CN111953664B - User request verification method and system based on variable security level - Google Patents

User request verification method and system based on variable security level

Info

Publication number: CN111953664B
Authority: CN (China)
Prior art keywords: user, mobile terminal, request, mailbox, user mobile
Legal status: Active (an assumption; Google has not performed a legal analysis)
Application number: CN202010731076.7A
Other languages: Chinese (zh)
Other versions: CN111953664A
Inventors: 盛洋, 康宇
Current assignee: Sina Technology China Co Ltd (listed assignees may be inaccurate)
Original assignee: Sina Technology China Co Ltd
Events: application filed by Sina Technology China Co Ltd; priority to CN202010731076.7A; publication of CN111953664A; application granted; publication of CN111953664B; legal status active

Classifications

  • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
  • H04L51/42: Mailbox-related aspects, e.g. synchronisation of mailboxes (H04L51/00: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail)
  • H04L63/105: Multiple levels of security (under H04L63/10)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the invention provides a user request verification method based on a variable security level, comprising the following steps: detecting, at a set frequency, whether the user mobile terminal activation device can be accessed normally; if the activation device can be accessed normally, verifying a user request for mailbox access received from the user mobile terminal at the normal security verification level; and if the activation device cannot be accessed normally, verifying such a request at a reduced security verification level. By automatically adjusting the security verification level according to the running state of the system, the scheme avoids the security proxy service stopping when a component fails, so that the system keeps providing the security proxy service.

Description

User request verification method and system based on variable security level
Technical Field
The invention relates to the field of network technology, and in particular to a user request verification method and a user request verification system based on a variable security level.
Background
In the prior art, many intranet enterprise mailbox services are exposed directly to the external network. Some enterprise mailboxes receive basic protection through a simple proxy, but that proxy only limits the number of access devices: there is no allow-list control over the specific mobile devices a user may use, no additional defence policy such as device ID authentication of mailbox users or a per-user device quota, and no authentication of the user's mobile terminal device when it accesses the mailbox server.
Nor does the prior art have a joint, automated mechanism for service monitoring and fault analysis. When a user's mobile terminal device fails identification, or the mailbox proxy service fails, while the user is accessing the mailbox server, the prior art offers only plain monitoring of the mailbox gateway service: the monitor raises an alarm by mail or SMS when the service stops, and after the responsible staff receive the alarm they log in to the service equipment by hand to analyse and repair the fault.
In the course of implementing the invention, the inventors found that the prior art has at least the following problems:
(1) when a user request for mailbox access is verified in the prior art, only the user name is authenticated, so any number of unregistered, unactivated devices can access the server under a legitimate user name as long as that user name is valid, which is a large security risk;
(2) because the prior art cannot perform automatic operation and maintenance and needs manual intervention, simply adding a verification step for the user's mobile terminal device would mean that, if registration or activation of the device fails, a legitimate user with a new device cannot access the mailbox; the security proxy service is then effectively stopped until the fault has been cleared by hand.
Disclosure of Invention
Embodiments of the invention provide a user request verification method and a user request verification system based on a variable security level. Adding a verification step for the user's mobile terminal device after the user name has been verified addresses the over-simple user verification and the low security of the mailbox system's external service when the system is running normally; further, monitoring the running state of the mobile terminal activation device in real time and automatically adjusting the security verification level gives the security verification process a self-maintaining capability, so that the security proxy service does not stop when a component fails and the system keeps providing service.
To achieve the above object, in one aspect an embodiment of the invention provides a method for verifying a user request based on a variable security level, comprising:
detecting, at a set frequency, whether the user mobile terminal activation device can be accessed normally;
if the user mobile terminal activation device can be accessed normally, verifying, at the normal security verification level and through a mailbox security proxy gateway, a user request for mailbox access received from the user mobile terminal;
and if the user mobile terminal activation device cannot be accessed normally, verifying, at a reduced security verification level and through the mailbox security proxy gateway, a user request for mailbox access received from the user mobile terminal.
In another aspect, an embodiment of the invention provides a system for verifying a user request based on a variable security level, comprising:
an automatic operation and maintenance monitoring module, for detecting at a set frequency whether the user mobile terminal activation device can be accessed normally;
a mailbox security proxy gateway, for verifying a user request for mailbox access received from the user mobile terminal at the normal security verification level when the user mobile terminal activation device can be accessed normally, and at a reduced security verification level when the user mobile terminal activation device cannot be accessed normally.
The technical scheme has the following beneficial effects:
When a request for mailbox access sent by a user mobile terminal is processed, the running state of the system's user mobile terminal activation device is monitored in real time. When, unexpectedly, the activation device cannot provide the activation service or the activation data of user mobile terminals cannot be read, the security verification level is lowered automatically so that devices of legitimate users that are not yet registered and activated can access temporarily; this avoids the mailbox proxy service stopping because legitimate users are locked out and the fault cannot be handled in time, and the system keeps providing the security proxy service. Once the fault is cleared and the activation device resumes normal service, the normal security verification level is restored automatically, so that a legitimate user's mobile terminal can access only after registration and activation; the risk of unknown devices gaining access is avoided and the security of the mailbox system's external service is improved.
In addition, when a mailbox security proxy gateway cannot provide the mailbox proxy service normally, the domain name of the failed gateway is automatically pointed at a healthy gateway so that user access requests are still handled in time, and the domain name is adjusted back once the failed gateway resumes normal mail proxy service. Neither fault needs manual intervention; operation and maintenance are automated, which improves the efficiency and stability of the security proxy service.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a variable security level based user request authentication method of the present invention;
FIG. 2 is a schematic diagram of a variable security level based user request authentication system of the present invention;
FIG. 3 is a schematic diagram of a system configuration according to an embodiment of the present invention;
FIG. 4 is a flowchart of a method according to yet another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in Fig. 1, the invention provides a user request verification method based on a variable security level, comprising:
S101, detecting at a set frequency whether the user mobile terminal activation device can be accessed normally;
S102, if the user mobile terminal activation device can be accessed normally, after receiving a user request for mailbox access sent by the user mobile terminal, verifying the user request at the normal security verification level through a mailbox security proxy gateway;
S103, if the user mobile terminal activation device cannot be accessed normally, after receiving a user request for mailbox access sent by the user mobile terminal, verifying the user request at a reduced security verification level through the mailbox security proxy gateway.
In this scheme a mailbox security proxy gateway is deployed in front of the mailbox server. In a zero-trust manner it intercepts every user request for the mailbox service, parses the request, extracts the user and user-device information carried in the mailbox request protocol data, and compares that data with the list of activated user mobile terminal device numbers obtained from the user mobile terminal activation device, forming an allow-list mechanism that ties enterprise mailbox users to their external-network mobile terminal devices. The security proxy gateway verifies a user's request to the mailbox server with two-layer authentication: when a mobile terminal such as a user's phone accesses the mailbox server, the user must first pass identity authentication by user name, and then the legitimate user's device must be in the activated state; only registered and activated terminal devices are admitted. This effectively raises security.
This scheme, however, has a problem. When the device that registers and activates user terminals is not working normally, for example it fails to process an activation request, cannot be reached, or the security gateway cannot read the information of a terminal device newly activated on it, even a genuinely legitimate user who has changed devices cannot access the mailbox from the new device, either because the new device cannot be activated at all or because the security gateway never receives the updated activation information even though the activation device did process the registration. In this situation a prior-art system can only raise an alarm; the problem is solved only by manual troubleshooting, and the user regains normal mailbox access only after the fault has been cleared, which is very inefficient and gives a poor user experience.
Against this, the technical means adopted here analyses the overall causes of a service failure and, for each condition on which the service depends, whether on itself or on other services, lets the system step its security level down and back up automatically. The mailbox security proxy gateway thus secures the enterprise's mobile mailbox users, while automated monitoring and operation and maintenance keep the security proxy service continuously available.
Further, the user request comprises a user name and a user mobile terminal device number;
step S102 specifically comprises:
S1021, parsing the user request to obtain the user name and the user mobile terminal device number;
S1022, judging whether the user name is in a preset list of legitimate users;
S1023, if not, ignoring the user request;
S1024, if so, further judging whether the user mobile terminal device number is in the current list of activated user mobile terminal device numbers;
S1025, if not, prompting the user mobile terminal to send an activation request to activate the user device, and ignoring the user request;
S1026, if so, forwarding the user request to the mail server.
Further, step S103 specifically comprises:
S1031, parsing the user request to obtain the user name;
S1032, judging whether the user name is in the preset list of legitimate users;
S1033, if not, ignoring the user request;
S1034, if so, forwarding the user request to the mail server.
When abnormal operation of the user terminal registration and activation device is detected, the temporary measure of lowering the security verification level is adopted so that legitimate users are not prevented from accessing the mailbox from new devices: only the validity of the user name is checked, and the mailbox proxy service can still be provided until the fault is repaired. Even in this degraded state the user name is still verified, so illegitimate users are kept out and the rights of legitimate users and the security of the mailbox service are preserved as far as possible. Throughout, the mailbox security proxy gateway provides both the security verification service for user requests and the mailbox proxy service, forwarding successfully verified user access requests to the mail server.
Further, the method further comprises:
S104, processing, through the user mobile terminal activation device, an activation request for activating a user device;
step S104 specifically comprises:
S1041, when an activation request for activating a user device is received from a user mobile terminal, parsing the activation request to obtain the user name and user mobile terminal device number it contains;
S1042, judging whether the user name in the activation request is in the preset list of legitimate users;
S1043, if not, ignoring the activation request;
S1044, if so, storing the user mobile terminal device number from the activation request in the list of activated user mobile terminal device numbers.
After a user switches to a new terminal device, the user actively sends an activation request to the activation device; the activation device updates its database after processing the request, and the security gateway obtains the latest list of activated user mobile terminal device numbers by synchronising the contents of the activation device's database. Thus, when the user sends a request to the security gateway to access the mailbox server, the terminal device can be identified; if the user's new terminal device has not been registered and activated beforehand, it will not be in the activated device list when the user accesses the mailbox, the access is refused, and the user terminal receives a prompt to activate the device.
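As an added example, not code from the patent or from Sina, the following Python model puts steps S102, S103 and S104 together with the two-layer authentication described above: the activation device keeps the [user name][device ID][active state] table, the gateway mirrors it as its activated-device list and applies either the normal or the reduced verification level depending on whether the activation device could be reached during the last sync. The patent's gateway runs on OpenResty with Redis and MySQL; here everything is in-process so the decision logic can be exercised directly. The URI layout (Exchange ActiveSync style query parameters User and DeviceId) and all class and function names are assumptions.

```python
"""Model of the two-level verification in the mailbox security proxy gateway.

Added example, not the patent's code.  Real deployment per the patent: the
gateway is OpenResty, the activated-device list lives in a Redis KV table and
an OpenResty shared dict, the activation device's table is in MySQL.  Here all
of that is in-process dicts and sets.
"""
from enum import Enum
from urllib.parse import parse_qs, urlsplit


class Level(Enum):
    NORMAL = "normal"        # S102: user name AND activated device ID
    DEGRADED = "degraded"    # S103: user name only


class Decision(Enum):
    FORWARD = "forward to mail server"
    IGNORE = "ignore request"
    PROMPT_ACTIVATE = "prompt terminal to send activation request"


def parse_request(uri):
    """S1021 / S1031: extract (user name, device ID) from the request URI.

    Assumed layout (Exchange ActiveSync style, not stated by the patent):
    /Microsoft-Server-ActiveSync?User=alice&DeviceId=ABC123&Cmd=Sync
    Missing parameters come back as None.
    """
    params = parse_qs(urlsplit(uri).query)
    return params.get("User", [None])[0], params.get("DeviceId", [None])[0]


class ActivationDevice:
    """User mobile terminal activation device (S104, embodiment section 1)."""

    def __init__(self, legal_users):
        self.legal_users = set(legal_users)
        self.table = {}         # (user name, device ID) -> active state
        self.reachable = True   # flipped by the caller to simulate a fault

    def activate(self, user, device_id):
        """S1041-S1044: ignore unknown user names, otherwise store the device."""
        if user not in self.legal_users:
            return False
        self.table[(user, device_id)] = True
        return True

    def activated_list(self):
        """What the gateway's sync reads; raises when the device is down."""
        if not self.reachable:
            raise ConnectionError("activation device unreachable")
        return {key for key, active in self.table.items() if active}


class Gateway:
    """Mailbox security proxy gateway (S102/S103, embodiment section 2)."""

    def __init__(self, legal_users):
        self.legal_users = set(legal_users)
        self.activated = set()   # mirror of the KV table [user name][device ID]
        self.level = Level.NORMAL

    def sync(self, device):
        """Pull the latest activated list.  In the patent the monitoring module
        decides the level; here a failed pull degrades and a good pull restores."""
        try:
            self.activated = device.activated_list()
            self.level = Level.NORMAL
        except ConnectionError:
            self.level = Level.DEGRADED   # keep the stale list, stop relying on it

    def verify(self, uri):
        user, device_id = parse_request(uri)
        if user not in self.legal_users:            # S1022/S1032: both levels
            return Decision.IGNORE
        if self.level is Level.DEGRADED:            # S1034: user name is enough
            return Decision.FORWARD
        if (user, device_id) not in self.activated:  # S1024/S1025
            return Decision.PROMPT_ACTIVATE
        return Decision.FORWARD                     # S1026
```

Note that the reduced level is fail-open with respect to device binding: while the activation device is unreachable, any device can use a valid user name, so whatever makes the activation device unreachable from the gateway (a fault, or someone able to cause one) obtains the same relaxation. The patent's monitoring module raises a high-level alarm when it calls the gateway's degrade API; that alarm deserves to be handled as a security event and not only as an availability one.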
Further, the method further comprises:
S105, detecting at a preset frequency whether the mailbox proxy service provided by each mailbox security proxy gateway is running normally;
S106, if a mailbox proxy service is running abnormally, switching the domain name of the mailbox security proxy gateway corresponding to that service to a normally running mailbox security proxy gateway, and raising an alarm.
The prior art has three methods for obtaining the health state of a mailbox gateway service:
Method 1: a monitoring script installed on the server checks whether the proxy service process is alive, and the service script has to restart the service once it finds that the process has stopped.
Method 2: HTTPS monitoring in the style of Zabbix, which actively issues HTTPS requests to check whether a specific service interface is healthy and then sends the result to the responsible server administrator by mail or similar.
Method 3: connectivity of the service network is monitored with fping, which uses ICMP to judge the server's network connection state and its ability to serve by continuously communicating with the outside.
These three methods monitor whether the service is normal from three angles: liveness probing over the TCP network, calling the HTTPS interface, and checking whether the server process is running. Once monitoring finds a problem, only a simple cause of the service fault can be identified; no more detailed monitoring data is available to serve as the basis for automatic operation and maintenance adjustments, the alarm information has to be handled manually, and the alarm data cannot be used for linked fault analysis. The mailbox gateway service therefore cannot repair itself automatically, and the system cannot adjust its own security level by analysing the current monitoring data.
In this scheme the API of the mailbox proxy service is monitored in real time. As soon as an alarm is raised, a unified automatic analysis script on the server side sends an alarm mail, requests the DNS domain-name service through its API and re-points the domain name at the proxy service on a healthy machine-room line; after the failed server's interface returns to normal, the domain name is automatically switched back to the originally configured host, so that continuous mailbox service is provided.
As shown in Fig. 2, the invention provides a user request verification system based on a variable security level, comprising:
an automatic operation and maintenance monitoring module 21, for detecting at a set frequency whether the user mobile terminal activation device 23 can be accessed normally;
a mailbox security proxy gateway 22, for verifying, when the user mobile terminal activation device 23 can be accessed normally, a user request for mailbox access received from a user mobile terminal at the normal security verification level, and, when the user mobile terminal activation device 23 cannot be accessed normally, verifying such a request at a reduced security verification level.
Further, the user request comprises a user name and a user mobile terminal device number;
the mailbox security proxy gateway comprises a normal-level verification module, for parsing the user request to obtain the user name and the user mobile terminal device number; judging whether the user name is in a preset list of legitimate users; if not, ignoring the user request; if so, judging whether the user mobile terminal device number is in the current list of activated user mobile terminal device numbers; if not, prompting the user mobile terminal to send an activation request to activate the device and ignoring the user request; and if so, forwarding the user request to the mail server.
Further, the mailbox security proxy gateway comprises a reduced-level verification module, for parsing the user request to obtain the user name; judging whether the user name is in the list of legitimate users; if not, ignoring the user request; and if so, forwarding the user request to the mail server.
Further, the system further comprises:
the user mobile terminal activation device 23, for parsing, when it receives an activation request from a user mobile terminal, the activation request to obtain its user name and user mobile terminal device number (the activation request comprising user name information and user mobile terminal device number information); judging whether that user name is in the list of legitimate users; if not, ignoring the activation request; and if so, storing the user mobile terminal device number from the activation request in the list of activated user mobile terminal device numbers.
Further, the automatic operation and maintenance monitoring module 21 further comprises:
a mailbox security proxy gateway monitoring module 211, for detecting at a preset frequency whether the mailbox proxy services provided by the mailbox security proxy gateways are running normally and, if one is running abnormally, switching the domain name of the corresponding mailbox security proxy gateway to a normally running mailbox security proxy gateway and raising an alarm.
Fig. 3 shows a specific embodiment of the system for verifying user requests based on a variable security level. By function, the system can be divided into the user mobile terminal activation device, the mailbox security proxy gateway, the automatic operation and maintenance monitoring module, and so on:
1. The user mobile terminal activation device:
Through the proxy service, the HTTPS protocol requests of all mailbox clients are obtained; the user information and user-device information in the HTTPS request data are extracted and compared with the list of activated user mobile terminal device numbers. If the user is legitimate and the device making the request is authorised, the device is allowed to access the intranet mailbox server; requests from illegitimate users are not forwarded; and if the user is legitimate but the device has not been authenticated and registered, the user is required to register and activate the device in the user mobile terminal activation device first.
1.1, user device registration and authentication process:
When the user name and device ID in an HTTP mailbox request from the user's mailbox client do not exist in the device management data table of the device management system, the system sends the user information for device registration, authentication and activation by mail and SMS. A user's registration record has the following fields:
[user name] [department] [device ID] [active state]
1.2, data storage:
When the user activates an authenticated device, that device is allowed to access the mailbox server; the user mobile terminal activation device stores the device information associated with the user in the user device management information table of its database, with the following fields.
[table name] [department] [user name] [device ID] [activated state]
1.3, other remarks:
where [table name] refers to the MySQL database table.
2. Mailbox security proxy gateway cluster:
The mailbox security proxy gateway integrates the function of a mailbox proxy server. It can track the activation state of user devices at any time: by reading the user device management information table in the MySQL database of the user mobile terminal activation device it generates a new list of activated user mobile terminal device numbers and stores it in a Redis database and in an OpenResty shared dictionary. Before the mailbox service is reached, the gateway obtains the user's request data, extracts the user information and user-device information from the user's request connection, and compares them with the activated user mobile terminal device number list in Redis and in the OpenResty shared dictionary. Devices in the list are allowed to access the mailbox service; mailbox service requests from users and devices not in the list are rejected.
2.1, obtaining the user device management information table:
After the mailbox security proxy gateway receives the synchronisation message for a newly added user device, it reads the latest user device information from the MySQL user device management table, generates a new list of activated user mobile terminal device numbers and stores it in Redis and in the OpenResty shared dictionary. The user name and user device information in each subsequent user request are then compared against this data: user devices in the table may access the mailbox server, all others may not. The table fields are as follows:
[KV table] [user name] [device ID] [active state]
2.2, HTTPS requests from the user's mailbox client:
The user's mailbox client sends mailbox interaction requests to the mailbox security proxy gateway service over HTTPS. The request URI sent by the mailbox client carries the user name and the user's device information; the security proxy gateway extracts these two items and compares them with the list of activated user mobile terminal device numbers in the OpenResty shared dictionary. Requests whose user and device ID are in the list are forwarded to the mailbox service as normal. The protocol data the proxy gateway receives from the user's mailbox client contains the following fields:
[URI] [user name] [device ID]
2.3, other descriptions:
The 'KV table' refers to the key-value table kept in the OpenResty shared dictionary and in Redis; whenever the OpenResty mailbox security proxy gateway service is restarted, OpenResty pulls the data from Redis into the shared-dictionary user information table.
3. Automatic operation and maintenance monitoring module:
the automatic operation and maintenance service monitors services such as an external API (application programming interface) of the mailbox safety proxy gateway service, a user equipment management information database, a Reids database and the like.
3.1, monitoring and fault self-healing processing of a mailbox safety proxy gateway interface:
the self-healing monitoring system monitors an API (application programming interface) interface of mailbox proxy service through Zabbix, sends an alarm mail through the Zabbix server unified automatic analysis script once alarm is found, requests DNS (domain name service) domain name service through the API, points the domain name to proxy service under a healthy machine room line again, and automatically switches the domain name back to the original mail server after the failed mail server interface is recovered to be normal.
3.2, monitoring and self-healing processing of the database:
activating a database of the device by an OSQuery audit agent user mobile terminal, sending heartbeat OSQuery audit request at regular time, checking whether a data process is alive and whether user equipment information returns to be effective, and when finding that a database cluster cannot be communicated, enabling a system to automatically perform degradation of safety verification, enabling existing equipment of a user to access mailbox service, and regenerating normal safety configuration after the database is recovered.
3.3, monitoring and self-healing processing of the user mobile terminal activation device:
When the mailbox security proxy gateway cannot receive pushes of newly added devices, the user mobile terminal activation device is unreachable and no data can be pulled, and Zabbix detects that the activation device is offline and not serving, the self-healing monitoring system sends a high-level alarm and calls the degradation API of the mailbox security proxy gateway. The security proxy then switches to the processing logic that does not check user devices, stops updating the user device table, and relies only on the latest user configuration it currently holds while it waits for the alarm to be resolved. Once the activation device is back in service, the gateway automatically switches back to pulling the latest user device data, raising the security level of the system back to normal.
4. A database:
The database stores the basic user information and the device information in the relational database MySQL. The KV database stores the ID information of the devices activated by each user together with the user information. The in-memory KV store uses the shared dictionary function supported by OpenResty to hold the user information and user device information.
5. Exchange mailbox server:
The Exchange mailbox server provides the enterprise mailbox service and normally runs as a cluster. In the mailbox security proxy gateway scheme proposed here, the gateway is deployed inside the enterprise in front of the Exchange mailbox server and receives the user's mailbox client requests. It manages and authenticates the user name and device information contained in each request, forwards the mailbox client request to the Exchange mailbox server for legal users on devices they have activated, and blocks users and devices that do not meet these conditions. This forms a user and user-device list restriction mechanism that protects the mailbox service.
FIG. 4 is a flowchart of a method according to yet another embodiment of the present invention.
The mailbox security proxy gateway service collects the device ID information under each user name and performs device management control: only the activated devices recorded in the user information table of the user mobile terminal activation device can reach the mailbox server on the intranet through the mailbox proxy service. The gateway service shares its user and device data with the activation device so that the two jointly implement user device management control. If the user ID is found to be illegal, or the user has not activated the corresponding device, the enterprise intranet mailbox server cannot be reached through the mailbox security proxy gateway.
The automatic operation and maintenance monitoring module monitors the whole set of associated services in real time with tools such as Zabbix and OSQuery, creates an interactive API in each system, and lets the systems communicate through these APIs as soon as an alarm occurs, so that the original service security configuration is changed and the system's security level is automatically lowered and automatically restored.
Under this principle, the mailbox security proxy gateway system and the user mobile terminal activation device share the basic user information and the user device information: the validity of the basic user information is verified, and the actual activation status of the user's devices then determines, by correlation, whether the corresponding user is allowed to access the intranet mailbox server.
The secure mailbox proxy gateway service receives the user name and the user device from the URI of the user's HTTPS request. The user information table synchronised from the user mobile terminal activation device maps one-to-one onto the activated user mobile terminal device number list in the proxy system's in-memory KV table, and normal access to the intranet mailbox server is allowed only when the user's department information is legal and the activation state of the user ID is "activated".
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. In addition, any connection is properly termed a computer-readable medium, and thus is included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Disk and disc, as used herein, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (6)

1. A user request authentication method based on variable security level is characterized by comprising the following steps:
detecting whether the activation device of the user mobile terminal can be normally accessed according to a set frequency;
if the user mobile terminal activation device is normally accessible, after receiving a user request for access to the mailbox sent by the user mobile terminal, verifying the user request at a normal security verification level through a mailbox security proxy gateway;
if the user mobile terminal activation device is not normally accessible, after receiving a user request for access to the mailbox sent by the user mobile terminal, verifying the user request at a reduced security verification level through the mailbox security proxy gateway;
the user request comprises a user name and a user mobile terminal equipment number;
the authenticating the user request in a normal security authentication level manner includes:
analyzing the user request to obtain a user name and a user mobile terminal device number;
judging whether the user name requested by the user is in a preset legal user list or not;
if not, ignoring the user request; if yes, further judging whether the number of the user mobile terminal equipment is in a current activated user mobile terminal equipment number list;
if not, prompting the user mobile terminal to send an activation request for activating the user equipment, and ignoring the user request; if yes, forwarding the user request to a mail server;
the authenticating the user request in a manner that reduces a security authentication level includes:
analyzing the user request to obtain a user name;
judging whether the user name requested by the user is in a preset legal user list or not;
if not, ignoring the user request; if yes, the user request is forwarded to a mail server.
2. The variable security level-based user request authentication method of claim 1, further comprising:
when an activation request about activating user equipment sent by a user mobile terminal is received, analyzing the activation request through a user mobile terminal activation device to obtain a user name and a user mobile terminal equipment number, wherein the activation request comprises the user name and the user mobile terminal equipment number;
judging whether the user name of the activation request is in a preset legal user list or not;
if not, ignoring the activation request; and if so, storing the number of the user mobile terminal equipment of the activation request into a list of the number of the activated user mobile terminal equipment.
3. The variable security level-based user request authentication method of claim 1, further comprising:
detecting whether mailbox proxy services provided by each mailbox security proxy gateway run normally according to a preset frequency;
and if the abnormally operated mailbox proxy service exists, switching the domain name of the mailbox security proxy gateway corresponding to the abnormally operated mailbox proxy service to the normally operated mailbox security proxy gateway, and giving an alarm.
4. A variable security level based user request authentication system, comprising:
the automatic operation and maintenance monitoring module is used for detecting, at a set frequency, whether the user mobile terminal activation device is normally accessible;
the mailbox security proxy gateway is used for verifying the user request at a normal security verification level after receiving a user request for access to the mailbox sent by the user mobile terminal when the user mobile terminal activation device is normally accessible, and for verifying the user request at a reduced security verification level after receiving a user request for access to the mailbox sent by the user mobile terminal when the user mobile terminal activation device is not normally accessible;
the user request comprises a user name and a user mobile terminal equipment number;
the mailbox safety proxy gateway comprises a normal safety verification level verification module which is used for analyzing the user request and acquiring a user name and the number of the user mobile terminal equipment; judging whether the user name requested by the user is in a preset legal user list or not; if not, ignoring the user request; if yes, further judging whether the number of the user mobile terminal equipment is in a current activated user mobile terminal equipment number list; if not, prompting the user mobile terminal to send an activation request for activating the user equipment so as to activate the equipment, and ignoring the user request; if yes, forwarding the user request to a mail server;
the mailbox safety proxy gateway comprises a verification module for reducing the safety verification level, and is used for analyzing the user request and acquiring a user name; judging whether the user name requested by the user is in a preset legal user list or not; if not, ignoring the user request; if yes, the user request is forwarded to a mail server.
5. The variable security level-based user request authentication system of claim 4, wherein the system further comprises:
the user mobile terminal activation device is used for analyzing an activation request about activating user equipment, sent by the user mobile terminal, to obtain a user name and a user mobile terminal equipment number, wherein the activation request comprises the user name and the user mobile terminal equipment number; judging whether the user name of the activation request is in a preset legal user list or not; if not, ignoring the activation request; and if so, storing the user mobile terminal equipment number of the activation request into an activated user mobile terminal equipment number list.
6. The variable security level-based user request authentication system of claim 4, wherein the automated operation and maintenance monitoring module further comprises:
the mailbox safety proxy gateway monitoring module is used for detecting whether mailbox proxy services provided by each mailbox safety proxy gateway operate normally or not according to preset frequency; and if the abnormally operated mailbox proxy service exists, switching the domain name of the mailbox security proxy gateway corresponding to the abnormally operated mailbox proxy service to the normally operated mailbox security proxy gateway, and giving an alarm.
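The verification steps of claims 1 and 2, the degraded mode of section 3.3 and the domain-name failover of section 3.1/claim 3, written out as an added worked example; this is not the patentee's code and it does not run inside OpenResty. The in-memory state stands in for the shared-dictionary KV table, the URI layout `/<user name>/<device number>` is an assumption (the patent only states that the URI carries both values), and the user names, device numbers and gateway names are constructed sample values.

```python
"""Variable-security-level gateway checks (added example, not the patent's own code)."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import unquote, urlsplit


class Action(Enum):
    FORWARD = "forward"            # hand the request to the Exchange server
    IGNORE = "ignore"              # drop the request (user not in the legal list)
    PROMPT_ACTIVATE = "prompt"     # ask the client to activate this device first


@dataclass
class GatewayState:
    """Stand-in for the 'KV table' the gateway keeps in its shared dictionary."""
    legal_users: set                                    # preset legal user list
    active_devices: dict = field(default_factory=dict)  # user name -> set of activated device numbers
    degraded: bool = False                              # True while the activation device is unreachable


def parse_request_uri(uri: str):
    """Assumed layout /<user name>/<device number> (the patent only says the URI carries both).
    Returns (user, device); device is None when the path has a single segment."""
    parts = [unquote(p) for p in urlsplit(uri).path.split("/") if p]
    if not parts:
        return None, None
    return parts[0], (parts[1] if len(parts) > 1 else None)


def verify_request(state: GatewayState, uri: str) -> Action:
    """Claim 1: the user name is checked at both levels; the device number only at the normal level."""
    user, device = parse_request_uri(uri)
    if user not in state.legal_users:
        return Action.IGNORE                      # both levels: unknown user is ignored
    if state.degraded:
        return Action.FORWARD                     # reduced level: legal user name suffices
    if device is not None and device in state.active_devices.get(user, set()):
        return Action.FORWARD                     # normal level: device must be activated
    return Action.PROMPT_ACTIVATE                 # legal user, device not activated


def handle_activation(state: GatewayState, user: str, device: str) -> bool:
    """Claim 2 (activation device): record the device number only for a legal user."""
    if user not in state.legal_users:
        return False
    state.active_devices.setdefault(user, set()).add(device)
    return True


def monitor_activation_device(state: GatewayState, reachable: bool) -> str:
    """Section 3.3: lower the level when the activation device goes offline, restore it on recovery."""
    if not reachable and not state.degraded:
        state.degraded = True
        return "ALARM: activation device offline; gateway degraded to user-name-only checks"
    if reachable and state.degraded:
        state.degraded = False
        return "RECOVERED: gateway restored to user-plus-device checks"
    return "no change"


def choose_gateway(health: dict, primary: str, current: str):
    """Section 3.1 / claim 3: which gateway the service domain should point at.
    health maps gateway name -> True/False from the API probe; returns (target, message)."""
    if health.get(primary):
        return primary, (None if current == primary else "switched back to primary")
    for name, ok in health.items():
        if ok:
            return name, (None if current == name else f"ALARM: {primary} down, domain moved to {name}")
    return current, "ALARM: no healthy gateway, domain left unchanged"


if __name__ == "__main__":
    # Constructed sample data: two legal users, one activated device.
    state = GatewayState(legal_users={"alice", "bob"})
    handle_activation(state, "alice", "DEV-0001")
    for uri in ("/alice/DEV-0001", "/alice/DEV-0009", "/mallory/DEV-0001"):
        print("normal  ", uri, verify_request(state, uri).value)
    print(monitor_activation_device(state, reachable=False))
    for uri in ("/alice/DEV-0009", "/mallory/DEV-0001"):
        print("degraded", uri, verify_request(state, uri).value)
    print(monitor_activation_device(state, reachable=True))
    print(choose_gateway({"gw-a": False, "gw-b": True}, primary="gw-a", current="gw-a"))
```

Note that even at the reduced level an unknown user name is still ignored; the degradation only drops the device check, which is why the text calls it a lowered security level rather than an open gate. Switching back is driven by the same monitor call that lowered the level, so a recovered activation device automatically re-enables the device check without operator action.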
CN202010731076.7A 2020-07-27 2020-07-27 User request verification method and system based on variable security level Active CN111953664B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010731076.7A CN111953664B (en) 2020-07-27 2020-07-27 User request verification method and system based on variable security level

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010731076.7A CN111953664B (en) 2020-07-27 2020-07-27 User request verification method and system based on variable security level

Publications (2)

Publication Number Publication Date
CN111953664A CN111953664A (en) 2020-11-17
CN111953664B true CN111953664B (en) 2022-07-08

Family

ID=73338248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010731076.7A Active CN111953664B (en) 2020-07-27 2020-07-27 User request verification method and system based on variable security level

Country Status (1)

Country Link
CN (1) CN111953664B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124585B (en) * 2022-01-28 2022-06-21 奇安信科技集团股份有限公司 Security defense method, device, electronic equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355532A (en) * 2008-09-19 2009-01-28 中国网通集团宽带业务应用国家工程实验室有限公司 Method for implementing e-mail business and mail server
CN104539523A (en) * 2014-12-29 2015-04-22 宁波江东远通计算机有限公司 Mail management method, device and terminal

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101600169A (en) * 2009-05-20 2009-12-09 深圳市腾讯计算机系统有限公司 A kind of authentication method and device to the access mail server apparatus
CN102137083B (en) * 2010-08-23 2013-11-06 华为技术有限公司 Method, device and system for registering application system
KR20130034313A (en) * 2011-09-28 2013-04-05 주식회사 한국무역정보통신 System for trustworthy mail circulation and gateway there of
CN103490983B (en) * 2013-09-17 2017-03-01 新浪网技术(中国)有限公司 Corporate mail system and its method carrying out mail migration
JP5973413B2 (en) * 2013-11-26 2016-08-23 ビッグローブ株式会社 Terminal device, WEB mail server, safety confirmation method, and safety confirmation program
CN103763105A (en) * 2014-01-07 2014-04-30 上海众人网络安全技术有限公司 Encryption method and device for login of Exchange corporate E-mails
CN105656843B (en) * 2014-11-11 2020-07-24 腾讯数码(天津)有限公司 Application layer protection method and device based on verification and network equipment
CN104717223B (en) * 2015-03-26 2018-05-08 小米科技有限责任公司 Data access method and device
CN105847245B (en) * 2016-03-21 2020-01-03 杭州朗和科技有限公司 Electronic mailbox login authentication method and device
CN105743916A (en) * 2016-04-03 2016-07-06 北京动石科技有限公司 Information processing method, system and device for enhancing access security
CN110572395B (en) * 2019-09-09 2021-12-07 车智互联(北京)科技有限公司 Identity verification method and system
CN111343080B (en) * 2020-02-28 2020-12-04 北京芯盾时代科技有限公司 Agent-based mail service method, server, client and system

Also Published As

Publication number Publication date
CN111953664A (en) 2020-11-17

Similar Documents

Publication Publication Date Title
US10885165B2 (en) Account monitoring
US11223639B2 (en) Endpoint network traffic analysis
US7933584B2 (en) Method for implementing security update of mobile station and a correlative reacting system
US9047465B2 (en) Methods and apparatus for automatic security checking in systems that monitor for improper network usage
CN113923020B (en) Micro-service authentication method, device and equipment of SaaS multi-tenant architecture
US11477028B2 (en) Preventing account lockout through request throttling
CN111490981B (en) Access management method and device, bastion machine and readable storage medium
US20120030724A1 (en) System and method for detecting hacked modems
WO2008105884A2 (en) Lockbox management system and method
US20090113039A1 (en) Method and system for content handling
US11422830B1 (en) Decentralized mobile device control
US20160360430A1 (en) Network access fault reporting
US10374933B2 (en) Systems and methods for monitoring operational statuses of network services
CN111953664B (en) User request verification method and system based on variable security level
CN113347037B (en) Data center access method and device
CN112887105B (en) Conference security monitoring method and device, electronic equipment and storage medium
CN110138779A (en) A kind of Hadoop platform security control method based on multi-protocols reverse proxy
JP6117050B2 (en) Network controller
CN106790134B (en) Access control method of video monitoring system and security policy server
CN110969740A (en) Access method of access control management system to different types of access control equipment and access control system
US20220400384A1 (en) Sim swap fraud detection
US20200244647A1 (en) Systems and Methods for Secure Management and Real-Time Diagnostics of Network Devices
WO2023279831A1 (en) Network management proxy and network element management platform
CN115883574A (en) Access equipment identification method and device in industrial control network
CN102546552A (en) Authentication method, equipment and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230412

Address after: Room 501-502, 5/F, Sina Headquarters Scientific Research Building, Block N-1 and N-2, Zhongguancun Software Park, Dongbei Wangxi Road, Haidian District, Beijing, 100193

Patentee after: Sina Technology (China) Co.,Ltd.

Address before: 100193 7th floor, scientific research building, Sina headquarters, plot n-1, n-2, Zhongguancun Software Park, Dongbei Wangxi Road, Haidian District, Beijing, 100193

Patentee before: Sina.com Technology (China) Co.,Ltd.