CN111416822A - Method for access control, electronic device and storage medium - Google Patents

Info

Publication number
CN111416822A
Authority
CN
China
Prior art keywords
token
access request
access
determining
client
Legal status
Granted
Application number
CN202010203739.8A
Other languages
Chinese (zh)
Other versions
CN111416822B (en)
Inventor
王柏达
Current Assignee
Springpower Technology Shenzhen Co Ltd
Original Assignee
Springpower Technology Shenzhen Co Ltd
Application filed by Springpower Technology Shenzhen Co Ltd
Priority to CN202010203739.8A
Publication of CN111416822A
Application granted
Publication of CN111416822B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/102 Entity profiles

Abstract

Embodiments of the present disclosure provide a method, an electronic device, and a computer storage medium for access control. The method comprises the following steps: in response to receiving an access request from a client for a server, determining whether the access request includes a token generated by a certificate issuing device; in response to determining that the access request includes a token, determining a user identity associated with the access request from the token; determining an access policy corresponding to the user identity; and forwarding the access request to the server in accordance with a determination that the access request conforms to the access policy. In this way, unified user authentication can be achieved at the device that forwards access requests.

Description

Method for access control, electronic device and storage medium
Technical Field
Embodiments of the present disclosure relate generally to the field of computer technology, and more particularly, to a method of access control, an electronic device, and a computer storage medium.
Background
In recent years, with the development of computer technology, people pay more attention to network security. Some enterprises secure their networks by setting up private networks so that users of other networks cannot directly access services or data within the private network. Application gateway technology is commonly used to interconnect different networks. Because of the particular nature of private networks, the security of service access through application gateways is also receiving increasing attention.
Disclosure of Invention
According to an embodiment of the present disclosure, a scheme for access control is provided.
In a first aspect of the disclosure, a method of access control is provided. The method comprises the following steps: in response to receiving an access request from a client for a server, determining whether the access request includes a token generated by a certificate issuing device; in response to determining that the access request includes a token, determining a user identity associated with the access request from the token; determining an access policy corresponding to the user identity; and forwarding the access request to the server in accordance with a determination that the access request conforms to the access policy.
In a second aspect of the disclosure, a method of access control is provided. The method comprises the following steps: in accordance with a determination to request access to a server, determining, at a client, whether the client stores a token corresponding to the requested resource, the token being generated by a certificate authority; and in response to determining that the client stores the token, sending an access request including the token to a forwarding device to cause the forwarding device to forward the access request to the server based on the token.
In a third aspect of the present disclosure, an electronic device is provided. The apparatus comprises: at least one processing unit; and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, the instructions, when executed by the at least one processing unit, causing the apparatus to perform acts comprising: in response to receiving an access request from a client for a server, determining whether the access request includes a token generated by a certificate issuing device; in response to determining that the access request includes a token, determining a user identity associated with the access request from the token; determining an access policy corresponding to the user identity; and forwarding the access request to the server in accordance with a determination that the access request conforms to the access policy.
In a fourth aspect of the present disclosure, an electronic device is provided. The apparatus comprises: at least one processing unit; and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, the instructions, when executed by the at least one processing unit, causing the apparatus to perform acts comprising: in accordance with a determination to request access to a server, determining, at a client, whether the client stores a token corresponding to the requested resource, the token being generated by a certificate authority; and in response to determining that the client stores the token, sending an access request including the token to a forwarding device to cause the forwarding device to forward the access request to the server based on the token.
In a fifth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which program, when executed by a processor, implements a method according to the first aspect of the present disclosure.
In a sixth aspect of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which program, when executed by a processor, implements a method according to the second aspect of the present disclosure.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
FIG. 1 illustrates a schematic diagram of an example environment in which embodiments of the present disclosure can be implemented;
FIG. 2 illustrates a schematic diagram of an example method of access control, in accordance with some embodiments of the present disclosure;
FIG. 3 illustrates a schematic diagram of an example method of access control, in accordance with further embodiments of the present disclosure;
FIG. 4 illustrates a flow diagram of an example method of access control, in accordance with some embodiments of the present disclosure;
FIG. 5 illustrates a flow diagram of an example method of access control in accordance with further embodiments of the present disclosure; and
FIG. 6 illustrates a block diagram of a computing device capable of implementing various embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
In describing embodiments of the present disclosure, the term "include" and its derivatives should be interpreted as inclusive, i.e., "including but not limited to". The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like may refer to different or the same objects. Other explicit and implicit definitions may also be given below.
As mentioned before, application gateways are often used to interconnect different networks, which enables, for example, users located outside a private network to access data or services within the private network. Typically, identification and authentication for such access is performed separately by each service within the private network. Each service therefore has to manage the rights of its own users, which makes uniform management of rights difficult.
According to various embodiments of the present disclosure, a scheme of access control is provided. According to an aspect of the disclosure, upon receiving an access request from a client for a server, a forwarding device (e.g., an application gateway server) determines whether the access request includes a token generated by a certificate issuing device. If it is determined that the access request includes a token, the forwarding device determines a user identity associated with the access request from the token and determines an access policy corresponding to the user identity. If the access request is determined to conform to the access policy, the forwarding device forwards the access request to the server.
According to another aspect of the disclosure, upon determining that a user requests access to the server, the client determines whether it stores a token corresponding to the requested resource, the token being generated by the certificate authority. If it is determined that the token is stored, the client sends an access request including the token to the forwarding device to cause the forwarding device to forward the access request to the server based on the token.
In this manner, embodiments of the present disclosure may enable unified user authentication at an access request forwarding device (e.g., an application gateway).
Embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings. Fig. 1 illustrates a schematic diagram of an example environment 100 in which various embodiments of the present disclosure can be implemented. As shown in FIG. 1, environment 100 includes one or more clients 110-1 and 110-2 (referred to individually or collectively as clients 110), a forwarding device 120, and a server 130. Client 110-1 and forwarding device 120 reside, for example, in network 140 (e.g., a public network), and client 110-2, forwarding device 120, and server 130 reside in network 150 (e.g., a private network).
The forwarding device 120 deployed with the application gateway may, for example, receive access requests 115-1 and 115-2 (referred to individually or collectively as access requests 115) from the clients 110-1 and 110-2 and implement a unified authentication of the access requests at the forwarding device 120. Upon determining that the access request 115 satisfies the permission requirements, the forwarding device 120 may forward the access request to the server 130 to enable the client 110 to access the service provided by the server 130. The process of access control will be described in detail below in conjunction with fig. 2-5.
It should be understood that the number of clients 110 and the arrangement in FIG. 1 are merely illustrative and are not intended to limit the present disclosure.
Fig. 2 shows a schematic diagram of a method 200 of access control according to an embodiment of the present disclosure. For ease of description, the method 200 will be described below with reference to fig. 1.
As shown in FIG. 2, at 222, when the client 110 receives a request from a user to access the server 130, the client 110 determines whether the client 110 stores a token corresponding to the resource requested by the user.
At 224, if the client 110 determines that no token is stored, the client 110 may send an access request 115 without a token to the forwarding device 120. As an example, the client 110 may send an access request for a URL (e.g., www.url1.com) to the forwarding device 120 in order to request access to the server 130 at address www.url1.com.
The forwarding device 120 may determine whether a token is included in the access request 115, for example by parsing the received URL.
At 228, after the forwarding device 120 determines that the access request 115 does not include a token, the forwarding device 120 sends an authentication indication to the client 110 to cause the client 110 to authenticate with the authentication device 210. In some embodiments, the forwarding device 120 may cause the client 110 to jump to a network address corresponding to the authentication device 210, for example by way of an HTTP 302 redirect.
Continuing with the previous example, the client 110 is redirected to the URL "www.url2.com" corresponding to the authentication device 210. The user may then authenticate by entering an identity and the corresponding credentials.
After the user authentication passes, the authentication device 210 generates authentication information and appends it to the redirected URL, again by way of an HTTP 302 redirect, so that the client 110 sends an access request carrying the authentication information to the forwarding device 120. For example, the redirect indication may be "302 redirect www.url1.com/token: xxx", i.e., the authentication information (here "xxx") is attached to the access request.
At 234, client 110 sends an access request with authentication information to forwarding device 120. At 236, forwarding device 120 extracts the authentication information and sends the authentication information to authentication device 210. For example, the forwarding device 120 may extract authentication information corresponding to the ticket field from the request. At 238, the authentication device 210 will send the user identification corresponding to the authentication information to the forwarding device 120.
After obtaining the user identification, the forwarding device 120 sends the user identification to the certificate authority 220 at 240. The certificate authority 220 may, for example, be deployed in a demilitarized zone (DMZ) to improve the reliability of the token. In some embodiments, the forwarding device 120 may also send the source network address of the access request 115. For example, the forwarding device 120 may send "(userid, ip_address)" to the certificate authority 220 so that the certificate authority 220 digitally signs the received information with its private key to generate a token. In some embodiments, the token also includes a token expiration time covered by the signature, so that the token becomes invalid after a predetermined time.
At 242, after generating the token, the certificate issuing device 220 transmits the token information to the forwarding device 120. In some embodiments, the certificate authority 220 may also maintain a user identification or an organization identification associated with the user. The certificate authority 220 may generate the token information by digitally signing one or more of the user identification, the organization identification, and the received source network address with the private key. For example, the token may include "{userid, ip_address}" in clear text together with a hash value of "{userid, ip_address}" signed with the private key.
At 244, the forwarding device 120 sends the client 110 an indication that the token is to be cached. The indication causes the client 110, for example, to obtain the corresponding token from the certificate authority 220 and cache it, for example, in a local cookie.
At 246, the forwarding device 120 obtains the user identity from the token in response to verifying the token with the public key associated with the certificate authority 220. As described above, the user identity may include a user identification or an organization identification. For example, the forwarding device 120 may decrypt the signed hash value of "{userid, ip_address}" using the public key and hash the "{userid, ip_address}" in the clear-text part itself. If the two hash values are the same, the forwarding device 120 may determine that the token is authentic. After verifying the authenticity of the token with the public key, the forwarding device 120 may read the information indicating the user identity from the token.
At 248, the forwarding device 120 determines an access policy corresponding to the user identity. In some embodiments, the forwarding device 120 may obtain the set of access policies from a storage device, either local or remote. The set of access policies may for example define permissions for different user identities or different organization identities. In some embodiments, the set of access policies may be a series of access rules configured by, for example, an administrator, which may set different permissions for different resources and/or services for different users and/or organizations.
In some embodiments, the set of access policies may also be dynamically updated based on historical access requests. For example, forwarding device 120 may obtain historical analysis information that indicates whether a plurality of access requests received within a predetermined time period conform to a corresponding historical access policy. Subsequently, the forwarding device 120 may generate a recommended policy for access control based on the historical analysis information.
For example, the forwarding device 120 may collect the accesses made by the employees of various departments over the past month. When it determines that a large number of access requests from the same organization for the same resource have been denied, the forwarding device 120 may generate a reminder to open that organization's permission for the resource. In some embodiments, after obtaining confirmation from the administrator responsible for granting rights, the forwarding device 120 may update the set of access policies to grant the organization the rights to the resource.
As another example, when it determines that no member of an organization holding a privilege for a certain resource has accessed that resource within a predetermined period, the forwarding device 120 may generate a reminder to turn off the organization's privilege for the resource. In some embodiments, after obtaining confirmation from the administrator responsible for granting rights, the forwarding device 120 may update the set of access policies to remove the organization's rights to the resource.
In some embodiments, the forwarding device 120 may then determine the policy corresponding to the identity information based on the recommended policy. For example, the forwarding device 120 may look up the access policy corresponding to the identity information in the set of access policies updated according to the recommended policy. In this way, the permissions of different users and/or organizations can be refined automatically by analyzing historical access requests, which lightens the burden on the administrator of setting permissions for each user or organization.
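The following Go program is an added example and not code from the patent or its assignee. It models the access policy set and the history-driven refinement described for steps 248 and 250: a rule set keyed by user or organization and resource, a scan of the historical access records within a window that produces "open" and "close" reminders, and an update that is applied only for the reminders the administrator confirms. The subject prefixes ("u:" for users, "o:" for organizations), the denial threshold, the window length and the sample history are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Identity is what the forwarding device reads from a verified token.
type Identity struct{ UserID, OrgID string }

// Rule grants a subject ("u:<user>" or "o:<organization>", a convention assumed here) a resource.
type Rule struct{ Subject, Resource string }

// PolicySet is the administrator-configured set of access rules.
type PolicySet map[Rule]bool

// Decide is step 250: a request conforms when a rule for the user or the user's organization covers the resource.
func (p PolicySet) Decide(id Identity, resource string) bool {
	return p[Rule{"u:" + id.UserID, resource}] || p[Rule{"o:" + id.OrgID, resource}]
}

// AccessRecord is one entry of the historical analysis information.
type AccessRecord struct {
	At       time.Time
	Identity Identity
	Resource string
	Allowed  bool // whether the policy in force at the time allowed the request
}

// Recommendation is a reminder for the administrator; the policy set only
// changes when Apply is called with the administrator's confirmation.
type Recommendation struct {
	Action string // "open" or "close"
	Rule   Rule
	Reason string
}

// Recommend scans the records in the window ending at now and proposes "open" when an
// organization with no rule for a resource was denied it at least denyThreshold times,
// and "close" when an organization rule exists but no member used the resource.
func Recommend(p PolicySet, history []AccessRecord, now time.Time, window time.Duration, denyThreshold int) []Recommendation {
	denied, used := map[Rule]int{}, map[Rule]bool{}
	for _, rec := range history {
		if rec.At.Before(now.Add(-window)) || rec.At.After(now) {
			continue // outside the analysis window
		}
		orgRule := Rule{"o:" + rec.Identity.OrgID, rec.Resource}
		if rec.Allowed {
			used[orgRule] = true
		} else {
			denied[orgRule]++
		}
	}
	var out []Recommendation
	for rule, n := range denied {
		if n >= denyThreshold && !p[rule] {
			out = append(out, Recommendation{"open", rule, fmt.Sprintf("%d denied requests in window", n)})
		}
	}
	for rule := range p {
		if strings.HasPrefix(rule.Subject, "o:") && !used[rule] {
			out = append(out, Recommendation{"close", rule, "no member accessed the resource in window"})
		}
	}
	// Map iteration order is random; sort so the reminders come out in a stable order.
	key := func(r Recommendation) string { return r.Action + " " + r.Rule.Subject + " " + r.Rule.Resource }
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out
}

// Apply changes the policy set only for confirmed recommendations and returns how many were applied.
func Apply(p PolicySet, recs []Recommendation, confirmed func(Recommendation) bool) int {
	n := 0
	for _, r := range recs {
		if confirmed(r) {
			if r.Action == "open" {
				p[r.Rule] = true
			} else {
				delete(p, r.Rule)
			}
			n++
		}
	}
	return n
}

func main() {
	p := PolicySet{{"o:finance", "/ledger"}: true, {"o:hr", "/payroll"}: true}
	now, day := time.Now(), 24*time.Hour
	// Constructed history: finance used the ledger, hr's last payroll access is
	// older than the window, and three engineers were denied the ledger.
	hist := []AccessRecord{
		{now.Add(-2 * day), Identity{"alice", "finance"}, "/ledger", true},
		{now.Add(-60 * day), Identity{"carol", "hr"}, "/payroll", true},
	}
	for _, u := range []string{"dan", "eve", "fay"} {
		hist = append(hist, AccessRecord{now.Add(-day), Identity{u, "engineering"}, "/ledger", false})
	}
	fmt.Printf("%+v\n", Recommend(p, hist, now, 30*day, 3))
}
```

Recommend never modifies the policy set; only Apply does, and only through the confirmation callback, which stands in for the administrator confirmation the text requires. The "close" pass treats any allowed access by a member of the organization as use of the organization rule, which is a simplification: an access allowed by a user-level rule also counts.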
At 250, the forwarding device 120 determines that the access request 115 complies with the access policy. In some embodiments, the forwarding device 120 may determine the resource to which the access request 115 is directed and, when the access policy allows access to that resource, determine that the access request 115 conforms to the access policy corresponding to the user identity.
At 252, in accordance with the determination that the access request 115 complies with the access policy, the access request 115 is forwarded to the server 130. In some embodiments, the forwarding device 120 may append the token to the access request 115 when forwarding it to the server 130, so that the server 130 can manage rights independently without requiring secondary authentication of the user.
Based on the above discussed process, uniform authentication management can be implemented at the forwarding device 120 and the granularity of access control can be refined to a specific user identity, thereby implementing security management with zero trust. Furthermore, by implementing authentication management at the forwarding device 120, the burden of implementing separate authentication systems for backend services may also be avoided.
While the above discusses the case where no token is stored at the client 110, the case where a token is stored at the client 110 will be discussed below in conjunction with fig. 3. Fig. 3 shows a schematic diagram of a method 300 of access control according to an embodiment of the present disclosure. For ease of description, the method 300 will be described below with reference to fig. 1 and 2.
As shown in FIG. 3, at 305, when a client 110 receives a request from a user to access a server 130, the client 110 determines whether the client 110 stores a token corresponding to the resource requested by the user.
Upon determining that the client 110 stores the token, the client 110 sends an access request 115 including the token to the forwarding device 120 at 310. In some embodiments, the client 110 may first check whether the token has expired and, if it has not, append the token to the access request 115 for transmission to the forwarding device 120.
At 315, the forwarding device 120 determines that the access request 115 includes a token. At 320, after determining that the token is included in the access request 115, the forwarding device 120 determines the user identity associated with the access request 115 from the token. In some embodiments, the forwarding device 120 may obtain the user identity from the token in response to verifying the token with a public key associated with the certificate authority 220, the user identity including a user identification or an organization identification.
The forwarding device 120 then determines an access policy corresponding to the user identity. In some embodiments, as discussed with reference to 248, the forwarding device 120 may look up the access policy corresponding to the user identity in the set of access policies held on a local or remote storage device.
In some embodiments, for an access request with a token, forwarding device 120 may also first determine whether the access request is at risk. In particular, forwarding device 120 may determine the source network address of the access request from the token in response to verifying the token with a public key associated with certificate authority 220. Forwarding device 120 may also determine a device network address of client 110 based on the access request. The forwarding device 120 may then compare the source network address and the device network address and upon determining that the source network address and the device network address are consistent, the forwarding device 120 determines an access policy based on the user identity. In this manner, the forwarding device 120 may exclude forged tokens, thereby improving security of access control.
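The following Go program is an added example and not code from the patent or its assignee. It covers the token issuance and verification of steps 240 to 246 together with the source-address consistency check described in the preceding paragraph: the certificate issuing device signs the clear-text claims (user identification, organization identification, source network address and expiration time) with its private key; the forwarding device verifies the signature with the public key, rejects expired tokens, and compares the address signed into the token with the address the request actually arrived from. Ed25519 is used in place of the unspecified signature scheme (the text describes a signed hash; Ed25519 hashes the message internally), and the JSON field names, the base64url token encoding and the sample addresses are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// Claims is the clear-text part of the token: what the certificate issuing
// device signs for one user. Field names are assumptions for this example.
type Claims struct {
	UserID   string `json:"userid"`
	OrgID    string `json:"orgid,omitempty"`
	SourceIP string `json:"ip_address"` // source address of the request the token was issued for
	Exp      int64  `json:"exp"`        // Unix seconds; the token is invalid from this time on
}

// IssueToken is the certificate issuing device's side (step 240): serialise the
// claims and sign them with the private key. The token is
// base64url(claims) "." base64url(signature).
func IssueToken(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// VerifyToken is the forwarding device's side (step 246): check the signature
// with the issuer's public key, then the expiry, and only then trust the claims.
func VerifyToken(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("malformed claims encoding")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("malformed signature encoding")
	}
	// Verify before parsing: nothing in the payload is trusted until the
	// signature proves it was produced by the certificate issuing device.
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("signature does not verify: token not issued by the certificate authority")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// CheckSourceBinding is the risk check for requests that carry a token: the
// network address signed into the token must equal the address the request
// arrived from. remoteAddr is "host:port" as in http.Request.RemoteAddr.
func CheckSourceBinding(c Claims, remoteAddr string) error {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // bare address without a port
	}
	got, want := net.ParseIP(host), net.ParseIP(c.SourceIP)
	if got == nil || want == nil || !got.Equal(want) {
		return fmt.Errorf("request from %q but token was issued for %q", host, c.SourceIP)
	}
	return nil
}

func main() {
	// Key pair of the certificate issuing device; the forwarding device holds only pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample of what the forwarding device sent as "(userid, ip_address)".
	tok, _ := IssueToken(priv, Claims{UserID: "alice", OrgID: "finance", SourceIP: "203.0.113.7", Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyToken(pub, tok, now)
	fmt.Println("verify:", c.UserID, c.OrgID, err)
	fmt.Println("same address:", CheckSourceBinding(c, "203.0.113.7:51234"))
	fmt.Println("other address:", CheckSourceBinding(c, "198.51.100.9:443"))
	_, err = VerifyToken(pub, tok, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
}
```

The order of checks is the point: the signature is verified before the claims are parsed or the expiry is read, so no field of an unverified token influences the decision. A token with altered claims and the original signature reattached, a token signed with another issuer's key, an expired token, and a valid token presented from an address other than the one it was issued for are all rejected.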
At 325, forwarding device 120 determines that access request 115 complies with the corresponding access policy. As discussed with reference to 250, the forwarding device 120 may determine the resource to which the access request 115 is directed. When it is determined that the access policy allows access to the resource, forwarding device 120 may determine that access request 115 conforms to the access policy corresponding to the user identity.
At 330, the forwarding device 120 forwards the access request 115 to the server 130. As discussed with reference to 252, the forwarding device 120 may append the token to the access request 115 when forwarding it to the server 130, so that the server 130 can manage rights independently without requiring secondary authentication of the user.
Based on the method discussed above, the embodiment of the present disclosure fuses the zero trust technology and the application gateway, thereby implementing refined authority management for user identity granularity at the application gateway, and improving security of access control.
Fig. 4 shows a flow diagram of a process 400 of access control according to one embodiment of the present disclosure. Process 400 may be implemented, for example, by forwarding device 120 in fig. 1. As shown in fig. 4, at block 402, forwarding device 120 receives an access request 115 from client 110 for server 130. In response to receiving the access request 115 from the client 110 for the server 130, the forwarding device 120 determines whether the access request includes a token generated by the certificate issuing device, at block 404. At block 406, in response to determining at block 404 that the token is included in the access request 115, the forwarding device 120 determines a user identity associated with the access request 115 from the token. At block 408, forwarding device 120 determines an access policy corresponding to the user identity. In accordance with a determination that the access request complies with the access policy, forwarding device 120 forwards access request 115 to server 130 at block 410.
Fig. 5 shows a flow diagram of a process 500 of access control according to another embodiment of the present disclosure. Process 500 may be implemented, for example, by client 110 in fig. 1. As shown in fig. 5, at block 502, client 110 determines to request access to server 130. At block 504, the client 110 determines whether the client 110 stores a token corresponding to the requested resource, the token being generated by the certificate authority. In block 506, in response to determining that the client 110 stores the token, the client 110 sends an access request including the token to the forwarding device 120 to cause the forwarding device 120 to forward the access request to the server 130 based on the token.
Fig. 6 illustrates a schematic block diagram of an example device 600 that can be used to implement embodiments of the present disclosure. Device 600 may be used to implement client 110 and/or forwarding device 120. As shown, device 600 includes a Central Processing Unit (CPU) 601 that may perform various appropriate actions and processes in accordance with computer program instructions stored in a Read Only Memory (ROM) 602 or loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the device 600 can also be stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
A number of components in the device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, a mouse, or the like; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the device 600 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processing unit 601 performs the various methods and processes described above, such as the method 400 and/or the method 500. For example, in some embodiments, method 400 and/or method 500 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM 602 and/or the communication unit 609. When the computer program is loaded into RAM 603 and executed by CPU 601, one or more steps of method 400 and/or method 500 described above may be performed. Alternatively, in other embodiments, CPU 601 may be configured to perform method 400 and/or method 500 in any other suitable manner (e.g., by way of firmware).
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (17)

1. A method of access control, comprising:
in response to receiving an access request from a client for a server, determining whether the access request includes a token generated by a certificate authority device;
in response to determining that the token is included in the access request, determining a user identity associated with the access request from the token;
determining an access policy corresponding to the user identity; and
in accordance with a determination that the access request conforms to the access policy, forwarding the access request to the server.
2. The method of claim 1, wherein determining the user identity of the access request from the token comprises:
in response to verifying the token with a public key associated with the certificate authority device, obtaining the user identity from the token, the user identity comprising at least one of a user identification or an organization identification.
3. The method of claim 1, further comprising:
in response to determining that the token is not included in the access request, sending an authentication indication to a client to enable the client to perform identity authentication with an identity authentication device;
in response to receiving authentication information from the client, sending the authentication information to the identity authentication device to obtain the user identity, the authentication information generated by the identity authentication device in response to a successful authentication;
sending the user identity to the certificate authority device to cause the certificate authority device to generate the token based on the user identity.
4. The method of claim 3, further comprising:
sending an indication to the client to cache the token.
5. The method of claim 1, wherein the token is generated by the certificate authority device digitally signing with a private key at least one of:
a user identification of the access request;
an organization identification of the access request; or
a source network address of the access request.
6. The method of claim 1, wherein determining the access policy corresponding to the user identity comprises:
responsive to verifying the token with a public key associated with the certificate authority device, determining a source network address of the access request from the token;
determining a device network address of the client based on the access request; and
determining the access policy based on the user identity according to a determination that the source network address is consistent with the device network address.
7. The method of claim 1, wherein determining the access policy corresponding to the user identity comprises:
generating a recommended policy for access control based on history analysis information indicating whether a plurality of access requests received within a predetermined period of time comply with a corresponding history access policy; and
determining the access policy corresponding to the user identity based on the recommended policy.
8. The method of claim 1, further comprising:
determining a resource to which the access request is directed; and
in accordance with a determination that the access policy allows access to the resource, determining that the access request conforms to the access policy corresponding to the user identity.
9. The method of claim 1, wherein the server is located in a private network that is not directly accessible to the client.
10. A method of access control, comprising:
in accordance with a determination to request access to a server, determining, at a client, whether the client stores a token corresponding to the requested resource, the token generated by a certificate authority device; and
in response to determining that the client stores the token, sending an access request including the token to a forwarding device to cause the forwarding device to forward the access request to the server based on the token.
11. The method of claim 10, further comprising:
in response to determining that the client does not store the token, sending an access request that does not include the token to the forwarding device; and
in response to receiving an authentication indication from the forwarding device, authenticating a user associated with the access request via an identity authentication device based on the authentication indication.
12. The method of claim 11, further comprising:
in response to receiving an indication from the forwarding device to cache the token, storing, at the client, the token generated by the certificate authority device based on authentication information generated by the identity authentication device in response to successful authentication.
13. The method of claim 10, wherein sending the access request including the token to the forwarding device comprises:
determining whether the token is expired; and
in accordance with a determination that the token is not expired, sending the access request including the token to the forwarding device.
14. An electronic device, comprising:
at least one processing unit;
at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, the instructions, when executed by the at least one processing unit, causing the electronic device to perform the method of any of claims 1-9.
15. An electronic device, comprising:
at least one processing unit;
at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, the instructions, when executed by the at least one processing unit, causing the electronic device to perform the method of any of claims 10-13.
16. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 9.
17. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 10 to 13.
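The forwarding-device logic of claims 1, 2, 3, 6 and 8, with the token issued as in claim 5, as an added Go example that is not part of the patent or the applicant's code. The Ed25519 signature scheme, the JSON token encoding, the field names, the expiry field and the sample addresses and policy are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// TokenBody is what claim 5 says the certificate authority signs (user, organization
// and source address). Exp is a constructed addition so claim 13's expiry check has data.
type TokenBody struct {
	UserID, OrgID, SrcAddr string
	Exp                    int64 // Unix seconds
}
// Token is the signed body plus the certificate authority's Ed25519 signature (claim 5).
type Token struct{ Body, Sig []byte }
// IssueToken is the certificate authority step: sign the body with the private key.
func IssueToken(priv ed25519.PrivateKey, b TokenBody) Token {
	body, _ := json.Marshal(b)
	return Token{Body: body, Sig: ed25519.Sign(priv, body)}
}
// Request is what the forwarding device sees: an optional token, the requested
// resource (claim 8) and the client's observed device network address (claim 6).
type Request struct {
	Token              *Token
	Resource, PeerAddr string
}
// Policy maps an organization identification to the resources it may reach.
type Policy map[string]map[string]bool

// Decide is the forwarding-device side of claims 1, 2, 6 and 8; "authenticate"
// means the device should send the client an authentication indication (claim 3).
func Decide(pub ed25519.PublicKey, pol Policy, r Request, now time.Time) string {
	if r.Token == nil {
		return "authenticate"
	}
	var b TokenBody // claim 2: identity is read from the token only after it verifies
	if !ed25519.Verify(pub, r.Token.Body, r.Token.Sig) ||
		json.Unmarshal(r.Token.Body, &b) != nil || now.Unix() >= b.Exp {
		return "deny"
	}
	if b.SrcAddr != r.PeerAddr { // claim 6: signed source address vs observed address
		return "deny"
	}
	if !pol[b.OrgID][r.Resource] { // claim 8: the identity's policy must allow the resource
		return "deny"
	}
	return "forward"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pol := Policy{"finance": {"/ledger": true}}
	exp := time.Now().Add(time.Hour).Unix()
	tok := IssueToken(priv, TokenBody{"alice", "finance", "10.0.0.5", exp})
	fmt.Println(Decide(pub, pol, Request{&tok, "/ledger", "10.0.0.5"}, time.Now())) // forward
	fmt.Println(Decide(pub, pol, Request{&tok, "/ledger", "10.0.0.9"}, time.Now())) // deny
}
```

The address comparison of claim 6 is what stops a cached token from being replayed from a different host; the expiry check is the server-side counterpart of the client-side check in claim 13.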
Application CN202010203739.8A, priority date 2020-03-20, filing date 2020-03-20: Method for access control, electronic device and storage medium. Status: Active, granted as CN111416822B (en).

Publications (2)

Publication Number Publication Date
CN111416822A (en) 2020-07-14
CN111416822B (en) 2022-10-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant