CN110750766B - Authority verification method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN110750766B
Application number: CN201910968967.1A
Authority: CN (China)
Prior art keywords: authority, interface, organization, identifier, tree
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN110750766A (en)
Inventor: 杨霄
Current assignee: Shenzhen Ping An Medical Health Technology Service Co Ltd
Original assignee: Shenzhen Ping An Medical Health Technology Service Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication

Abstract

The application relates to data analysis technology and provides a permission verification method, a permission verification device, computer equipment and a storage medium. The method comprises the following steps: receiving, through an interface, an authority verification request sent by an application system when the application system obtains a service request, the authority verification request carrying an interface key and a user identifier; authenticating the interface calling authority according to the interface identifier corresponding to the interface and the interface key; when the authentication passes, determining the corresponding role identifier according to the user identifier; querying a preconfigured node operation tree and an organization tree according to the role identifier to obtain the user authority corresponding to the user identifier; and feeding the user authority back to the application system through the interface, the fed-back user authority instructing the application system to respond to the service request according to that user authority. By adopting the method, the cost of authority verification can be reduced.

Description

Authority verification method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for verifying a permission, a computer device, and a storage medium.
Background
With the development of computer technology, application systems that integrate a service processing function with an authority verification function have appeared; through them people can transact online services without leaving home, which brings great convenience to daily life. Such application systems usually differ in infrastructure, coding style, application resource types and so on, so a dedicated permission verification function module has to be developed and designed for each application system to authenticate user permission before service processing, which increases the development and maintenance cost of those modules. Moreover, the service processing function module and the authority verification function module within an application system are tightly coupled and must be updated in step, which further increases the maintenance cost of the application system. The traditional authority verification method therefore suffers from a high cost of authority verification.
Disclosure of Invention
In view of the above technical problems, it is necessary to provide a method, an apparatus, a computer device and a storage medium for rights verification that can reduce the cost of rights verification.
A method of rights verification, the method comprising:
receiving an authority verification request sent by an application system through an interface when the application system obtains a service request; the authority verification request carries an interface key and a user identifier;
performing interface calling authority authentication according to the interface identifier corresponding to the interface and the interface key;
when the authentication is passed, determining a corresponding role identifier according to the user identifier;
inquiring a preconfigured node operation tree and an organization tree according to the role identifier to obtain a user authority corresponding to the user identifier;
feeding back the user authority to the application system through the interface; and the fed back user authority is used for indicating the application system to respond to the service request according to the user authority.
In one embodiment, querying a preconfigured node operation tree and an organization tree according to the role identifier to obtain the user authority corresponding to the user identifier includes:
querying the node identifier corresponding to the role identifier from the preconfigured node operation tree, and determining the operation authority corresponding to that node identifier;
querying the organization identifier corresponding to the role identifier from the preconfigured organization tree, and determining the data authority corresponding to the user identifier according to the organization label corresponding to that organization identifier or the position of that organization identifier in the organization tree;
and obtaining the user authority corresponding to the user identifier from the operation authority and the data authority.
In one embodiment, the step of configuring the node operation tree includes:
constructing a node tree comprising at least one node;
acquiring an operation item to be configured, and associating the operation item with the node to obtain an operation authority corresponding to the node;
establishing a corresponding relation between the node and the role identifier to be configured;
and configuring according to the node tree, and the operation authority and the role identifier corresponding to each node in the node tree to obtain the node operation tree.
In one embodiment, the step of configuring the organization tree comprises:
acquiring a configuration file; the configuration file comprises the role identifier to be configured, a plurality of organization identifiers, the association relations among the organization identifiers, and the organization label corresponding to each organization identifier;
constructing an organization tree according to the organization identifiers and the association relations among them;
determining the data authority corresponding to each organization identifier according to the organization label corresponding to that organization identifier or its position in the organization tree;
establishing a corresponding relation between the role identifier and the organization identifiers;
and obtaining the configured organization tree according to the organization tree and the data authority and role identifier corresponding to each organization identifier in it.
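The following is an added example and not code from the patent or its applicant. It implements the method steps above (interface key authentication, role lookup, node operation tree query for the operation authority, organization tree query for the data authority, and the application system's use of the fed-back user authority) over a small preconfigured node operation tree and organization tree of the kind the configuration steps describe. Every identifier, key, tree and role mapping is constructed for the example; the assumption that a role associated with a node also covers that node's descendants (the file-directory analogy) and that the data authority is derived from the position of the role's organization are choices made here, not details the patent fixes.

```python
# Added example, not code from the patent: a minimal permission verification
# service that follows the method above. Every identifier, key and tree here is
# constructed for the example.
import hmac

# Interface identifier -> standard interface key preconfigured for that interface.
# Constructed key; compared in constant time so the comparison does not leak
# how many leading characters matched.
STANDARD_INTERFACE_KEYS = {"iface-crm": "k-3f9a7c"}

# Node operation tree: parent node -> child nodes, plus the operation items
# associated with each node (a node with its items forms the operation authority).
NODE_TREE = {"root": ["customers", "orders"], "customers": ["contracts"],
             "contracts": [], "orders": []}
NODE_OPERATIONS = {"customers": {"view", "modify"}, "contracts": {"view", "export"},
                   "orders": {"view", "add", "delete"}}
# Role identifier -> node identifiers the role is associated with.
ROLE_NODES = {"auditor": ["customers"], "sales-admin": ["orders", "customers"]}

# Organization tree: parent organization -> child organizations, with labels.
ORG_TREE = {"company": ["east", "west"], "east": ["east-sales"],
            "east-sales": [], "west": []}
ORG_LABELS = {"east": {"region": "east"}, "east-sales": {"region": "east", "job": "sales"}}
# Role identifier -> organization identifiers the role is associated with.
ROLE_ORGS = {"auditor": ["company"], "sales-admin": ["east-sales"]}

# User identifier -> role identifiers (one user may hold several roles).
USER_ROLES = {"u-1001": ["auditor"], "u-1002": ["sales-admin"]}


def subtree(tree, node_id):
    """Identifiers at or below node_id, i.e. its position in the tree."""
    found, stack = [], [node_id]
    while stack:
        current = stack.pop()
        found.append(current)
        stack.extend(tree.get(current, []))
    return found


def authenticate_interface(interface_id, interface_key):
    """Interface calling authority: compare the presented key with the standard key."""
    standard = STANDARD_INTERFACE_KEYS.get(interface_id)
    if standard is None:
        return False
    return hmac.compare_digest(standard.encode(), interface_key.encode())


def operation_authority(role_ids):
    """Node operation tree query: node identifier -> operation items.
    Assumption: a role associated with a node also covers the node's descendants,
    each with its own operation items (the file-directory analogy)."""
    authority = {}
    for role in role_ids:
        for node in ROLE_NODES.get(role, []):
            for n in subtree(NODE_TREE, node):
                authority.setdefault(n, set()).update(NODE_OPERATIONS.get(n, set()))
    return authority


def data_authority(role_ids):
    """Organization tree query: the organizations at and below the role's
    organization (its position in the tree) and the labels of those organizations."""
    orgs = set()
    for role in role_ids:
        for org in ROLE_ORGS.get(role, []):
            orgs.update(subtree(ORG_TREE, org))
    labels = {}
    for org in orgs:
        for key, value in ORG_LABELS.get(org, {}).items():
            labels.setdefault(key, set()).add(value)
    return {"organizations": orgs, "labels": labels}


def verify_permission(interface_id, interface_key, user_id):
    """Reject unauthenticated callers before touching any user data; otherwise
    resolve the user's roles and query both trees for the user authority."""
    if not authenticate_interface(interface_id, interface_key):
        return None
    roles = USER_ROLES.get(user_id, [])
    return {"operation": operation_authority(roles), "data": data_authority(roles)}


def application_allows(user_authority, node_id, operation, org_id):
    """Application side: the service request names an operation object, an
    operation item and the organization whose data it touches."""
    if user_authority is None:
        return False
    return (operation in user_authority["operation"].get(node_id, set())
            and org_id in user_authority["data"]["organizations"])


if __name__ == "__main__":
    ua = verify_permission("iface-crm", "k-3f9a7c", "u-1002")
    print(application_allows(ua, "orders", "delete", "east-sales"))  # True
    print(application_allows(ua, "orders", "delete", "west"))        # False
```

The verification side returns `None` without consulting the role table when the interface key fails, so a caller that has not proven its interface calling authority learns nothing about which user identifiers exist; the application system then checks both halves of the user authority (the operation item on the operation object, and the organization whose data is touched) before acting on the service request.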
In one embodiment, after receiving the permission verification request sent by the application system through the interface, the method further includes:
acquiring the number of calls made to the interface within a preset time period;
when the number of calls is less than the preset number of calls, continuing with the step of authenticating the interface calling authority according to the interface identifier corresponding to the interface and the interface key;
and refusing to respond to the permission verification request when the number of calls is greater than or equal to the preset number of calls.
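The call budget in this embodiment, as an added example that is not the patent's code: a sliding window per interface identifier over the preset time period, where a request is admitted to interface key authentication only while the count is below the preset number of calls and is refused once the count reaches it. The period, the limit and the interface identifiers are constructed values, and the current time is passed in by the caller rather than read from a clock so the behaviour is deterministic.

```python
# Added example, not code from the patent: the per-interface call budget of the
# embodiment above, kept as a sliding window over a preset time period.
# The period, the limit and the interface identifiers are constructed values.
from collections import defaultdict, deque

PRESET_PERIOD_SECONDS = 60.0   # preset time period (constructed)
PRESET_CALLING_TIMES = 3       # preset number of calls per interface (constructed)


class InterfaceCallLimiter:
    """Counts calls per interface identifier inside the preset period.
    `now` is supplied by the caller so the logic is deterministic and testable."""

    def __init__(self, period=PRESET_PERIOD_SECONDS, limit=PRESET_CALLING_TIMES):
        self.period = period
        self.limit = limit
        self._calls = defaultdict(deque)   # interface id -> timestamps in the window

    def calling_times(self, interface_id, now):
        """Calls to this interface within the preset period ending at `now`."""
        window = self._calls[interface_id]
        while window and now - window[0] >= self.period:
            window.popleft()               # drop calls that fell out of the period
        return len(window)

    def admit(self, interface_id, now):
        """True: the request proceeds to interface key authentication.
        False: the count reached the preset value, so the request is refused."""
        if self.calling_times(interface_id, now) >= self.limit:
            return False
        self._calls[interface_id].append(now)
        return True


def handle_verification_request(limiter, interface_id, now):
    """Outcome of the admission step for one received permission verification request."""
    return "authenticate" if limiter.admit(interface_id, now) else "refused"
```

Because the count is keyed by interface identifier and checked before the key comparison, a burst of requests against one application system's interface is refused without spending key comparisons or tree queries on it, and it cannot consume the budget of another application system's interface.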
In one embodiment, the method further comprises:
acquiring a login request corresponding to a user identifier; the login request carries a user account and a password;
authenticating the user account and the password according to the user identification;
and when the authentication is passed, logging in a plurality of pre-configured application systems according to the user account and the password.
In one embodiment, the method further comprises:
acquiring a configuration request corresponding to an application system;
establishing an authority space corresponding to the application system according to the configuration request, and configuring a node operation tree and an organization tree corresponding to the application system;
storing the configured node operation tree and organization tree to the permission space;
and generating an interface corresponding to the permission space and an interface key corresponding to the interface, and determining the interface key as the interface key corresponding to the application system.
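Handling the configuration request above, as an added example that is not the patent's code: a permission space is created for the application system with its node operation tree and organization tree, an interface identifier and interface key are generated for it, and the verification side stores only a hash of the key so that a copy of its configuration store does not yield usable interface keys. The names, the tree contents and the choice of SHA-256 plus an OS-seeded random key are assumptions made for this example.

```python
# Added example, not code from the patent: handling a configuration request by
# creating a permission space, its interface and the interface key. Names and
# trees are constructed; only a hash of the key is kept on the verification side.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PermissionSpace:
    application_system: str
    node_operation_tree: dict
    organization_tree: dict
    interface_id: str
    key_hash: bytes        # SHA-256 of the interface key; the key itself is not stored


SPACES = {}                # interface identifier -> PermissionSpace


def hash_interface_key(interface_key):
    """Digest under which an interface key is stored and compared."""
    return hashlib.sha256(interface_key.encode()).digest()


def configure_application_system(application_system, node_operation_tree, organization_tree):
    """Build the permission space and generate the interface plus its key.
    Returns (interface_id, interface_key); the plaintext key is handed to the
    application system once and is not retained here."""
    interface_id = "iface-" + secrets.token_hex(4)
    interface_key = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SPACES[interface_id] = PermissionSpace(
        application_system, node_operation_tree, organization_tree,
        interface_id, hash_interface_key(interface_key))
    return interface_id, interface_key


def space_for_call(interface_id, presented_key):
    """Permission space an authenticated interface call maps to, or None when
    the interface is unknown or the presented key does not match."""
    space = SPACES.get(interface_id)
    if space is None:
        return None
    if not hmac.compare_digest(space.key_hash, hash_interface_key(presented_key)):
        return None
    return space
```

Binding the stored trees to the interface identifier means a later permission verification request can only be evaluated against the node operation tree and organization tree of the application system whose key it presents; a key issued for one permission space cannot select another.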
An authorization verification device, the device comprising:
the receiving module is used for receiving an authority verification request sent by an application system through an interface when the application system obtains a service request; the authority verification request carries an interface key and a user identifier;
the authentication module is used for authenticating the interface calling authority according to the interface identifier corresponding to the interface and the interface key;
the authentication module is also used for determining a corresponding role identifier according to the user identifier when the authentication is passed;
the query module is used for querying a preconfigured node operation tree and an organization tree according to the role identifier to obtain a user authority corresponding to the user identifier;
the feedback module is used for feeding back the user authority to the application system through the interface; and the fed back user authority is used for indicating the application system to respond to the service request according to the user authority.
A computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the authorization verification method in the above embodiments when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the rights verification method described in the above-mentioned embodiments.
According to the permission verification method, the permission verification device, the computer equipment and the storage medium, after a permission verification request sent by an application system when the application system obtains a service request is received through an interface, the interface calling permission of the application system is authenticated according to an interface identifier corresponding to the interface and an interface key in the permission verification request, when the authentication is passed, a preconfigured node operation tree and an organization tree are inquired according to a role identifier corresponding to a user identifier so as to obtain the user permission corresponding to the user identifier, and the user permission is fed back to the corresponding application system, so that the application system responds to the obtained service request according to the received user permission. Therefore, the authority verification function module and the service processing function module of the application system are decoupled, so that the maintenance cost of the service processing function module can be reduced, and the authority verification cost can be reduced. Moreover, the permission verification function modules of the application systems are integrated, the permission verification design of the application systems can be realized by configuring the node operation tree, the organization tree and the corresponding interfaces, the corresponding permission verification function modules do not need to be developed and maintained for each application system, and the permission verification cost can be further reduced.
Drawings
FIG. 1 is a diagram of an embodiment of a method for rights verification;
FIG. 2 is a flowchart illustrating a method for rights verification according to one embodiment;
FIG. 3 is a flowchart illustrating a method for rights verification in another embodiment;
FIG. 4 is a block diagram showing the construction of a right verifying apparatus according to an embodiment;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The authority verification method provided by the application can be applied to the application environment shown in fig. 1, in which the application server 102 and the authorization verification server 104 communicate via a network. The application servers 102 include at least a first application server 102a and a second application server 102b. An application system is deployed on the application server 102, and an authority verification system is deployed on the authority verification server 104. The permission verification system receives, through an interface, a permission verification request carrying an interface key and a user identifier that the application system sends when it obtains a service request; authenticates the application system's interface calling permission according to the interface identifier corresponding to the interface and the interface key; when the authentication passes, queries a preconfigured node operation tree and an organization tree according to the role identifier corresponding to the user identifier to obtain the user permission corresponding to the user identifier; and feeds the user permission back to the application system through the corresponding interface, so that the application system responds to the obtained service request according to the user permission. The application server 102 and the authority verification server 104 may each be implemented as a separate server or as a server cluster composed of a plurality of servers.
In one embodiment, the number of application servers 102 in the application environment is only an example and is not intended to limit the number of application servers. In a particular case, the number of application servers may be 1.
In one embodiment, as shown in fig. 2, a method for rights verification is provided, which is described by taking the method as an example applied to the rights verification server in fig. 1, and includes the following steps:
S202, receiving, through an interface, an authority verification request sent by an application system when the application system obtains a service request; the permission verification request carries an interface key and a user identifier.
The permission verification request is a request that triggers a permission verification operation. It carries an interface key and a user identifier. The interface key is the credential with which the application system is permitted to call the interface; specifically it may be a character string composed of at least one kind of character, such as digits, letters or symbols. The user identifier uniquely identifies a user, specifically the target object that triggered the permission verification request. The user identifier is a character string composed of at least one kind of character such as digits, letters or symbols, and specifically may be a string that uniquely identifies the user, such as a user number or an identification number.
Specifically, when the application system acquires a service request, it generates an authority verification request from the acquired service request and sends it to the authority verification system through a preconfigured interface. The permission verification system receives the permission verification request sent through the interface and parses it to obtain the interface key and the user identifier, so that interface calling permission authentication can be carried out based on the interface key and permission verification based on the user identifier.
In one embodiment, an application system receives a service request corresponding to a user identifier sent by a terminal, acquires a pre-stored interface key from a local according to the received service request, and generates a corresponding permission verification request according to the interface key and the user identifier. It can be understood that the terminal detects a preset trigger operation of the user, and generates a service request according to the detected preset trigger operation trigger.
In one embodiment, the application system acquires a user identifier and an interface to be called corresponding to a user and an interface key corresponding to the interface to be called according to the acquired service request, generates an authorization verification request according to the acquired interface key and the user identifier, and sends the generated authorization verification request to the authorization verification system through the interface to be called.
In one embodiment, the authorization verification request carries an interface identifier, an interface key, and a user identifier. And the authority verification system analyzes the authority verification request to obtain an interface identifier, an interface key and a user identifier.
In one embodiment, the permission verification request carries the operation objects, the operation items corresponding to each operation object, the interface key and the user identifier, so that whether the user corresponding to the user identifier has the operation permission specified by the operation item to the operation object or not is verified under the condition that the application system is authenticated to have the interface calling permission according to the interface key.
And S204, authenticating the interface calling authority according to the interface identifier and the interface key corresponding to the interface.
The interface identifier is used to uniquely identify the interface, and may be a character string composed of at least one of numbers, letters, symbols, and the like.
Specifically, after receiving the permission verification request, the permission verification system determines the interface identifier corresponding to the interface that received the request, and parses the request to obtain the interface key and the user identifier. The authority verification system looks up the preconfigured standard interface key according to the determined interface identifier and compares it with the parsed interface key so as to authenticate the interface calling authority of the application system that sent the request, obtaining the authentication result of the interface calling authority from the comparison result. When the standard interface key matches the parsed interface key, the authority verification system judges that the application system has passed interface calling authority authentication; otherwise it judges that the authentication has failed.
In one embodiment, the authorization verification system is locally preconfigured with the interface identifier corresponding to each interface and the standard interface key corresponding to each interface identifier. After receiving the permission verification request through the interface, the permission verification system acquires from local storage the interface identifier corresponding to the interface and the standard interface key corresponding to that interface identifier.
In one embodiment, the permission verification system parses the received permission verification request to obtain the interface identifier corresponding to the interface, and looks up the preconfigured standard interface key according to the parsed interface identifier.
In one embodiment, the rights verification server is preconfigured with a respective standard interface key for each interface. When the application system calls the interface, namely when the application system sends an authority verification request through the interface, the authority verification system obtains a standard interface key pre-configured for the interface, and authenticates whether the application system has the interface calling authority for calling the interface according to the standard interface key and the interface key sent by the application system, so as to correspondingly process the authority verification request according to an authentication result.
S206, when the authentication is passed, determining the corresponding role identification according to the user identification.
The role identifier uniquely identifies a role and may be a character string composed of at least one kind of character such as digits, letters or symbols. A role is an abstraction of objects that share specific behavioural characteristics or permissions, such as an audit role or an administrative role.
Specifically, when the standard interface key corresponding to the interface identifier matches the parsed interface key, that is, when the application system passes interface calling authority authentication, the authority verification system looks up the corresponding role identifier according to the user identifier parsed from the authority verification request.
In one embodiment, the authority verification system locally pre-stores the correspondence between user identifiers and role identifiers, and determines the role identifier corresponding to the parsed user identifier from that pre-stored correspondence.
In one embodiment, one user identifier may correspond to a plurality of role identifiers. And when the authentication is passed, the authority verification system inquires corresponding one or more role identifications according to the user identification obtained by analysis.
In one embodiment, the privilege verification system is preconfigured with multiple interfaces for the application system, each with its own privilege verification logic. The application system obtains different kinds of authority verification by calling different interfaces. When the application system passes interface calling authority authentication, the authority verification system determines the role identifier corresponding to the user identifier according to the interface identifier of the interface that received the authority verification request. For example, when the verification logic of the interface is to obtain all roles of the user, the authority verification system determines all role identifiers corresponding to the user identifier; when the verification logic of the interface is to obtain the user's authority over a specific operation object, it determines the role identifier corresponding to that specific operation object according to the user identifier.
And S208, querying the preconfigured node operation tree and organization tree according to the role identifier to obtain the user authority corresponding to the user identifier.
The node operation tree is a node tree comprising a plurality of nodes and the operation authority corresponding to each node. It is a tree structure in which a node can be understood as an operation object; a node together with an operation item forms the operation authority corresponding to that node. Operation items are operation contents common to all application systems, such as adding, modifying, deleting, updating, checking or exporting, with the corresponding operation authorities being the adding, modifying, deleting, updating, checking or exporting authority. The node operation tree is analogous to a file system tree: its tree structure corresponds to the directory hierarchy, a node corresponds to a file, and the operation authority corresponds to the permissions on that file.
An organization tree is a tree that includes a plurality of organizations and the organization label corresponding to each organization. It is a tree structure in which each organization is a node, which can be understood as an organization node. An organization label describes or characterizes an organization, for example a region or a job attribute: if the organization is a sales team, its label may be "east region". The organization tree is analogous to a company's organizational chart: its nodes are the organizations or teams in the organizational structure, and the organization labels are job attributes such as profession, educational background and skill; they may also include the positions held by the employees of an organization.
The user authority represents the operation or data authority of the user over an operation object and specifically may include an operation authority and a data authority. The operation authority represents control over an action, and the data authority represents control over a resource. For example, user A has the right to perform the action "transfer" on a bank account, which is an operation authority; user A may only operate user A's own bank card and has no authority over other people's bank cards, which is a data authority.
Specifically, the authority verification system queries a preconfigured node operation tree according to a role identifier corresponding to the user identifier, and obtains an operation authority corresponding to the user identifier. And the authority verification system queries a pre-configured organization tree according to the role identifier corresponding to the user identifier to obtain the data authority corresponding to the user identifier. And the authority verification system obtains the user authority corresponding to the user identification according to the operation authority and the data authority.
In one embodiment, the permission verification system is preconfigured with a node operation tree and an organization tree for each application system, associates nodes in the node operation tree with roles, and associates organizations in the organization tree with roles. By querying the node operation tree with the role identifier, the authority verification system obtains the operation authority corresponding to the associated nodes; by querying the organization tree with the role identifier, it obtains the data authority corresponding to the associated organizations or to users within those organizations; and from the queried operation authority and data authority it obtains the user authority corresponding to the user identifier. Each application system may have one or more organization trees.
In one embodiment, the rights verification system is preconfigured with a respective interface for each application system. When an authority verification request is received through an interface and authentication determines that the application system holds the interface calling authority for that interface, the authority verification system calls the interface function preconfigured for the interface to perform the authority verification, that is, the interface function queries the node operation tree and the organization tree according to the role identifier corresponding to the user identifier to obtain the user authority.
In one embodiment, the privilege verification system is preconfigured with the same interface for multiple application systems. When the application system passes interface calling authority authentication, the authority verification system queries the node operation tree and organization tree preconfigured for that application system and obtains the user authority corresponding to the user identifier from them according to the role identifier corresponding to the user identifier.
S210, feeding back the user right to an application system through an interface; and the fed back user authority is used for indicating the application system to respond to the service request according to the user authority.
Specifically, after acquiring the user right corresponding to the user identifier, the right verification system feeds the acquired user right back to the application system through the corresponding interface. And after receiving the user authority fed back by the authority verification system, the application system obtains the operation authority and the data authority corresponding to the user identifier according to the received user authority, and responds to the acquired service request according to the operation authority and the data authority.
In one embodiment, the application system obtains the operation object and the operation item specified in the service request corresponding to the permission verification request, and verifies, according to the operation permission and the data permission in the user permission, whether the user has permission for that operation object and operation item. When the verification passes, the user has the operation authority specified by the operation item for the operation object in the service request, and the application system processes the operation object according to the operation item. For example, if the operation object in the service request is a document and the operation item is deletion, the document is deleted once the user is verified to have the right to delete it.
In one embodiment, the application system sends a permission verification request generated according to a triggering operation of a user to the permission verification system, receives the user permission fed back by the permission verification system for that request, and then determines and displays the data content shown in the user operation interface according to the user permission. For example, when a user triggers an operation of entering an audit interface, the application system obtains the user right through the right verification system, and when the user right indicates that the user has the audit right, the data content to be audited and/or an audit button are displayed on the user operation interface.
According to the above authority verification method, after an authority verification request, sent by an application system when it obtains a service request, is received through an interface, the interface calling authority of the application system is authenticated according to the interface identifier corresponding to the interface and the interface key carried in the authority verification request. When the authentication passes, a preconfigured node operation tree and organization tree are queried according to the role identifier corresponding to the user identifier to obtain the user authority corresponding to the user identifier, and the user authority is fed back to the corresponding application system, so that the application system responds to the obtained service request according to the received user authority. The authority verification function module and the service processing function module of the application system are thereby decoupled, which reduces both the maintenance cost of the service processing function module and the authority verification cost. Moreover, the permission verification function modules of the application systems are integrated: the permission verification design of an application system is realized by configuring the node operation tree, the organization tree and the corresponding interfaces, a separate permission verification function module does not need to be developed and maintained for each application system, and the permission verification cost is further reduced.
In one embodiment, step S208 includes: inquiring node identification corresponding to the role identification from a preconfigured node operation tree, and determining operation authority corresponding to the node identification; inquiring organization identification corresponding to the role identification from a pre-configured organization tree, and determining data authority corresponding to the user identification according to an organization label corresponding to the organization identification or the position of the organization identification in the organization tree; and obtaining the user authority corresponding to the user identification according to the operation authority and the data authority.
The node identifier is used to uniquely identify the node, and specifically may be a name, a number, or a code of an operation object represented by the node, for example, when the node represents a file, the node identifier may be a name, a code, or a path of the file. The operation authority refers to an authority for operating or processing an operation object, such as an addition authority, a modification authority, a deletion authority, and the like. The organization identifier is used for uniquely identifying the organization, and specifically may be a name, a number, a code, or the like of the organization.
Specifically, the authority verification system queries a preconfigured node operation tree according to the role identifier corresponding to the user identifier, determines from the node operation tree the node identifier corresponding to the role identifier, and obtains the operation authority corresponding to that node identifier as the operation authority corresponding to the role identifier, and hence as the operation authority corresponding to the user identifier. The authority verification system also queries a preconfigured organization tree according to the role identifier corresponding to the user identifier, so as to determine from the organization tree the organization identifier corresponding to the role identifier. The authority verification system then determines, according to the organization tree, the organization label corresponding to that organization identifier, and determines the data authority corresponding to the role identifier according to the organization label, as the data authority corresponding to the user identifier. Alternatively, the authority verification system determines the position in the organization tree of the organization identifier corresponding to the role identifier, and determines the data authority corresponding to the role identifier according to that position, as the data authority corresponding to the user identifier. Finally, the authority verification system obtains the user authority corresponding to the user identifier from the operation authority and the data authority corresponding to the user identifier.
In one embodiment, the privilege verification system associates an organization with users in the organization in an organization tree through an organization identification and a user identification. After the authority verification system analyzes the authority verification request to obtain the user identification, the organization identification associated with the user identification is inquired from the organization tree according to the user identification obtained by analysis, and the data authority corresponding to the user identification is determined according to the organization label corresponding to the organization identification or the position of the organization corresponding to the organization identification in the organization tree.
In one embodiment, the authority verification system combines the operation authority and the data authority corresponding to the user identifier to obtain the user authority corresponding to the user identifier. For example, the operation authority indicates that the user has an audit role in the sales group and can perform audit operations on sales orders, and the data authority indicates that the user can only audit sales orders in the east region; the user authority obtained by combining them is that the user, in the audit role in the sales group, can perform audit operations on sales orders in the east region.
In one embodiment, the authority verification system determines the operation authority and the data authority corresponding to the user identification through two threads in parallel, so that the obtaining efficiency of the user authority is improved.
In the above embodiment, the operation right and the data right corresponding to the user identifier can be quickly queried by querying the preconfigured node operation tree and the preconfigured organization tree, and the obtaining efficiency of the user right, that is, the right verification efficiency for the user can be improved.
In one embodiment, the step of configuring the node operation tree includes: constructing a node tree comprising at least one node; acquiring an operation item to be configured, and associating the operation item with a node to obtain an operation authority corresponding to the node; establishing a corresponding relation between the node and the role identification to be configured; and configuring according to the node tree, and the operation authority and the role identifier corresponding to each node in the node tree to obtain the node operation tree.
Specifically, when detecting a node operation tree configuration trigger operation, the permission verification system constructs a node tree including at least one node according to the detected node operation tree configuration trigger operation, and acquires an operation item to be configured and a role identifier. And the authority verification system associates the operation items to be configured with the nodes in the constructed node tree to obtain the operation authority corresponding to each node. The authority verification system establishes a corresponding relation between the nodes in the node tree and the role identifiers to be configured, namely, the nodes in the node tree are associated with the role identifiers to be configured. And the permission verification system obtains the configured node operation tree according to the constructed node tree and the operation permission and role identification associated with each node in the node tree.
For example, assuming that the operation right corresponding to node x in the node operation tree is a modification right, after the corresponding relationship between the role identifier corresponding to user a and node x is established, user a obtains the operation right to modify the data of node x, and can therefore modify the data of node x through a triggering operation on the user operation interface of the application system.
In one embodiment, the permission verification system acquires a corresponding configuration file according to the detected configuration triggering operation of the node operation tree, and parses the configuration file to obtain the operation items and role identifiers to be configured, the operation objects used for constructing the node tree, and the association relationship between the operation objects. The authority verification system takes the parsed operation objects as nodes, and constructs a node tree comprising each operation object according to the association relationship between the operation objects. It can be understood that the configuration file may further include the operation item and the role identifier corresponding to each operation object. The permission verification system associates the operation objects with their corresponding operation items according to the configuration file to obtain the operation permission corresponding to each operation object, and obtains the configured node operation tree according to the constructed node tree and the operation permission and role identifier corresponding to each operation object in the node tree.
In one embodiment, one node may correspond to a plurality of operation authorities, one role identifier may also correspond to a plurality of operation authorities, and one user identifier may correspond to a plurality of role identifiers, so that one user identifier may correspond to a plurality of operation authorities.
In the embodiment, the node operation tree comprising the node tree and the operation authority and the role identifier corresponding to each node in the node tree is configured in advance, so that the corresponding operation authority can be rapidly positioned directly based on the role identifier corresponding to the user identifier during authority verification, and the authority verification efficiency can be improved.
In one embodiment, the step of configuring the organization tree comprises: acquiring a configuration file, where the configuration file comprises a role identifier to be configured, a plurality of organization identifiers, an association relationship among the organization identifiers, and organization labels corresponding to the organization identifiers; constructing an organization tree according to the organization identifiers and the association relationship among them; determining the data authority corresponding to each organization identifier according to the organization label corresponding to that organization identifier in the organization tree or the position of that organization identifier in the organization tree; establishing a corresponding relationship between the role identifier and the organization identifier; and obtaining the configured organization tree according to the organization tree and the data authority and role identifier corresponding to each organization identifier in the organization tree.
The configuration file is a file or a data set used for specifying an item to be configured, and may specifically include a role identifier to be configured, an organization identifier, an association relationship between the organization identifiers, and an organization tag corresponding to the organization identifier. And the incidence relation among the organization identifications is used for specifying the connection relation or the position relation among the organization identifications in the organization tree.
Specifically, the authority verification system detects an organization tree configuration triggering operation, acquires a configuration file according to the detected operation, and parses the configuration file to obtain the role identifier to be configured, the organization identifiers, the association relationship among the organization identifiers, and the organization labels corresponding to the organization identifiers. The authority verification system takes each parsed organization identifier as a node (an organization node), and constructs an initial organization tree according to the association relationship among the organization identifiers. The authority verification system determines the data authority corresponding to each organization identifier according to the organization label corresponding to that organization identifier in the organization tree and/or the position of that organization identifier in the organization tree. The authority verification system establishes a corresponding relationship between the role identifier to be configured and each organization identifier in the organization tree, so that the corresponding organization identifier can be queried based on the role identifier, and the data authority corresponding to the role identifier can in turn be queried based on the organization identifier. The authority verification system then obtains the configured organization tree according to the initial organization tree and the data authority and role identifier corresponding to each organization identifier in the organization tree.
In one embodiment, the configuration file specifies configuration data for building a plurality of organizational trees. The authority verification system builds a plurality of initial organization trees based on the configuration file, and carries out the configuration operation on each initial organization tree to obtain a plurality of configured organization trees. Therefore, when the application system is opened for a plurality of organizations, a corresponding organization tree is constructed for each organization, so that the corresponding organization tree can be quickly positioned according to the user identification, the corresponding data authority can be inquired from the positioned organization tree, and the acquisition efficiency of the data authority can be improved.
In one embodiment, the permission verification system configures the node operation tree and the organization tree based on the same configuration file, that is, the configuration file includes the operation objects to be configured, the association relationship among the operation objects, the operation items, the role identifiers, the organization identifiers, the association relationship among the organization identifiers, and the organization labels corresponding to the organization identifiers. The authority verification system performs the configuration of both the node operation tree and the organization tree based on this acquired configuration file. The configuration of the node operation tree and the organization tree may be performed in parallel by a plurality of threads.
In the embodiment, the organization tree comprising the plurality of organization identifications, the role identification corresponding to each organization identification and the data permission is configured in advance, so that the corresponding data permission can be quickly positioned according to the role identification corresponding to the user identification during permission verification, and the acquisition efficiency of the data permission can be improved.
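The two configuration procedures above (the node operation tree from the node tree, operation items and role identifiers; the organization tree from organization identifiers, their association relationship and organization labels) and the query that follows them (looking up operation authority and data authority by role identifier and combining both into the user authority) can be made concrete in one piece of code. The following Python is an added example written for this page; it is not code from the patent or from the applicant. The configuration layout, the sample node, organization, role and user identifiers, and the rule that an organization's data permission covers that organization plus its descendants, keyed by its organization label when one is configured and by its root-to-node position otherwise, are all assumptions made for the example.

```python
"""Added example (not the patent's code): configure a node operation tree and an
organization tree from a configuration file, then derive a user authority from the
role identifiers of a user. Assumptions: the configuration layout, the sample
identifiers, and the rule that data permission covers an organization's subtree."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed configuration file contents (sample values, not from the page).
CONFIG = {
    # operation object -> parent operation object (None marks the root node)
    "nodes": {"documents": None, "sales_order": "documents", "invoice": "documents"},
    # node -> operation items that may be performed on it
    "operations": {"sales_order": ["audit", "modify"], "invoice": ["view"]},
    # node -> role identifiers associated with that node
    "node_roles": {"sales_order": ["auditor"], "invoice": ["auditor", "clerk"]},
    # organization identifier -> parent organization identifier
    "orgs": {"company": None, "sales_group": "company",
             "east_region": "sales_group", "west_region": "sales_group"},
    # organization identifier -> organization label (optional)
    "org_labels": {"east_region": "region:east", "west_region": "region:west"},
    # organization identifier -> role identifiers associated with it
    "org_roles": {"east_region": ["auditor"], "company": ["admin"]},
}
# user identifier -> role identifiers (one user may hold several roles)
USER_ROLES = {"user_a": ["auditor"], "user_b": ["admin", "clerk"]}


def _check_tree(parent: Dict[str, Optional[str]], kind: str) -> None:
    """Reject a configuration whose parent links point at unknown identifiers."""
    for child, par in parent.items():
        if par is not None and par not in parent:
            raise ValueError(f"{kind} {child!r} references unknown parent {par!r}")


@dataclass
class NodeOperationTree:
    parent: Dict[str, Optional[str]]
    operations: Dict[str, List[str]]  # node -> operation items (operation authority)
    roles: Dict[str, List[str]]       # node -> role identifiers

    @classmethod
    def from_config(cls, cfg: dict) -> "NodeOperationTree":
        parent = dict(cfg["nodes"])
        _check_tree(parent, "node")
        return cls(parent,
                   {n: list(cfg["operations"].get(n, [])) for n in parent},
                   {n: list(cfg["node_roles"].get(n, [])) for n in parent})

    def operation_permission(self, role: str) -> Dict[str, List[str]]:
        """Nodes the role is associated with, and the operation items allowed on each."""
        return {n: sorted(self.operations[n]) for n in self.parent
                if role in self.roles[n] and self.operations[n]}


@dataclass
class OrganizationTree:
    parent: Dict[str, Optional[str]]
    labels: Dict[str, str]            # organization identifier -> organization label
    roles: Dict[str, List[str]]       # organization identifier -> role identifiers

    @classmethod
    def from_config(cls, cfg: dict) -> "OrganizationTree":
        parent = dict(cfg["orgs"])
        _check_tree(parent, "organization")
        return cls(parent, dict(cfg["org_labels"]),
                   {o: list(cfg["org_roles"].get(o, [])) for o in parent})

    def position(self, org: str) -> str:
        """Root-to-node path of an organization identifier in the tree."""
        path = []
        while org is not None:
            path.append(org)
            org = self.parent[org]
        return "/".join(reversed(path))

    def subtree(self, org: str) -> List[str]:
        """The organization itself plus every descendant (the assumed data scope)."""
        pos = self.position(org)
        return sorted(o for o in self.parent
                      if self.position(o) == pos or self.position(o).startswith(pos + "/"))

    def data_permission(self, role: str) -> Dict[str, dict]:
        """Data authority per organization the role is associated with; the scope is
        keyed by the organization label when configured, else by the tree position."""
        return {o: {"scope": self.labels.get(o, self.position(o)), "orgs": self.subtree(o)}
                for o in self.parent if role in self.roles[o]}


def user_authority(user_id: str, user_roles: Dict[str, List[str]],
                   node_tree: NodeOperationTree, org_tree: OrganizationTree) -> dict:
    """Combine operation permission and data permission over all of the user's roles."""
    operation: Dict[str, set] = {}
    data: Dict[str, dict] = {}
    for role in user_roles.get(user_id, []):
        for node, ops in node_tree.operation_permission(role).items():
            operation.setdefault(node, set()).update(ops)
        data.update(org_tree.data_permission(role))
    return {"operation": {n: sorted(v) for n, v in operation.items()}, "data": data}


NODE_TREE = NodeOperationTree.from_config(CONFIG)
ORG_TREE = OrganizationTree.from_config(CONFIG)
```

Calling `user_authority("user_a", USER_ROLES, NODE_TREE, ORG_TREE)` yields the audit and modify operations on `sales_order` plus view on `invoice`, and a data scope of `region:east` restricted to `east_region`, which matches the "audit sales orders in the east region" combination described in the text. The parent-link check in `_check_tree` rejects a malformed configuration file before a half-built tree can be stored, which is the failure a practitioner would want caught at configuration time rather than at verification time.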
In an embodiment, after step S202, the method for verifying authority further includes: acquiring the corresponding calling times of the interface in a preset time period; when the calling times are less than the preset calling times, continuing to execute the step of authenticating the interface calling authority according to the interface identification and the interface key corresponding to the interface; and refusing to respond to the permission verification request when the calling times are more than or equal to the preset calling times.
The calling times refer to the times of calling the interface by the application system. The preset time period is a time interval determined by a specified start time and end time, or a time interval determined by a specified time length and end time. The preset time period is, for example, a time interval in which the current time is the end time and the time length is equal to a specified time length, that is, a past time period, and the specified time length is, for example, 1 second. The preset number of calls is a preset threshold number of calls, such as 50 calls.
Specifically, after receiving an authority verification request sent by an application system through an interface, the authority verification system obtains the number of calls of the interface within the preset time period according to the interface identifier of the interface, and compares the obtained number of calls with the preset number of calls corresponding to the interface. When the number of calls is less than the preset number of calls, the interface satisfies the calling condition, and the authority verification system continues with the step of authenticating the interface calling authority according to the interface identifier and the interface key corresponding to the interface. When the number of calls is greater than or equal to the preset number of calls, the interface is being called too frequently, and the permission verification system refuses to respond to the received permission verification request, that is, it does not continue with the step of authenticating the interface calling permission according to the interface identifier and the interface key corresponding to the interface.
In one embodiment, when the number of calls of the interface is judged to be greater than or equal to the preset number of calls, the authority verification system replaces the standard interface key corresponding to the interface. Consequently, when the authority verification system authenticates the interface calling authority of the application system according to the standard interface key corresponding to the interface and the interface key obtained by parsing the request, the authentication fails because the replaced standard interface key no longer matches the parsed interface key, so the response to the authority verification request is refused, that is, the current call of the application system to the interface is refused. It can be understood that when a restoration condition is met, the permission verification system switches the standard interface key corresponding to the interface back to the interface key preconfigured for the application system, so as to restore the application system's calling permission for the interface. A restoration condition is, for example, detection of a trigger to resume calling, or detection of the arrival of the next time period or time slice. For example, taking 1 second as a time slice, if the number of calls in the time slice corresponding to the current preset time period is greater than or equal to the preset number of calls, calls to the interface are stopped until the time slice corresponding to the next preset time period arrives, that is, calling is resumed when the next second arrives.
In one embodiment, the privilege verification system is preconfigured with an interface that multiple application systems call. After acquiring a permission verification request sent by an application system, the permission verification system acquires the number of calls made by that application system to the interface within the preset time period. When that number of calls is greater than or equal to the preset number of calls, the permission verification system refuses to respond to the permission verification request sent by that application system, that is, it refuses that application system's call to the interface. It will be appreciated that when an application system is denied access to the interface in this manner, the permission verification system still allows other application systems that have permission to call the interface. This effectively prevents a single application system from maliciously calling the interface too frequently, which would increase the interface calling pressure and thereby the authority verification pressure on the authority verification system.
In the above embodiment, whether the corresponding application system is currently allowed to call the interface is determined based on the number of calls to the interface within the preset time period, and processing is performed according to the determination result, so as to avoid the system load increasing due to overly frequent interface calls and the system being overwhelmed or crashing.
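The call-counting check described above (count the calls of an interface within a preset time period, per application system on a shared interface, refuse when the count reaches the preset threshold, resume when the next time slice arrives, and only then authenticate the interface calling authority) is shown below as an added Python example for this page; it is not code from the patent or from the applicant. The counter layout, the injectable clock (so the behaviour can be exercised without sleeping) and the handler's return strings are assumptions; the figures of 50 calls and a 1-second time slice are the page's own example values.

```python
"""Added example (not the patent's code): count interface calls per application within
a fixed time slice and check the count before interface calling authority
authentication. Assumptions: the counter layout, the injectable clock and the
handler's return strings; 50 calls per 1 second are the page's example figures."""
import time
from typing import Callable, Dict, Tuple

PRESET_CALL_LIMIT = 50      # preset number of calls (page's example value)
TIME_SLICE_SECONDS = 1.0    # preset time period (page's example value)


class InterfaceCallLimiter:
    """Counts calls per (interface identifier, application identifier) in the current
    time slice; entering a new slice resets the count, which resumes calling."""

    def __init__(self, limit: int = PRESET_CALL_LIMIT,
                 slice_seconds: float = TIME_SLICE_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.slice_seconds = slice_seconds
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        # (interface id, app id) -> (slice number, calls counted in that slice)
        self._counts: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def _current_slice(self) -> int:
        return int(self.clock() // self.slice_seconds)

    def call_count(self, interface_id: str, app_id: str) -> int:
        """Calls already made by this application on this interface in the current slice."""
        slice_no, count = self._counts.get((interface_id, app_id), (-1, 0))
        return count if slice_no == self._current_slice() else 0

    def admit(self, interface_id: str, app_id: str) -> bool:
        """Record one call; True only when the count before it was below the limit."""
        key = (interface_id, app_id)
        cur = self._current_slice()
        slice_no, count = self._counts.get(key, (cur, 0))
        if slice_no != cur:
            count = 0  # a new time slice has arrived: calling is resumed
        if count >= self.limit:
            return False  # too frequent: refuse this caller; other applications are unaffected
        self._counts[key] = (cur, count + 1)
        return True


def handle_permission_request(limiter: InterfaceCallLimiter, interface_id: str, app_id: str,
                              authenticate: Callable[[str, str], bool], interface_key: str) -> str:
    """Order of checks as described above: call count first, then the interface key."""
    if not limiter.admit(interface_id, app_id):
        return "refused: interface called too frequently"
    if not authenticate(interface_id, interface_key):
        return "refused: interface calling authority authentication failed"
    return "authenticated: proceed to user authority lookup"
```

Keying the counter by both interface identifier and application identifier is what lets one over-active application on a shared interface be refused while the others keep their access. Doing the count check before key authentication also means a flood of requests with wrong keys never reaches the comparison step, which is the load the text is concerned with.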
In one embodiment, the method for verifying the authority further includes: acquiring a login request corresponding to a user identifier; the login request carries a user account and a password; authenticating the user account and the password according to the user identification; and when the authentication is passed, logging in a plurality of pre-configured application systems according to the user account and the password.
The login request is a request for triggering a login operation, and may specifically carry a user account and a password. The user account and the password are the credentials of the user for logging in to the application systems.
Specifically, the authority verification system obtains a login request that corresponds to the user identifier and carries a user account and a password, and parses the received login request to obtain the user account and the password. The authority verification system queries locally, according to the user identifier, a pre-stored standard user account and the corresponding standard password, compares the queried standard user account with the parsed user account, and compares the queried standard password with the parsed password, so as to authenticate the user account and the password, and determines the authentication result from the comparison results. When the user account matches the standard user account and the password matches the standard password, the authority verification system judges that the user account and the password are authenticated, and logs in to a plurality of preconfigured application systems according to the authenticated user account and password.
In one embodiment, the authority verification system obtains a login request corresponding to a user identifier through a user operation interface of the terminal. The terminal acquires a user account and a password triggered by a user through a user operation interface, generates a login request according to the acquired user account and password, and sends the login request to the authority verification system, so that unified login of a plurality of application systems is realized through the authority verification system.
In one embodiment, when the authentication result of the user account and the password is judged to be passed, one or more application systems corresponding to the corresponding user identifications are determined, and the one or more application systems are logged in according to the user account and the password which are passed through the authentication.
In one embodiment, the login request carries an identifier of the application system to be logged in to. When the authentication passes, the authority verification system logs in to the application system corresponding to the application system identifier specified in the login request, according to the authenticated user account and password. In this way, the application system to be logged in to is specified by the login request and then logged in to.
In the embodiment, the unified login of the plurality of application systems is realized through the authentication of the single user account and the password, the login efficiency of the application systems can be improved, and the operation complexity of the login of the application systems is reduced.
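The unified login procedure above (compare the account and password in the login request with the stored standard account and password for the user identifier, then log in to the preconfigured application systems, or to the single one named in the request) is shown below as an added Python example for this page; it is not code from the patent or from the applicant. One deliberate substitution is labelled: where the text compares the password with a stored standard password, the example stores only a salted PBKDF2 digest of the standard password and compares digests in constant time, so a leaked credential store does not expose the passwords. The login request layout and the representation of "logging in" as returning the identifiers of the application systems entered are assumptions.

```python
"""Added example (not the patent's code): unified login to several application systems
after authenticating one user account and password. Assumptions: the standard
password is stored as a salted PBKDF2 digest instead of in clear (a substitution for
the page's direct comparison), the login request layout, and that logging in an
application system is represented by returning its identifier."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UnifiedLogin:
    def __init__(self) -> None:
        # user identifier -> (standard account, salt, digest of the standard password)
        self.standard: Dict[str, Tuple[str, bytes, bytes]] = {}
        # user identifier -> application systems preconfigured for that user
        self.apps: Dict[str, List[str]] = {}

    def register(self, user_id: str, account: str, password: str, apps: List[str]) -> None:
        """Store the standard credentials for a user identifier (the clear password is not kept)."""
        salt = os.urandom(16)
        self.standard[user_id] = (account, salt, hash_password(password, salt))
        self.apps[user_id] = list(apps)

    def authenticate(self, user_id: str, account: str, password: str) -> bool:
        """Both the account and the password must match the stored standard values."""
        entry = self.standard.get(user_id)
        if entry is None:
            return False
        std_account, salt, std_digest = entry
        account_ok = hmac.compare_digest(std_account.encode("utf-8"), account.encode("utf-8"))
        password_ok = hmac.compare_digest(std_digest, hash_password(password, salt))
        return account_ok and password_ok

    def login(self, request: dict) -> Optional[List[str]]:
        """Application systems logged in to, or None when authentication fails.
        An optional app_id in the request restricts the login to that one system."""
        if not self.authenticate(request["user_id"], request["account"], request["password"]):
            return None
        allowed = self.apps.get(request["user_id"], [])
        target = request.get("app_id")
        if target is None:
            return list(allowed)
        return [target] if target in allowed else []
```

Note that a requested application system the user was never configured for yields an empty list rather than a login, so the single-system variant of the text cannot be used to reach a system outside the user's preconfigured set.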
In one embodiment, the method for verifying the authority further includes: acquiring a configuration request corresponding to an application system; creating an authority space corresponding to the application system according to the configuration request, and configuring a node operation tree and an organization tree corresponding to the application system; storing the configured node operation tree and the organization tree to an authority space; and generating an interface corresponding to the authority space and an interface key corresponding to the interface, and determining the interface key as the interface key corresponding to the application system.
The configuration request is a request for triggering configuration operation, and is used for instructing the permission verification system to configure a corresponding permission space, a node operation tree, an organization tree, an interface key and the like for the application system. The authority space is a space for storing authority data corresponding to the application system, that is, a space for storing a node operation tree and an organization tree corresponding to the application system.
Specifically, the authority verification system obtains a configuration request corresponding to the application system to be configured, and parses the configuration request to obtain an application system identifier and a corresponding configuration file. The permission verification system creates a permission space corresponding to the application system according to the parsed configuration file, preconfigures the node operation tree and the organization tree corresponding to the application system, and stores the configured node operation tree and organization tree in the created permission space. The permission verification system may configure the node operation tree and the organization tree corresponding to the application system according to the configuration manner provided in the foregoing one or more embodiments, which is not described again here. The permission verification system generates a corresponding interface for the created permission space, preconfigures a corresponding interface key for the generated interface, and takes the interface key as the permission credential with which the application system calls the interface. The authority verification system feeds back the interface key generated for the application system to the application system, and stores the interface key as the standard interface key corresponding to the interface.
In one embodiment, after the permission verification system creates a permission space corresponding to an application system, one or more interfaces corresponding to the permission space are created for the application system. When a plurality of interfaces are created, corresponding authority verification logic or interface functions are pre-configured for each interface, so that the application system can realize different authority verification operations by calling different interfaces. The pre-configured interfaces are used for acquiring all organization trees corresponding to the users, acquiring user rights of all nodes corresponding to the users, acquiring user rights of the users to data in a single node and the like. It is understood that the interface keys of each of the plurality of interfaces pre-configured for the application system may be the same, which can reduce the number of interface keys stored in the application system.
In one embodiment, when the preconfigured interface is an interface shared by multiple application systems, after the permission verification system creates a permission space for the application system to be configured, the created permission space is associated with the configured interface, and an interface key corresponding to the interface is created for the application system. In this way, each application system calls the same interface to access the respective privilege space based on the respective interface key, thus enabling privilege isolation with a reduced number of interfaces.
In the embodiment, the node operation tree and the organization tree which are pre-configured for the application systems are stored in the corresponding permission spaces, so that permission isolation among the application systems is realized, the permission can be conveniently and directly positioned to the corresponding permission spaces to obtain the user permission during permission verification, and the obtaining efficiency of the user permission can be improved.
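The permission-space procedure above (create a permission space per application system, store its node operation tree and organization tree there, generate an interface and an interface key, feed the key back to the application, keep the standard key for authentication, and in the shared-interface variant let several application systems reach only their own space through one interface with their own keys) is shown below as an added Python example for this page; it is not code from the patent or from the applicant. Assumptions: interface identifiers and keys are produced with the `secrets` module, only a SHA-256 digest of the standard key is kept server-side (a choice for the example, not something the text specifies), and the shared-interface case stores each application's standard key under the pair (interface identifier, application identifier). The trees are stored as opaque dictionaries since their construction is covered elsewhere.

```python
"""Added example (not the patent's code): one permission space per application system,
an interface with an interface key, and interface calling authority authentication
against the stored standard key. Assumptions: identifiers and keys come from the
secrets module, only a SHA-256 digest of the standard key is kept, and a shared
interface keys each application's standard key by (interface, application)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PermissionSpace:
    """The trees configured for one application system (kept as opaque dicts here)."""
    app_id: str
    node_operation_tree: dict
    organization_tree: dict


def _digest(key: str) -> bytes:
    return hashlib.sha256(key.encode("utf-8")).digest()


class PermissionVerificationSystem:
    def __init__(self) -> None:
        self.spaces: Dict[str, PermissionSpace] = {}
        # (interface identifier, application identifier) -> digest of the standard key
        self.standard_keys: Dict[Tuple[str, str], bytes] = {}

    def configure(self, app_id: str, config: dict,
                  interface_id: Optional[str] = None) -> Tuple[str, str]:
        """Create the application's permission space, store its trees, and return the
        (interface identifier, interface key) pair that is fed back to the application once.
        Passing an existing interface_id associates the new space with a shared interface."""
        if app_id in self.spaces:
            raise ValueError(f"permission space for {app_id!r} already exists")
        self.spaces[app_id] = PermissionSpace(app_id, dict(config["node_operation_tree"]),
                                              dict(config["organization_tree"]))
        if interface_id is None:
            interface_id = "if-" + secrets.token_hex(8)
        key = secrets.token_urlsafe(32)
        self.standard_keys[(interface_id, app_id)] = _digest(key)  # the clear key is not stored
        return interface_id, key

    def authenticate(self, interface_id: str, app_id: str,
                     presented_key: str) -> Optional[PermissionSpace]:
        """Interface calling authority authentication: the caller's own permission space
        on success, None otherwise. compare_digest keeps the comparison constant-time."""
        expected = self.standard_keys.get((interface_id, app_id))
        if expected is None or not hmac.compare_digest(expected, _digest(presented_key)):
            return None
        return self.spaces[app_id]
```

Because a successful authentication returns only the space bound to the presenting application's identifier, one application's key never resolves to another application's trees even when both call the same interface, which is the permission isolation the text attributes to the shared-interface arrangement.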
As shown in fig. 3, in an embodiment, a method for verifying authority is provided, which specifically includes the following steps:
S302, a node tree comprising at least one node is constructed.
S304, obtaining the operation item to be configured, and associating the operation item with the node to obtain the operation authority corresponding to the node.
S306, establishing a corresponding relation between the node and the role identifier to be configured.
S308, configuring according to the node tree and the operation authority and the role identifier corresponding to each node in the node tree to obtain the node operation tree.
S310, acquiring a configuration file; the configuration file comprises a role identifier to be configured, a plurality of organization identifiers, an association relation among the organization identifiers and organization labels corresponding to the organization identifiers.
S312, an organization tree is built according to the association relation between the organization identifications and the organization identifications.
S314, determining the data authority corresponding to the organization identifier according to the organization label corresponding to each organization identifier in the organization tree or the position of each organization identifier in the organization tree.
S316, establishing the corresponding relation between the role identification and the organization identification.
And S318, obtaining a configured organization tree according to the organization tree and the data authority and role identification corresponding to each organization identification in the organization tree.
S320, receiving an authority verification request sent by an application system through an interface when the application system acquires a service request; the permission verification request carries an interface key and a user identifier.
And S322, acquiring the corresponding calling times of the interface in the preset time period.
And S324, when the calling times are less than the preset calling times, authenticating the interface calling authority according to the interface identification and the interface key corresponding to the interface.
S326, when the calling times are larger than or equal to the preset calling times, refusing to respond to the authority verification request.
And S328, when the authentication is passed, determining a corresponding role identifier according to the user identifier.
S330, inquiring the node identification corresponding to the role identification from the preconfigured node operation tree, and determining the operation authority corresponding to the node identification.
S332, inquiring the organization identifier corresponding to the role identifier from the pre-configured organization tree, and determining the data authority corresponding to the user identifier according to the organization label corresponding to the organization identifier or the position of the organization identifier in the organization tree.
And S334, obtaining the user authority corresponding to the user identifier according to the operation authority and the data authority.
S336, the user authority is fed back to the application system through the interface; and the fed back user authority is used for indicating the application system to respond to the service request according to the user authority.
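The following is an added worked example of steps S302 to S336 in Python; it is not code from the patent or from the applicant. It builds a node operation tree and an organization tree for one application system, then handles verification requests: the per-interface call count within a preset period (S322-S326), constant-time comparison of the presented interface key with the standard key (S324), and the combination of operation authority from the node operation tree with data authority from the organization tree (S328-S334). The label vocabulary ("all" and "self"), the position rule (an organization sees its own data and that of its sub-organizations), the limit of 3 calls per 60-second window, and all identifiers and keys in `build_sample_verifier` are constructed assumptions of this example.

```python
import hmac
from collections import defaultdict, deque
from typing import Any, Deque, Dict, Iterable, Optional, Set


class NodeOperationTree:
    """Per node: its operation items and the roles bound to it (S302-S308)."""

    def __init__(self) -> None:
        self.operations: Dict[str, Set[str]] = defaultdict(set)
        self.roles: Dict[str, Set[str]] = defaultdict(set)

    def configure(self, node_id: str, operations: Iterable[str], roles: Iterable[str]) -> None:
        self.operations[node_id] |= set(operations)  # S304: operation items -> node
        self.roles[node_id] |= set(roles)  # S306: node -> role identifiers

    def operation_authority(self, role_id: str) -> Dict[str, Set[str]]:
        """S330: nodes bound to the role and the operations permitted on each."""
        return {n: set(self.operations[n]) for n, rs in self.roles.items() if role_id in rs}


class OrganizationTree:
    """Organization identifiers with child links, labels and bound roles (S310-S318)."""

    def __init__(self) -> None:
        self.children: Dict[str, Set[str]] = defaultdict(set)
        self.label: Dict[str, Optional[str]] = {}
        self.roles: Dict[str, Set[str]] = defaultdict(set)

    def configure(self, org_id: str, parent_id: Optional[str],
                  label: Optional[str] = None, roles: Iterable[str] = ()) -> None:
        if parent_id is not None:
            self.children[parent_id].add(org_id)  # S312: association relation
        self.label[org_id] = label  # S314 input
        self.roles[org_id] |= set(roles)  # S316: role identifier -> organization identifier

    def orgs_for_role(self, role_id: str) -> Set[str]:
        return {o for o, rs in self.roles.items() if role_id in rs}

    def _subtree(self, org_id: str) -> Set[str]:
        return {org_id}.union(*(self._subtree(c) for c in self.children[org_id]))

    def data_authority(self, org_id: str) -> Set[str]:
        # S314/S332: label first ("all"/"self" vocabulary is assumed), else position in the tree.
        label = self.label[org_id]
        if label == "all":
            return set(self.label)  # every organization in the tree
        if label == "self":
            return {org_id}  # only this organization's own data
        return self._subtree(org_id)  # no label: own data plus all sub-organizations


class RightsVerifier:
    """One application system's permission space plus the verification flow (S320-S336)."""

    def __init__(self, standard_key: str, node_tree: NodeOperationTree, org_tree: OrganizationTree,
                 user_roles: Dict[str, Set[str]], limit: int = 100, window: float = 60.0) -> None:
        self.standard_key, self.node_tree, self.org_tree = standard_key, node_tree, org_tree
        self.user_roles, self.limit, self.window = user_roles, limit, window
        self.calls: Deque[float] = deque()  # timestamps of admitted calls to the interface

    def _admit(self, now: float) -> bool:
        """S322-S326: count calls in the preset period; refuse once the preset number is reached."""
        while self.calls and self.calls[0] <= now - self.window:
            self.calls.popleft()
        if len(self.calls) >= self.limit:
            return False
        self.calls.append(now)
        return True

    def verify(self, interface_key: str, user_id: str, now: float) -> Dict[str, Any]:
        if not self._admit(now):
            return {"granted": False, "reason": "call limit exceeded"}
        # S324: constant-time comparison so the key cannot be recovered from response timing
        if not hmac.compare_digest(self.standard_key.encode(), interface_key.encode()):
            return {"granted": False, "reason": "authentication failed"}
        operation_authority: Dict[str, Set[str]] = defaultdict(set)
        data_authority: Set[str] = set()
        for role in self.user_roles.get(user_id, set()):  # S328: a user may hold several roles
            for node, ops in self.node_tree.operation_authority(role).items():  # S330
                operation_authority[node] |= ops
            for org in self.org_tree.orgs_for_role(role):  # S332
                data_authority |= self.org_tree.data_authority(org)
        return {"granted": True, "operation_authority": dict(operation_authority),
                "data_authority": data_authority}  # S334: the combined user authority


def build_sample_verifier() -> RightsVerifier:
    """Constructed sample configuration (not from the patent); limit of 3 calls per minute."""
    nt = NodeOperationTree()
    nt.configure("orders", {"read", "write"}, {"clerk"})
    nt.configure("reports", {"read"}, {"auditor"})
    ot = OrganizationTree()
    ot.configure("hq", None, label="all")
    ot.configure("east", "hq", roles={"clerk"})
    ot.configure("east-1", "east")
    ot.configure("west", "hq", label="self", roles={"auditor"})
    return RightsVerifier("k-app1-secret", nt, ot,
                          {"u100": {"clerk"}, "u200": {"clerk", "auditor"}}, limit=3)
```

A user with no configured role is answered with empty operation and data authority rather than an error, leaving the application system to deny the service request; the call counter admits only calls that are actually responded to, so a refused call does not extend the block.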
It should be understood that although the steps in the flow charts of fig. 2-3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in fig. 2-3 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 4, there is provided a rights verifying apparatus 400 including: a receiving module 402, an authentication module 404, a query module 406, and a feedback module 408, wherein:
The receiving module 402 is configured to receive an authority verification request sent by an application system through an interface when the application system obtains a service request; the authority verification request carries an interface key and a user identifier.
The authentication module 404 is configured to authenticate the interface calling authority according to the interface identifier corresponding to the interface and the interface key.
The authentication module 404 is further configured to determine a corresponding role identifier according to the user identifier when the authentication is passed.
The query module 406 is configured to query the preconfigured node operation tree and organization tree according to the role identifier, so as to obtain the user authority corresponding to the user identifier.
The feedback module 408 is configured to feed the user authority back to the application system through the interface; the fed-back user authority is used for instructing the application system to respond to the service request according to the user authority.
In an embodiment, the query module 406 is further configured to query a node identifier corresponding to the role identifier from a preconfigured node operation tree, and determine an operation authority corresponding to the node identifier; inquiring organization identification corresponding to the role identification from a pre-configured organization tree, and determining data authority corresponding to the user identification according to an organization label corresponding to the organization identification or the position of the organization identification in the organization tree; and obtaining the user authority corresponding to the user identifier according to the operation authority and the data authority.
In one embodiment, the above-mentioned right verifying apparatus 400 further includes: a configuration module;
a configuration module for constructing a node tree comprising at least one node; acquiring an operation item to be configured, and associating the operation item with a node to obtain an operation authority corresponding to the node; establishing a corresponding relation between the node and the role identifier to be configured; and configuring according to the node tree, and the operation authority and the role identifier corresponding to each node in the node tree to obtain the node operation tree.
In one embodiment, the configuration module is further configured to acquire a configuration file; the configuration file comprises a role identifier to be configured, a plurality of organization identifiers, an association relation among the organization identifiers, and organization labels corresponding to the organization identifiers; construct an organization tree according to the organization identifiers and the association relation among them; determine the data authority corresponding to each organization identifier according to the organization label corresponding to that organization identifier in the organization tree or the position of that organization identifier in the organization tree; establish a corresponding relation between the role identifier and the organization identifier; and obtain the configured organization tree according to the organization tree and the data authority and role identifier corresponding to each organization identifier in the organization tree.
In an embodiment, the authentication module 404 is further configured to obtain a number of calls corresponding to the interface within a preset time period; when the calling times are less than the preset calling times, continuing to execute the step of authenticating the interface calling authority according to the interface identification and the interface key corresponding to the interface; and refusing to respond to the permission verification request when the calling times are more than or equal to the preset calling times.
In one embodiment, the apparatus 400 for verifying authority further includes: a login module;
the login module is used for acquiring a login request corresponding to the user identifier; the login request carries a user account and a password; authenticating the user account and the password according to the user identification; and when the authentication is passed, logging in a plurality of pre-configured application systems according to the user account and the password.
In one embodiment, the configuration module is further configured to obtain a configuration request corresponding to the application system; establishing an authority space corresponding to the application system according to the configuration request, and configuring a node operation tree and an organization tree corresponding to the application system; storing the configured node operation tree and the organization tree to an authority space; and generating an interface corresponding to the authority space and an interface key corresponding to the interface, and determining the interface key as the interface key corresponding to the application system.
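The permission-space configuration performed by the configuration module, together with the shared-interface arrangement of the earlier embodiment (one interface, one permission space and one interface key per application system), as an added Python example that is not code from the patent or the applicant. It creates a permission space per configuration request, stores that system's trees in it, issues a random interface key, and resolves a later call to the caller's own space from the presented key alone, so a key issued to one application system cannot reach another system's space. The interface identifier `perm-v1`, the `space-N` naming, the 256-bit `secrets.token_urlsafe` key and the decision to retain only a SHA-256 digest of each issued key are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass
class PermissionSpace:
    """One application system's isolated container for its configured trees."""
    space_id: str
    application_id: str
    node_operation_tree: Any
    organization_tree: Any


def key_digest(interface_key: str) -> str:
    """Only a SHA-256 digest of an issued key is retained server-side (assumption of this example)."""
    return hashlib.sha256(interface_key.encode()).hexdigest()


class ConfigurationModule:
    """Creates permission spaces and issues per-application keys for one shared interface."""

    def __init__(self, interface_id: str = "perm-v1") -> None:
        self.interface_id = interface_id
        self.spaces: Dict[str, PermissionSpace] = {}
        self.key_index: Dict[str, str] = {}  # sha256(interface key) -> space_id

    def configure_application(self, application_id: str, node_operation_tree: Any,
                              organization_tree: Any) -> Tuple[str, str]:
        """Handle a configuration request: create the space, store the trees, issue the key.
        The plaintext key is returned once to the application system and is not stored."""
        if any(s.application_id == application_id for s in self.spaces.values()):
            raise ValueError(f"{application_id} is already configured")
        space_id = f"space-{len(self.spaces) + 1}"
        self.spaces[space_id] = PermissionSpace(space_id, application_id,
                                                node_operation_tree, organization_tree)
        interface_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.key_index[key_digest(interface_key)] = space_id
        return self.interface_id, interface_key

    def resolve_space(self, interface_id: str, interface_key: str) -> Optional[PermissionSpace]:
        """Locate the caller's own permission space from the presented key; None if it does not match."""
        if interface_id != self.interface_id:
            return None
        space_id = self.key_index.get(key_digest(interface_key))
        return None if space_id is None else self.spaces[space_id]
```

Because the shared interface identifies the caller by the key rather than by a self-declared application identifier, isolation between permission spaces rests only on the secrecy of each issued key; the digest index means a copy of the server-side table does not expose usable keys.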
For the specific definition of the right verifying device, reference may be made to the above definition of the right verifying method, which is not described herein again. The modules in the authorization verifying device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, and the computer device may be a rights verification server deployed with a rights verification system, and the internal structure diagram of the computer device may be as shown in fig. 5. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The database of the computer device is used to store a node operation tree and an organization tree. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of rights verification.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the authority verification method in the above embodiments when executing the computer program.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the method for rights verification in the various embodiments described above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (10)

1. A method of rights verification, the method comprising:
receiving an authority verification request sent by an application system through an interface when the application system obtains a service request; the authority verification request carries an interface key and a user identifier;
performing interface calling authority authentication according to the interface identifier corresponding to the interface and the interface key;
when the authentication is passed, determining the corresponding role identifiers according to the user identifier, the user identifier corresponding to a plurality of role identifiers;
inquiring a preconfigured node operation tree and an organization tree according to the role identifier to obtain a user authority corresponding to the user identifier;
feeding the user authority back to the application system through the interface; the fed back user authority is used for indicating the application system to respond to the service request according to the user authority;
wherein querying the preconfigured node operation tree and organization tree according to the role identifier to obtain the user authority corresponding to the user identifier comprises:
inquiring a node identifier corresponding to the role identifier from a preconfigured node operation tree, and determining an operation authority corresponding to the node identifier;
inquiring an organization identifier corresponding to the role identifier from a pre-configured organization tree, and determining data authority corresponding to the user identifier according to an organization label corresponding to the organization identifier or the position of the organization identifier in the organization tree;
and obtaining the user authority corresponding to the user identification according to the operation authority and the data authority.
2. The method of claim 1, wherein the step of configuring the node operation tree comprises:
constructing a node tree comprising at least one node;
acquiring an operation item to be configured, and associating the operation item with the node to obtain an operation authority corresponding to the node;
establishing a corresponding relation between the node and the role identifier to be configured;
and configuring according to the node tree, and the operation authority and the role identifier corresponding to each node in the node tree to obtain the node operation tree.
3. The method according to claim 1, wherein the authenticating the interface call authority according to the interface identifier corresponding to the interface and the interface key comprises:
inquiring a pre-configured standard interface key according to the interface identifier;
comparing the standard interface key with the interface key;
and obtaining the authentication result of the interface calling authority of the interface by the application system according to the comparison result.
4. The method of claim 1, wherein the step of configuring the organizational tree comprises:
acquiring a configuration file; the configuration file comprises a role identifier to be configured, a plurality of organization identifiers, an association relation among the organization identifiers, and organization labels corresponding to the organization identifiers;
constructing an organization tree according to the organization identifiers and the association relation among them;
determining the data authority corresponding to each organization identifier according to the organization label corresponding to each organization identifier in the organization tree or the position of each organization identifier in the organization tree;
establishing a corresponding relation between the role identification and the organization identification;
and obtaining a configured organization tree according to the organization tree, and the data authority and the role identifier corresponding to each organization identifier in the organization tree.
5. The method of claim 1, wherein after receiving the permission verification request sent by the application system through the interface, the method further comprises:
acquiring the number of calling times corresponding to the interface in a preset time period;
when the calling times are less than the preset calling times, continuing to execute the step of authenticating the interface calling authority according to the interface identification corresponding to the interface and the interface key;
and refusing to respond to the authority verification request when the calling times are greater than or equal to the preset calling times.
6. The method according to any one of claims 1 to 5, further comprising:
acquiring a login request corresponding to a user identifier; the login request carries a user account and a password;
authenticating the user account and the password according to the user identification;
and when the authentication is passed, logging in a plurality of preconfigured application systems according to the user account and the password.
7. The method according to any one of claims 1 to 5, further comprising:
acquiring a configuration request corresponding to an application system;
establishing an authority space corresponding to the application system according to the configuration request, and configuring a node operation tree and an organization tree corresponding to the application system;
storing the configured node operation tree and organization tree to the permission space;
and generating an interface corresponding to the permission space and an interface key corresponding to the interface, and determining the interface key as the interface key corresponding to the application system.
8. An authority verifying apparatus, characterized in that the apparatus comprises:
the receiving module is used for receiving an authority verification request sent by an application system through an interface when the application system acquires a service request; the authority verification request carries an interface key and a user identifier;
the authentication module is used for authenticating the interface calling authority according to the interface identifier corresponding to the interface and the interface key;
the authentication module is further used for determining the corresponding role identifiers according to the user identifier when the authentication is passed, the user identifier corresponding to a plurality of role identifiers;
the query module is used for querying a preconfigured node operation tree and an organization tree according to the role identifier to obtain a user authority corresponding to the user identifier;
the feedback module is used for feeding back the user authority to the application system through the interface; the fed-back user authority is used for indicating the application system to respond to the service request according to the user authority;
the query module is further configured to query a node identifier corresponding to the role identifier from a preconfigured node operation tree, and determine an operation authority corresponding to the node identifier; inquiring organization identification corresponding to the role identification from a pre-configured organization tree, and determining data authority corresponding to the user identification according to an organization label corresponding to the organization identification or the position of the organization identification in the organization tree; and obtaining the user authority corresponding to the user identification according to the operation authority and the data authority.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program performs the steps of the method according to any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN201910968967.1A 2019-10-12 2019-10-12 Authority verification method, device, computer equipment and storage medium Active CN110750766B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910968967.1A CN110750766B (en) 2019-10-12 2019-10-12 Authority verification method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110750766A CN110750766A (en) 2020-02-04
CN110750766B true CN110750766B (en) 2022-11-04

Family

ID=69278090

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910968967.1A Active CN110750766B (en) 2019-10-12 2019-10-12 Authority verification method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110750766B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111414596A (en) * 2020-04-07 2020-07-14 中国建设银行股份有限公司 Method and device for processing request
CN111563064B (en) * 2020-04-28 2023-03-14 上海鸿翼软件技术股份有限公司 File operation method, system, device and readable storage medium
CN112163035A (en) * 2020-05-15 2021-01-01 支付宝(杭州)信息技术有限公司 Method and device for calling intelligent contract
CN113626863A (en) * 2021-08-11 2021-11-09 杭州橙鹰数据技术有限公司 Data processing method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388773A (en) * 2007-09-12 2009-03-18 中国移动通信集团公司 Identity management platform, service server, uniform login system and method
CN103530568A (en) * 2012-07-02 2014-01-22 阿里巴巴集团控股有限公司 Authority control method, device and system
CN104243154A (en) * 2013-06-07 2014-12-24 腾讯科技(深圳)有限公司 Server user authority centralized control system and server use authority centralized control method
CN105653982A (en) * 2015-12-31 2016-06-08 中国建设银行股份有限公司 Method and system used for data permission control
CN107277049A (en) * 2017-07-27 2017-10-20 郑州云海信息技术有限公司 The access method and device of a kind of application system
US10032042B1 (en) * 2014-12-10 2018-07-24 Morphotrust Usa, Llc Digital identification enrollment
CN109328348A (en) * 2016-09-30 2019-02-12 华为技术有限公司 A kind of service authentication method, system and relevant device
CN109547458A (en) * 2018-12-10 2019-03-29 平安科技(深圳)有限公司 Login validation method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100995904B1 (en) * 2007-12-18 2010-11-23 한국전자통신연구원 Method of Web service and its apparatus

Also Published As

Publication number Publication date
CN110750766A (en) 2020-02-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220520

Address after: 518048 China Aviation Center 2901, No. 1018, Huafu Road, Huahang community, Huaqiang North Street, Futian District, Shenzhen, Guangdong Province

Applicant after: Shenzhen Ping An medical and Health Technology Service Co.,Ltd.

Address before: Room 12G, Area H, 666 Beijing East Road, Huangpu District, Shanghai 200001

Applicant before: PING AN MEDICAL AND HEALTHCARE MANAGEMENT Co.,Ltd.

GR01 Patent grant