 1 is an architecture diagram of Web services middleware;
FIG. 2 is a flowchart of Web services middleware service security label identification;
FIG. 3 is a flow chart of Web service middleware management and control;
FIG. 4 is a flowchart of a Web services middleware service security label generation.
Detailed Description
The embodiments of the present invention will be described in conjunction with the accompanying drawings, and it should be understood that the embodiments described herein are only for the purpose of illustrating and explaining the present invention, and are not intended to limit the present invention.
Service security label definition:
The service security label $M$ is a multi-tuple of service security attributes, $M = \langle C, G, F \rangle$, where $C$ is the security level; $G = \{g_1, g_2, \dots, g_n\}$ is a set of service security attributes $g_i$, which may be service categories, work groups, roles, environmental requirements and the like; and $F = \{f_1, f_2, \dots, f_m\}$ is a set of operation-control attributes $f_j$, which may be operation attributes such as read/write control, print control, burn control and copy control.
The service security label of a network resource (object) is written $M(r) = \langle C_r, G_r, F_r \rangle$; the service security label of a system object, user, etc. (subject) is written $M(s) = \langle C_s, G_s \rangle$. Two relationships are possible between a subject label $M(s)$ and a network resource label $M(r)$: dominance and incomparability. $M(s)$ dominates $M(r)$, written $M(s) \geq M(r)$, when $C_s \geq C_r$ and a further condition on $G_s$ and $G_r$ holds (that condition is garbled in the source text); in that case the subject may access the object. If there is no dominance between $M(s)$ and $M(r)$, the labels are incomparable and the subject may not access the object. In addition, any subject must restrict its corresponding operations on the resource according to the specific operation-control attributes $f_j$ contained in the label.
Preset information 1: the network resource (object) has a service security label written $M(r) = \langle C_r, G_r, F_r \rangle$, which indicates the service security attributes of the resource, such as security level, service category and operation control.
Preset information 2: the access user has a service security label $M(u) = \langle C_u, G_u \rangle$, which indicates the service security attributes of the user, such as security level and service category.
The embodiment of the invention is divided into 4 steps, namely label configuration, label identification, label generation and management and control.
Step 1: configure the service security label of the Web service middleware (subject), written $M(o) = \langle C_o, G_o \rangle$, which indicates the security level, service category and other service security attributes of the middleware. The label configuration module is invoked when the Web container is initialised, so that the middleware's label can either be configured manually by an administrator or be configured automatically by the configuration module after it acquires the service security attribute information of the environment in which it is located. The specific steps are as follows:
S101: after the Web service middleware is initialised, load the Web container module, the label configuration module, the user label identification module, the network resource label identification module, the label generation module and the management and control module;
S102: if the administrator has provided a local configuration file, the label configuration module reads the local configuration file, parses the service security attribute information from it, and configures the service security label $M(o)$ of the web service middleware to which it belongs;
S103: if the administrator has not provided a local configuration file, the label configuration module automatically acquires the service security attribute information of the computing environment and configures the service security label $M(o)$ of the web service middleware to which it belongs.
Step 2: identify the service security labels. Label identification is performed by the access user label identification module and the network resource label identification module. The specific method for identifying the service security label $M(u)$ of the access user and the service security label $M(r)$ of the network resource is shown in Fig. 2, and the specific steps are:
S201: start the Web service;
S202: after receiving the Web request, the Web container module calls the user label identification module to obtain the service security label $M(u)$ of the access user;
S203: after receiving the Web request, the Web container calls the network resource label identification module to obtain the service security label $M(r)$ of the network resource;
S204: send the labels $M(u)$ and $M(r)$ to the service security label management and control module.
Step 3: management and control based on the service security label. The main function of management and control is to perform a matching check between the service security label $M(u)$ of the access user and the service security label $M(r)$ of the network resource named in the request. If $M(u) \geq M(r)$, the check passes and the network resource is returned; otherwise, the request is denied. The specific method is shown in Fig. 3 and comprises the following steps:
S301: the management and control module receives the service security label $M(u)$ of the access user and the service security label $M(r)$ of the requested network resource;
S302: perform a matching check on $M(u)$ and $M(r)$;
S303: if $M(o) \geq M(r)$ and $M(u) \geq M(r)$, the matching check passes and user access is allowed; otherwise, the access request is rejected;
S304: the management and control module records the log.
Step 4: generate the service security label of the response message. The label generation module converts the service security label $M(r)$ of the requested network resource into the service security label of the response message and adds it to the extension field of the corresponding application layer protocol. The specific method is shown in Fig. 4 and comprises the following steps:
S401: the Web container calls the label generation module;
S402: the label generation module obtains the service security label $M(r)$ of the requested network resource;
S403: convert $M(r)$ into the service security label of the response message and add it to the extension field of the application layer protocol;
S404: the Web service middleware returns the response message to the user.
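As an added example that is not part of the patent, the following Python models the label definition $M = \langle C, G, F \rangle$ from the Detailed Description together with the checks of Steps 2 to 4 (S202/S203, S303/S304, S403). It assumes that dominance also requires $G_s \supseteq G_r$ (only the $C$ condition survives on the page), that the application-layer extension field is a hypothetical HTTP header named X-Biz-Label, and a constructed wire format "level=2;groups=finance;ops=read".

```python
# Added example, not the patent's own code: a minimal model of the business
# security label M = <C, G, F> and of the middleware flow in Steps 2-4.
# Assumptions not stated on the page: dominance M(s) >= M(r) is taken to be
# C_s >= C_r AND G_s is a superset of G_r; labels travel in a hypothetical
# HTTP header X-Biz-Label using the constructed format "level=2;groups=a,b;ops=read".
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Label:
    level: int                         # C: security level
    groups: FrozenSet[str]             # G: service security attributes g_i
    ops: FrozenSet[str] = frozenset()  # F: operation-control attributes f_j

    def dominates(self, other: "Label") -> bool:
        """M(self) >= M(other). The superset test on G is an assumption."""
        return self.level >= other.level and self.groups >= other.groups


def parse_label(text: str) -> Optional[Label]:
    """Parse the constructed wire format; return None on anything malformed
    so that a missing or unparseable label fails closed in handle()."""
    fields: Dict[str, str] = {}
    for part in filter(None, text.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = value.strip()
    try:
        level = int(fields["level"])
    except (KeyError, ValueError):
        return None
    groups = frozenset(g for g in fields.get("groups", "").split(",") if g)
    ops = frozenset(o for o in fields.get("ops", "").split(",") if o)
    return Label(level, groups, ops)


def format_label(label: Label) -> str:
    """Inverse of parse_label; members are sorted so the output is deterministic."""
    return "level=%d;groups=%s;ops=%s" % (
        label.level, ",".join(sorted(label.groups)), ",".join(sorted(label.ops)))


@dataclass
class Middleware:
    own_label: Label                                      # M(o), configured in Step 1
    resources: Dict[str, Tuple[Label, bytes]]             # path -> (M(r), body)
    audit_log: List[str] = field(default_factory=list)   # S304 log records

    def handle(self, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        # Step 2: identify M(u) from the request (S202) and M(r) for the resource (S203).
        user_label = parse_label(headers.get("X-Biz-Label", ""))
        entry = self.resources.get(path)
        if entry is None:
            self.audit_log.append("NOTFOUND path=%s" % path)
            return 404, {}, b""
        res_label, body = entry
        # Step 3 (S303): allow only if M(o) >= M(r) and M(u) >= M(r); otherwise deny.
        allowed = (user_label is not None
                   and self.own_label.dominates(res_label)
                   and user_label.dominates(res_label))
        self.audit_log.append("%s path=%s user=%s resource=%s" % (
            "ALLOW" if allowed else "DENY", path,
            format_label(user_label) if user_label is not None else "<none>",
            format_label(res_label)))
        if not allowed:
            return 403, {}, b""
        # Step 4 (S403): copy M(r) into the response's extension field.
        return 200, {"X-Biz-Label": format_label(res_label)}, body


def build_demo() -> Middleware:
    """Constructed sample deployment: middleware label M(o) and three labelled resources."""
    own = Label(level=2, groups=frozenset({"finance", "hr"}))
    resources = {
        "/report": (Label(2, frozenset({"finance"}), frozenset({"read"})), b"quarterly figures"),
        "/public": (Label(0, frozenset()), b"hello"),
        "/board": (Label(4, frozenset({"finance"})), b"above the middleware's own level"),
    }
    return Middleware(own, resources)


if __name__ == "__main__":
    mw = build_demo()
    print(mw.handle("/report", {"X-Biz-Label": "level=3;groups=finance"}))  # 200
    print(mw.handle("/report", {"X-Biz-Label": "level=1;groups=finance"}))  # 403
    print(mw.handle("/board", {"X-Biz-Label": "level=5;groups=finance"}))   # 403: M(o) < M(r)
    for line in mw.audit_log:
        print(line)
```

The /board case shows why S303 checks $M(o)$ as well as $M(u)$: a resource above the middleware's own configured level is refused even to a user whose label would dominate it.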
Although specific details of the invention, algorithms and figures are disclosed for illustrative purposes, these are intended to aid in the understanding of the contents of the invention and the implementation in accordance therewith, as will be appreciated by those skilled in the art: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed herein, but rather should be defined only by the scope of the appended claims.
Claims (8)
1. A web service middleware extension method supporting business security marks comprises the following steps:
1) configuring a business safety mark of the Web service middleware, and marking the business safety attribute of the Web service middleware; the service safety mark of the Web service middleware comprises a safety level and a service type;
2) when receiving a network resource request of a user, the web service middleware identifies a service security label of the user and a service security label of the network resource requested by the user; the service security label of the user comprises the security level and the service type of the user, and the service security label of the network resource comprises the security level and the service type of the network resource;
3) matching check is carried out on the service security mark of the user and the service security mark of the requested network resource, if the check is passed, the network resource request is allowed to be executed, and the corresponding network resource is returned; otherwise, the network resource request is refused to be executed.
2. The method as claimed in claim 1, wherein in step 3), when the network resource is returned, the service security label of the returned network resource is converted into the service security label of the response message and added to the extension field of the corresponding application layer protocol.
3. The method according to claim 1 or 2, characterized in that the service security label of the network resource further comprises operation control information.
4. The method of claim 1, wherein the business security label of the web service middleware is configured by a manager, or is automatically configured after the configuration module acquires the business security attribute information of the computing environment where the web service middleware is located.
5. A Web service middleware supporting a business security mark is characterized by comprising a Web container module, a mark configuration module, a user mark identification module, a network resource mark identification module, a mark generation module and a management and control module; wherein,
the mark configuration module is used for configuring the business safety mark of the web service middleware; the service safety mark of the Web service middleware comprises a safety level and a service type;
the user mark identification module is used for identifying the service safety mark of the user; the service security mark of the user comprises the security level and the service category of the user;
the network resource mark identification module is used for identifying a service safety mark of the network resource; the service security label of the network resource comprises the security level and the service category of the network resource;
the Web container module is used for receiving the network resource request of the user, analyzing the network resource request content and responding to the network resource request of the user;
the mark generating module is used for converting the service safety mark of the requested network resource into the service safety mark of the response message and adding the service safety mark into the extension field of the corresponding application layer protocol;
the management and control module is used for matching and checking the service security mark of the user and the service security mark of the requested network resource, and if the check is passed, the management and control module allows the network resource request to be executed and returns the corresponding network resource; otherwise, the network resource request is refused to be executed.
6. The Web services middleware of claim 5, wherein when a network resource is returned, the service security label of the returned network resource is converted into the service security label of the response message and added to the extension field of the corresponding application layer protocol.
7. The Web services middleware of claim 5, wherein the service security label of the network resource further includes operation control information.
8. The Web services middleware of claim 5 in which the configuration module automatically configures the business security label of the Web services middleware after obtaining the business security attribute information of the computing environment in which the Web services middleware resides.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910536187.XA CN110413372A (en) | 2019-06-20 | 2019-06-20 | A kind of web services middleware extended method for supporting service security to mark |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110413372A true CN110413372A (en) | 2019-11-05 |
Family
ID=68359405
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910536187.XA Pending CN110413372A (en) | 2019-06-20 | 2019-06-20 | A kind of web services middleware extended method for supporting service security to mark |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110413372A (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050114789A1 (en) * | 2003-11-24 | 2005-05-26 | Hung-Yang Chang | Method and system for collaborative web browsing |
CN102355657A (en) * | 2011-06-28 | 2012-02-15 | 成都市华为赛门铁克科技有限公司 | Service access control method, device and system |
CN102413198A (en) * | 2011-09-30 | 2012-04-11 | 山东中创软件工程股份有限公司 | Security-marker-based access control method and related system |
CN102495989A (en) * | 2011-12-21 | 2012-06-13 | 北京诺思恒信科技有限公司 | Subject-label-based access control method and system |
CN103248485A (en) * | 2013-04-24 | 2013-08-14 | 中国南方电网有限责任公司 | Security label-based power secondary system access control method and system |
CN103974248A (en) * | 2013-01-24 | 2014-08-06 | 中国移动通信集团公司 | Terminal security protection method, device and system in ability open system |
US20140281501A1 (en) * | 2013-03-13 | 2014-09-18 | Samsung Electronics Co., Ltd. | Application access control method and electronic apparatus implementing the same |
CN105991626A (en) * | 2015-03-06 | 2016-10-05 | 小米科技有限责任公司 | Network access method and network access device |
CN108183915A (en) * | 2018-01-15 | 2018-06-19 | 中国科学院信息工程研究所 | It is a kind of to realize frame towards the safety label of high safety grade business and application demand |
CN108520177A (en) * | 2018-04-11 | 2018-09-11 | 厦门美图移动科技有限公司 | Application software management method and device, mobile terminal and readable storage medium |
CN109656884A (en) * | 2018-12-14 | 2019-04-19 | 郑州云海信息技术有限公司 | A kind of method and device accessing file |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20191105 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |