CN111614620A - Database access control method, system and storage medium - Google Patents

Info

Publication number: CN111614620A
Authority: CN (China)
Prior art keywords: client, session, information, database, acquiring
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202010305483.1A
Other languages: Chinese (zh)
Inventors: 李四雄, 胡俊雄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Guangzhou Southwing Information Technology Co ltd
Original Assignee: Guangzhou Southwing Information Technology Co ltd
Application filed by Guangzhou Southwing Information Technology Co ltd
Priority to CN202010305483.1A
Publication of CN111614620A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Abstract

The invention discloses a database access control method, a system and a storage medium, wherein the method comprises the following steps: allocating a session ID to a client, acquiring a client IP, and binding the session ID and the client IP; receiving timing heartbeat information sent by a client, wherein the timing heartbeat information comprises a client IP; verifying the corresponding session ID at regular time according to the timed heartbeat information; acquiring operation information of a client, wherein the operation information comprises an operation instruction and a session ID; acquiring corresponding operation authority from a cache according to the session ID; and operating the database according to the operation instruction and the operation authority. The invention verifies the client by using the session ID when the client sends the database operation instruction to the server, and prevents a network attacker from directly reading the database information through the client, thereby improving the security of database access under the CS framework. The invention can be applied to the technical field of computer communication.

Description

Database access control method, system and storage medium
Technical Field
The present invention relates to the field of computer communication technologies, and in particular, to a database access control method, system, and storage medium.
Background
Databases have become a major target of attack by hackers because they store large amounts of valuable and sensitive information, covering finance, intellectual property, enterprise data and the like. Network criminals are beginning to gain substantial profits from intruding into online business servers and breaking into databases, so ensuring database security is an increasingly important concern. At present, under a CS architecture, the client and the database generally connect directly. However, the client is placed on the user's own machine, and most existing CS architectures are developed in interpreted languages such as C# or Java, which are easily decompiled; once important information such as the account, password or connection code used to connect to the database is cracked, a major security problem arises and a major loss follows.
Disclosure of Invention
In view of the above, the present invention provides a method, a system and a storage medium for controlling database access, so as to improve the security of database access under the CS architecture.
The first technical scheme adopted by the invention is as follows:
a database access control method, comprising the steps of:
allocating a session ID to a client, acquiring a client IP, and binding the session ID and the client IP;
receiving timing heartbeat information sent by a client, wherein the timing heartbeat information comprises a client IP;
verifying the corresponding session ID at regular time according to the timed heartbeat information;
acquiring operation information of a client, wherein the operation information comprises an operation instruction and a session ID;
acquiring corresponding operation authority from a cache according to the session ID;
and operating the database according to the operation instruction and the operation authority.
Further, the method also comprises the following steps:
obtaining login information of a client, wherein the login information comprises an account number, a password, an intranet ID and an extranet ID;
and performing user login verification according to the login information.
Further, the method also comprises the following steps:
acquiring account information and operation permission corresponding to an account from a database according to the account;
and sending the account information and the operation authority to a client, wherein the account information and the operation authority are used for initializing a user interface by the client.
Further, the client and the server communicate through the WCF framework.
Further, the login information is encrypted by MD5.
Further, the step of regularly verifying the corresponding session ID according to the timing heartbeat information sent from the client to the server comprises:
acquiring timing heartbeat information of a client;
and clearing the corresponding session ID in the cache according to the timing heartbeat information.
Further, the method also comprises the following steps:
acquiring a corresponding session ID according to the timing heartbeat information;
sending the session ID to a database;
receiving the online state of the corresponding account sent by the database;
and performing user login verification according to the online state of the account.
The second technical scheme adopted by the invention is as follows:
a database access control system comprising:
the distribution module is used for distributing the session ID for the client, acquiring the client IP and binding the session ID with the client IP;
the receiving module is used for receiving timing heartbeat information sent by a client, wherein the timing heartbeat information comprises a client IP;
the verification module is used for regularly verifying the corresponding session ID according to the timed heartbeat information;
the acquisition module is used for acquiring operation information of a client, wherein the operation information comprises an operation instruction and a session ID;
the authority module is used for acquiring corresponding operation authority from a cache according to the session ID;
and the operation module is used for operating the database according to the operation instruction and the operation authority.
The third technical scheme adopted by the invention is as follows:
a database access control system comprising:
a memory for storing a program;
and the processor is used for loading the program to execute the database access control method.
The fourth technical scheme adopted by the invention is as follows:
a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the database access control method.
Compared with the prior art, the invention verifies the client by using the session ID when the client sends the operation database instruction to the server, and prevents a network attacker from directly reading the database information through the client, thereby improving the security of database access under the CS framework.
Drawings
FIG. 1 is a flow chart of a method for controlling database access according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a client login procedure of a database access control method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a client monitoring step of a database access control method according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a client accessing step of a database access control method according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a client architecture of a database access control method according to an embodiment of the present invention;
FIG. 6 is a diagram of a server architecture of a database access control method according to an embodiment of the present invention;
FIG. 7 is a database architecture diagram of a database access control method according to an embodiment of the present invention.
Detailed Description
The conception, the specific structure and the technical effects of the present invention will be clearly and completely described in conjunction with the embodiments and the accompanying drawings to fully understand the objects, the schemes and the effects of the present invention.
An embodiment of the present invention provides a database access control method, referring to fig. 1, including the following steps:
S1, allocating a session ID to the client, acquiring the client IP, and binding the session ID and the client IP;
S2, receiving timing heartbeat information sent by the client, wherein the timing heartbeat information comprises the client IP;
S3, verifying the corresponding session ID at regular intervals according to the timing heartbeat information;
S4, obtaining operation information of the client, wherein the operation information comprises an operation instruction and a session ID;
S5, acquiring the corresponding operation authority from the cache according to the session ID;
and S6, operating the database according to the operation instruction and the operation authority.
Specifically, the session ID is used to uniquely identify the client currently accessing the server in this embodiment, and by setting the session ID, a network attacker can be prevented from directly sending an operation instruction to the server through the client to control the database, so as to achieve the effect of protecting the database.
In this embodiment, because the client IP is bound to the session ID, the server extracts the client IP from the timing heartbeat information sent by the client and uses it to update the corresponding session ID.
In this embodiment, the client sends the timed heartbeat information to the server at regular time, which indicates that the client is in a normal operating state.
Timing verification: the server can judge the state of the client's account through the timing heartbeat information. When the client does not send timing heartbeat information to the server within the specified time, for example within 5 s, the account the client belongs to is considered offline; the server then recovers the session ID corresponding to that account, so that the session ID cannot be used by a network attacker to operate on or access the database.
The operation information is the information the client sends to the server to operate the database. It comprises an operation instruction and a session ID, where the operation instruction is the specific instruction for operating the database and the session ID uniquely identifies the client. After the client is admitted, the server allocates a unique session ID to it, identifies the client by that ID and caches it on the server; at the same time, the server reads the operation authority of the client's account from the database according to the account and caches the operation authority.
And the operation authority is used for limiting the operable instruction of the client, each account has the corresponding operation authority, and after the account logs in, the server reads the operation authority corresponding to the account from the database and binds the operation authority corresponding to the account with the session ID. When the client sends the operation instruction and the session ID, the server needs to inquire the operation authority of the session ID, so as to judge whether the operation instruction is valid.
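The following is an added example in Python that is not code from the patent or from the assignee's product (which the description places on C# and WCF): it models steps S1 to S6 as a server-side session cache with an injectable clock, so that the 5 s heartbeat timeout, the IP binding and the session-ID-keyed authority lookup can be exercised offline. The in-memory permission table, the account names and the string results standing in for real database calls are constructed for the example; the recovery of a session ID after a missed heartbeat or a logout is the same clearing that the timed verification step describes.

```python
import secrets
import time
from dataclasses import dataclass

# The embodiment treats a client that sends no heartbeat for 5 s as offline.
HEARTBEAT_TIMEOUT_S = 5.0


@dataclass
class Session:
    session_id: str
    client_ip: str          # IP the session ID was bound to at allocation (S1)
    account: str
    permissions: frozenset  # operation authority cached per session (S5)
    last_heartbeat: float   # clock reading of the most recent valid heartbeat (S2)


class SessionServer:
    """Server-side session cache implementing steps S1 to S6 (added example)."""

    def __init__(self, permission_db, clock=time.monotonic):
        # permission_db maps account -> permitted operation instructions; it stands in
        # for the database the server reads operation authority from (hypothetical).
        self._permission_db = permission_db
        self._clock = clock
        self._sessions = {}  # session_id -> Session; this is the server cache

    def allocate(self, account, client_ip):
        """S1: allocate an unpredictable session ID, bind it to the client IP,
        and cache the account's operation authority under it."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(
            session_id, client_ip, account,
            frozenset(self._permission_db.get(account, ())), self._clock())
        return session_id

    def heartbeat(self, session_id, client_ip):
        """S2: a heartbeat refreshes the session only when its IP matches the bound IP."""
        s = self._sessions.get(session_id)
        if s is None or s.client_ip != client_ip:
            return False
        s.last_heartbeat = self._clock()
        return True

    def sweep(self):
        """S3 (timed verification): recover session IDs whose heartbeat timed out."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_heartbeat > HEARTBEAT_TIMEOUT_S]
        for sid in expired:
            del self._sessions[sid]
        return expired

    def logout(self, session_id):
        """Recover the session ID when the client quits so it cannot be reused."""
        return self._sessions.pop(session_id, None) is not None

    def operate(self, session_id, client_ip, instruction):
        """S4 to S6: look up the cached authority by session ID and decide
        whether the operation instruction may be run against the database."""
        s = self._sessions.get(session_id)
        if s is None:
            return "denied: unknown or expired session"
        if s.client_ip != client_ip:
            return "denied: session not bound to this IP"
        if instruction not in s.permissions:
            return f"denied: {instruction} not in operation authority of {s.account}"
        return f"ok: {instruction} executed for {s.account}"


if __name__ == "__main__":
    # Constructed walk-through driven by a manual clock instead of real time.
    now = [0.0]
    server = SessionServer({"alice": {"read_orders"}}, clock=lambda: now[0])
    sid = server.allocate("alice", "10.0.0.5")
    print(server.operate(sid, "10.0.0.5", "read_orders"))
    now[0] = 6.0
    print("expired:", server.sweep())
    print(server.operate(sid, "10.0.0.5", "read_orders"))
```

The session ID is drawn from `secrets`, because a guessable ID would let a third party present a valid-looking session without ever logging in; the IP check on both heartbeats and operations is what makes the binding in S1 meaningful rather than decorative.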
Further as an optional implementation, the method further comprises the following steps:
obtaining login information of a client, wherein the login information comprises an account number, a password, an intranet ID and an extranet ID;
and performing user login verification according to the login information.
Specifically, in this embodiment the client user is authenticated through login information comprising an account, a password, an intranet ID and an extranet ID: the account and password authenticate the user, and the intranet ID and extranet ID authenticate the user's equipment. The intranet ID and extranet ID are only verified after the account and password have been verified, which reduces invalid verification. The intranet ID is a local area network ID and the extranet ID is a public network ID; together they allow verifying whether the login equipment is the user's usual device.
In the embodiment of the invention, client users are classified into advanced users and common users; advanced users can perform operations such as real-time operation monitoring, forced offline and notification issuing on common users. The client uploads its operation record every time it operates; after receiving the user's timing heartbeat information and operation record, the server updates the client's online information and records the operation log, and at the same time sends a return instruction to the corresponding client. The client obtains the server instruction and executes the corresponding operation, for example popping up a warning window when it has been taken offline. Through this process, monitoring of the client is realized. If the server does not receive the user's timing heartbeat information, the session ID information is not updated because of the timeout, the session ID becomes invalid, the system cannot perform the next operation and the user has to log in again, which protects the data and the system security.
Further as an optional implementation, the method further comprises the following steps:
acquiring account information and operation permission corresponding to an account from a database according to the account;
and sending the account information and the operation authority to a client, wherein the account information and the operation authority are used for initializing a user interface by the client.
Specifically, different user interfaces are loaded to users with different account information and operation permissions, so that the client can be prevented from operating the database by using unauthorized operation instructions, and different operation interfaces can be customized for different users.
Further as an optional implementation manner, the client and the server communicate through a WCF framework.
Specifically, WCF integrates the original Windows communication mechanisms of .NET Remoting, Web Service and Socket, and integrates the related technologies of HTTP and FTP. WCF implementations already support both transport level security and message level security. Transport level security: encryption, e.g. SSL, is applied while the data is in transit. Message level security: the data itself is protected when it is processed, for example using a digital signature, a hash or key-based encryption. The architecture recommends WCF X.509 certificate encryption, which has the advantages of high encryption strength and convenient use and deployment. Using the WCF certificate for authentication improves the security of login information transmission. In this embodiment, not only the login information but all interaction between the client and the server may carry the WCF certificate, which improves the security of database operation access.
Further as an optional embodiment, the login information is encrypted by MD5.
Specifically, the MD5 message digest algorithm generates a 128-bit hash value used to ensure the integrity and consistency of the transmitted message; by applying MD5 to the login message, the risk of the login message being deciphered during transmission is reduced, thereby improving the security of the client account.
As a further optional implementation manner, the step of regularly verifying the corresponding session ID according to the timing heartbeat information sent by the client to the server comprises:
acquiring timing heartbeat information of a client;
and clearing the corresponding session ID in the cache according to the timing heartbeat information.
Specifically, after the client quits, the server recovers the session ID of that session so that it cannot be used illegally; the next time the client logs in, it must obtain a new session ID. By regularly detecting the online state of the client and clearing session IDs from the server cache, server memory is released, invalid session IDs are processed, and an invalid session ID cannot be used by a network attacker to access the database.
As a further optional implementation, the method further includes the following steps:
acquiring a corresponding session ID according to the timing heartbeat information;
sending the session ID to a database;
receiving the online state of the corresponding account sent by the database;
and performing user login verification according to the online state of the account.
Specifically, the online state of the account can be determined through the timing heartbeat information, and the online state needs to be verified before the account logs in, so that the account is prevented from logging in repeatedly. In this embodiment, the client includes an interface presentation layer and a client agent layer for WCF services. After a user opens the client system, a login box appears in which basic login information such as an account number and a password must be entered; the client then accesses the server interface through WCF communication, carrying the WCF certificate and the MD5-processed login information. The server verifies the login information: whether the WCF certificate is legal; whether the account number and password MD5 match; whether the account is already logged in; whether the IP is allowed to log in; and so on. After verification passes, the server automatically allocates a session ID and records the login related information, including the account number, login intranet IP, login extranet IP, login time and the like. Thereafter, every time the client accesses a server interface through WCF, it must carry the session ID.
By recording the login related information, namely the account, intranet IP, extranet IP, login time and the like, and combining it with the historical operation information of the account, the system can derive the habits of the user behind the account from this accumulated data, compare the user's current operation against those habits to judge whether the current behaviour is abnormal, and notify the senior user who manages that user when the client exhibits abnormal behaviour. Monitoring and responding to abnormal behaviour further improves the security of database access.
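As an added example (not the patent's or the assignee's code), the login check sequence just described, in Python: certificate legality, account and password digest comparison, online state, IP allow-list, and the device check that the earlier optional implementation says is only done once the password has passed. The trusted certificate fingerprint, the account records, the allowed IP and the known device pairs are constructed stand-ins for what the server would read from its database, and the `LoginServer` class name is this example's own. The page specifies MD5 for the login information; the example keeps that in a single `login_digest` helper so the choice is visible and replaceable in one place, and compares digests in constant time.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed server-side records; the real system reads these from its database.
TRUSTED_CERT_FINGERPRINTS = {"sha256:constructed-client-cert"}  # "is the WCF certificate legal"
ALLOWED_EXTRANET_IPS = {"alice": {"192.0.2.10"}}                # "whether IP allows login"
USUAL_DEVICES = {"alice": {("LAN-01", "WAN-07")}}               # (intranet ID, extranet ID) pairs seen before


def login_digest(password: str) -> str:
    """The patent specifies MD5 for the login information; isolating that choice here
    lets a deployment substitute a purpose-built password hash in one place."""
    return hashlib.md5(password.encode()).hexdigest()


ACCOUNTS = {"alice": login_digest("correct horse")}  # account -> stored digest (constructed)
_DUMMY_DIGEST = login_digest("")  # compared against for unknown accounts so timing stays uniform


class LoginServer:
    """Hypothetical server-side login verifier for the embodiment's check sequence."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.online = {}     # account -> live session ID ("whether the account is logged in")
        self.login_log = []  # login related information recorded after a successful login
        self._clock = clock

    def login(self, cert_fp, account, password_digest, intranet_id, extranet_id,
              intranet_ip, extranet_ip):
        """Run the checks in order; return (session_id, reason), session_id None on failure."""
        if cert_fp not in TRUSTED_CERT_FINGERPRINTS:
            return None, "certificate not trusted"
        stored = ACCOUNTS.get(account, _DUMMY_DIGEST)
        if not hmac.compare_digest(stored, password_digest) or account not in ACCOUNTS:
            return None, "account or password wrong"
        # Device check comes only after the password check passes, as the text prescribes.
        if (intranet_id, extranet_id) not in USUAL_DEVICES.get(account, set()):
            return None, "unfamiliar device"
        if account in self.online:
            return None, "account already logged in"
        if extranet_ip not in ALLOWED_EXTRANET_IPS.get(account, set()):
            return None, "IP not allowed"
        session_id = secrets.token_urlsafe(32)
        self.online[account] = session_id
        self.login_log.append({"account": account, "intranet_ip": intranet_ip,
                               "extranet_ip": extranet_ip, "time": self._clock()})
        return session_id, "ok"

    def logout(self, account):
        """Clear the online state so the account may log in again."""
        return self.online.pop(account, None) is not None


if __name__ == "__main__":
    server = LoginServer()
    print(server.login("sha256:constructed-client-cert", "alice", login_digest("correct horse"),
                       "LAN-01", "WAN-07", "10.0.0.5", "192.0.2.10"))
```

The unknown-account path compares against a dummy digest before rejecting, so the time taken does not reveal whether the account exists; the reason strings are for the reader, and a production server would return one generic failure to the client while logging the specific cause.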
The invention also provides a database access control system, comprising:
the distribution module is used for distributing the session ID for the client, acquiring the client IP and binding the session ID with the client IP;
the receiving module is used for receiving timing heartbeat information sent by a client, wherein the timing heartbeat information comprises a client IP;
the verification module is used for regularly verifying the corresponding session ID according to the timed heartbeat information;
the acquisition module is used for acquiring operation information of a client, wherein the operation information comprises an operation instruction and a session ID;
the authority module is used for acquiring corresponding operation authority from a cache according to the session ID;
and the operation module is used for operating the database according to the operation instruction and the operation authority.
Specifically, the contents in the above method embodiments are all applicable to the present system embodiment, the functions specifically implemented by the present system embodiment are the same as those in the above method embodiment, and the beneficial effects achieved by the present system embodiment are also the same as those achieved by the above method embodiment.
It should be appreciated that the layers, modules, units, platforms, and/or the like included in an embodiment system of the invention may be implemented or embodied by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Moreover, the data processing flows performed by the layers, modules, units, and/or platforms included in the system of embodiments of the invention may be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The data processing flows correspondingly performed by the layers, modules, units and/or platforms included in the system of embodiments of the invention may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or a combination thereof. The computer program includes a plurality of instructions executable by one or more processors.
The invention also provides a database access control system, comprising:
a memory for storing a program;
and the processor is used for loading the program to execute the database access control method.
In particular, the system may be implemented in any type of computing platform operatively connected to a suitable connection, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. The data processing flows correspondingly executed by the layers, modules, units and/or platforms included in the inventive system may be implemented in machine readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, an optical read and/or write storage medium, a RAM, a ROM, etc., such that it may be read by a programmable computer, and when the storage medium or device is read by the computer, may be used to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the database access control method.
In particular, the storage medium stores processor-executable instructions which, when executed by the processor, perform the steps of the method according to any one of the above method embodiments. The storage medium may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. The contents of the foregoing method embodiments are all applicable to this storage medium embodiment; the functions it implements and the advantageous effects it achieves are the same as those of the foregoing method embodiments.
The software system of the embodiment of the invention mainly comprises three parts: a client application program, a server application program and a database. The client application program mainly refers to WinForms, WPF and the like; the database includes local databases such as MySQL, SQL Server, Oracle, SQLite, PostgreSQL and MariaDB, and cloud databases such as Alibaba Cloud database, Tencent Cloud database, Amazon rows, Oracle Cloud and Microsoft Azure. The software system is divided into 3 layers, client login, client monitoring and client access, and realizes security control of database access through the security protection of these three layers.
The client login stage, referring to fig. 2, executes the following steps: the method comprises the steps that a client sends login information encrypted by an X509 certificate of an application WCF to a server, an account and a password in the login information are encrypted through an MD5, and the login information further comprises IP information of login equipment; after receiving the login information of the client, the server firstly verifies the WCF in the login information; the server side verifies the account number, the password, the IP information and the login state in the login information; the server side distributes a unique session ID for the client side, and the session ID is used for a certificate of the client side for accessing the database later; the server side sends login related information such as session ID, login information and login time to the database, and the data stores the login related information; the database searches corresponding account number related information such as account number basic information, function authority, data authority and the like in the database according to the login related information sent by the server; the server side sends the account related information and the session ID to the client side; and the client initializes the UI of the client according to the related information of the account.
The client monitoring stage, referring to fig. 3, proceeds as follows. The client runs a background thread that sends timed heartbeat messages to the server at regular intervals; these heartbeats are used to verify that the client is online. The server periodically updates the client's login state in the database according to the heartbeat messages it receives. An administrator can force an ordinary user's client offline and push a pop-up notice to it.
The client access stage, referring to fig. 4, proceeds as follows. The client sends operation information to the server, comprising a first operation instruction and the session ID. The server obtains the data permissions and function permissions corresponding to the session ID and, by matching the first operation instruction against those permissions, generates a second operation instruction. The server sends the second operation instruction to the database, which performs the access.
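The three stages above (login with session ID bound to the client IP, timed heartbeats that keep the session alive, and an operation rewritten by the server according to the session's function and data permissions), modelled server-side in Python as an added example; this is not code from the patent. It assumes the session ID is a random token, the permission cache is an in-memory dict keyed by session ID, the "second operation instruction" is the client's (verb, table) request with a server-supplied row filter appended, and the account record is constructed.

```python
import hashlib
import hmac
import secrets
import time

HEARTBEAT_TIMEOUT = 30  # seconds without a heartbeat before a session ID is cleared
# Constructed account record: MD5 of the password (a hash, not encryption), the function
# permission (allowed verbs) and the data permission (row filter the server appends).
ACCOUNTS = {"alice": {"password_md5": hashlib.md5(b"constructed-password").hexdigest(),
                      "functions": {"SELECT", "DELETE"},
                      "data_filter": "dept = 'sales'"}}
TEMPLATES = {"SELECT": "SELECT * FROM {t} WHERE {f}", "DELETE": "DELETE FROM {t} WHERE {f}"}


class SessionServer:
    def __init__(self, clock=time.monotonic):
        self.clock, self.sessions = clock, {}  # sessions is the cache: sid -> {account, ip, last_seen}

    def login(self, account, password_md5, ip):
        """Verify the login information, then allocate a session ID bound to the client IP."""
        rec = ACCOUNTS.get(account)
        if rec is None or not hmac.compare_digest(rec["password_md5"], password_md5):
            return None
        sid = secrets.token_urlsafe(32)  # random, unguessable session ID
        self.sessions[sid] = {"account": account, "ip": ip, "last_seen": self.clock()}
        return sid

    def heartbeat(self, sid, ip):
        """Accept a timed heartbeat only from the IP the session was bound to."""
        s = self.sessions.get(sid)
        if s is None or s["ip"] != ip:
            return False
        s["last_seen"] = self.clock()
        return True

    def expire(self):
        """Timed verification: clear session IDs whose heartbeats have stopped."""
        cutoff = self.clock() - HEARTBEAT_TIMEOUT
        dead = [sid for sid, s in self.sessions.items() if s["last_seen"] < cutoff]
        self.sessions = {k: v for k, v in self.sessions.items() if k not in dead}
        return dead

    def operate(self, sid, ip, op, table):
        """Map the client's first instruction (op, table) to the second instruction, or None."""
        s = self.sessions.get(sid)
        if s is None or s["ip"] != ip or not table.isidentifier():  # same IP, plain table name
            return None
        rec = ACCOUNTS[s["account"]]
        if op not in rec["functions"] or op not in TEMPLATES:  # function permission check
            return None
        return TEMPLATES[op].format(t=table, f=rec["data_filter"])  # data permission applied
```

The server, not the client, supplies the WHERE clause, so a client cannot widen its own data permission by editing the first instruction; a session whose heartbeats stop is dropped by `expire()` and its ID no longer authorizes anything.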
An embodiment of the present invention provides a new design for a client/server (CS) architecture; referring to fig. 5, fig. 6 and fig. 7, fig. 5 is the client architecture diagram, fig. 6 the server architecture diagram and fig. 7 the database architecture diagram. The design addresses the weak security and high code coupling of a conventional CS architecture, which make it difficult to maintain. The framework adapts well to different environments, its modules are highly reusable, it is configured independently and requires little code modification. It provides control security, data security, operation security and access security; it is an elastic framework that can be used both for application software on a local area network and for distributed applications in an Internet environment, and it is a mature, stable, secure and efficient technical framework. The architecture greatly improves the security of the CS architecture: the presentation layer of the client application communicates with the WCF service client proxy layer, and the proxy layer with the WCF service layer, so the application never accesses the database directly; this removes that weakness and improves data security. Coupling between modules is greatly reduced, code is easier to maintain and development efficiency improves.
The above description is only a preferred embodiment of the present invention, and the invention is not limited to that embodiment; any modifications, equivalent substitutions, improvements and the like within the spirit and principle of the invention are included in its scope of protection, as long as the technical effects of the invention are achieved by the same means. Other modifications and variations of the technical solution and/or its implementation are possible within the scope of protection of the invention.

Claims (10)

1. A database access control method, comprising the steps of:
allocating a session ID to a client, acquiring the client IP, and binding the session ID to the client IP;
receiving timed heartbeat information sent by the client, wherein the timed heartbeat information comprises the client IP;
verifying the corresponding session ID at regular intervals according to the timed heartbeat information;
acquiring operation information of the client, wherein the operation information comprises an operation instruction and the session ID;
acquiring the corresponding operation authority from a cache according to the session ID;
and operating the database according to the operation instruction and the operation authority.
2. The database access control method according to claim 1, further comprising the steps of:
obtaining login information of a client, wherein the login information comprises an account number, a password, an intranet ID and an extranet ID;
and performing user login verification according to the login information.
3. The database access control method according to claim 2, further comprising the steps of:
acquiring account information and operation permission corresponding to an account from a database according to the account;
and sending the account information and the operation authority to a client, wherein the account information and the operation authority are used for initializing a user interface by the client.
4. The database access control method according to claim 2, wherein the client and the server communicate via the WCF framework.
5. The database access control method according to claim 2, wherein the login information is encrypted by MD5.
6. The database access control method according to claim 1, wherein verifying the corresponding session ID at regular intervals according to the timed heartbeat information sent from the client to the server comprises:
acquiring the timed heartbeat information of the client;
and clearing the corresponding session ID in the cache according to the timed heartbeat information.
7. The database access control method according to claim 6, further comprising the steps of:
acquiring the corresponding session ID according to the timed heartbeat information;
sending the session ID to the database;
receiving the online state of the corresponding account sent by the database;
and performing user login verification according to the online state of the account.
8. A database access control system, comprising:
an allocation module for allocating a session ID to a client, acquiring the client IP, and binding the session ID to the client IP;
a receiving module for receiving timed heartbeat information sent by the client, wherein the timed heartbeat information comprises the client IP;
a verification module for verifying the corresponding session ID at regular intervals according to the timed heartbeat information;
an acquisition module for acquiring operation information of the client, wherein the operation information comprises an operation instruction and the session ID;
an authority module for acquiring the corresponding operation authority from a cache according to the session ID;
and an operation module for operating the database according to the operation instruction and the operation authority.
9. A database access control system, comprising:
a memory for storing a program;
a processor for loading the program to perform a database access control method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a database access control method according to any one of claims 1 to 7.
Application CN202010305483.1A, priority date 2020-04-17, filing date 2020-04-17: Database access control method, system and storage medium; status pending; published as CN111614620A (en).

Publications (1)

CN111614620A (en), published 2020-09-01


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615048A (en) * 2022-03-09 2022-06-10 中国农业银行股份有限公司 Method and device for processing submission data

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1835514A (en) * 2006-03-31 2006-09-20 北京润汇科技有限公司 Management method of broadband access of DHCP customer's terminal mode
US20070283021A1 (en) * 2006-06-02 2007-12-06 Daniel Manhung Wong Method and apparatus for establishing multiple sessions between a database and a middle-tier client
CN102104607A (en) * 2011-03-10 2011-06-22 易程(苏州)软件股份有限公司 Method, device and system for controlling safety of service access
US20140115176A1 (en) * 2012-10-22 2014-04-24 Cassidian Communications, Inc. Clustered session management
CN105611520A (en) * 2015-12-25 2016-05-25 北京奇虎科技有限公司 Method and device for realizing user Internet surfing control
CN106033422A (en) * 2015-03-11 2016-10-19 中国移动通信集团内蒙古有限公司 A database operation control method, device and system
CN107133516A (en) * 2017-04-24 2017-09-05 深信服科技股份有限公司 A kind of authority control method and system
CN109167802A (en) * 2018-11-08 2019-01-08 金蝶软件(中国)有限公司 Prevent method, server and the terminal of Session Hijack
CN110072127A (en) * 2018-01-24 2019-07-30 腾讯科技(深圳)有限公司 Media Stream play handling method, device, system, storage medium and equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张春, 李红辉 (Zhang Chun, Li Honghui): "Oracle数据库网络安全访问机制" (Oracle database network security access mechanism), 《微计算机信息》 (Microcomputer Information), 30 January 2006, pages 187-189 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200901)