CN112231686B - System security authentication method and device based on security authentication identification - Google Patents


Info

Publication number
CN112231686B
Authority
CN
China
Prior art keywords
security authentication
user
identification
authentication
list
Prior art date
Legal status
Active
Application number
CN202011124595.3A
Other languages
Chinese (zh)
Other versions
CN112231686A (en)
Inventor
郁强
黄红叶
倪林杰
胡正茂
谢淼烽
Current Assignee
CCI China Co Ltd
Original Assignee
CCI China Co Ltd
Priority date
Filing date
Publication date
Application filed by CCI China Co Ltd
Priority to CN202011124595.3A
Publication of CN112231686A
Application granted
Publication of CN112231686B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23: Updating
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24: Querying
    • G06F16/242: Query formulation
    • G06F16/2433: Query languages
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention provides a system security authentication method based on security authentication identifiers, comprising the following steps: receiving a user request, where the user request comprises a user session and a requested interface method; generating a corresponding tag based on the requested interface method; using the tag as a key to acquire the security authentication identifier of the interface function from a security authentication identifier cache; acquiring the user's security authentication list from the user session; and passing the user request when the security authentication identifier exists in the user's security authentication list. This reduces the complexity of extracting security authentication SQL for developers in the software development stage, reduces the complexity of associating the service context environment in the implementation stage and the operation and maintenance stage, lowers service deployment and system configuration requirements, and improves efficiency.

Description

System security authentication method and device based on security authentication identification
Technical Field
The invention relates to the field of internet information, in particular to a system security authentication method and device based on security authentication identification.
Background
Software refers to computer programs, procedures, rules, and possibly files, documents, and data related to the operation of a computer system. With the development and increasing popularity of smartphones, software also includes the systems and applications installed on mobile devices, which are used more and more in daily life. Ensuring that software is used legally within its authorized scope, is not maliciously attacked or tampered with, and can continue to run correctly even if it is maliciously attacked is the most basic security requirement for software, so software should be equipped with a software security authentication system.
Currently, most software security authentication systems perform security authentication based on address paths. The authentication process is as follows: when a user clicks a function in the software, the security authentication framework acquires the address path corresponding to that function and the address paths the user is authorized for, and matches the two to decide whether the user has access rights. This approach has drawbacks that are hard to avoid: the operation and maintenance engineer must configure the context path prefix of the service deployment, then update the link addresses of the menu interfaces in the service's security authentication authority table in the database by splicing the context path prefix in front of each menu interface address. A software system often has hundreds of menu interface addresses that all require the security authentication service, which brings complicated address configuration updates, increases the configuration burden on operation and maintenance personnel, and also occupies a large number of interfaces, making interface management inconvenient.
Disclosure of Invention
The invention aims to provide a system security authentication method and device based on security authentication identifiers. The method performs security authentication on user requests based on the security authentication identifier, which reduces the complexity of extracting security authentication SQL for developers in the software development stage, reduces the complexity of associating the service context environment in the deployment stage and the operation and maintenance stage, lowers service deployment and system configuration requirements, and improves efficiency.
To achieve the above object, the present technical solution provides a system security authentication method based on security authentication identifiers, including the following steps: receiving a user request, where the user request comprises a user session and a requested interface method; generating a corresponding tag based on the requested interface method; using the tag as a key to acquire the security authentication identifier of the interface function from a security authentication identifier cache; acquiring the user's security authentication list from the user session; and passing the user request when the security authentication identifier exists in the user's security authentication list.
According to a second aspect, the present technical solution provides a system security authentication device based on security authentication identifiers, which includes: a security authentication identifier configuration unit, configured to configure a corresponding security authentication identifier for an interface function, where the security authentication identifier at least includes the following attribute information: code, function name, authority classification, and whether authentication is performed; a system security authentication switch for turning the system security authentication method on or off and configuring information in a session identification container, where the switch has at least the following configuration information: session, description, and authority classification; a security authentication registrar for initializing the security authentication processor and the security authentication configurator when the system security authentication switch is turned on, and registering them on the processing link of the application container; a security authentication processor for receiving a user request and executing the system security authentication method based on the security authentication identifier; a security authentication configurator for configuring the registered security authentication processor onto the processing link of the application container; and a user login security authentication information loading device, which looks up the security authentication list configured for the user by the user identification and sets it into the user session, where the key is the session identification information and the value is the user's security authentication list.
According to a third aspect, the present technical solution provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the above-mentioned system security authentication method based on security authentication identification when executing the program.
According to a fourth aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-mentioned system security authentication method based on security authentication identification.
Compared with the prior art, the technical solution has the following features and beneficial effects:
1. A security authentication identifier that describes the interface function information is adopted, and the coding information of the security authentication identifier replaces the traditional address path. Security authentication identifiers and interfaces are in a many-to-many relationship: several security authentication identifiers can be configured on the same interface, and one security authentication identifier can identify several interfaces, which improves the reuse rate of interfaces.
2. Security authentication processing based on the coded information replaces the traditional authentication by address, and a custom security authentication processing chain interface can be reserved so that the service system can add its own additional authentication processing.
Drawings
FIG. 1 is a flow chart of a process of security authentication according to an embodiment of the present invention.
Fig. 2 is a typical application scenario of the security authentication process according to an embodiment of the present invention.
Fig. 3 is a configuration of security authentication identification at the development stage.
Fig. 4 is the user login and security authentication information loading flow.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the invention, fall within the scope of protection of the invention.
It will be understood that the terms "a" and "an" should be interpreted as referring to "at least one" or "one or more," i.e., in one embodiment, the number of elements may be one, while in another embodiment, the number of elements may be plural, and the term "a" should not be interpreted as limiting the number.
The solution performs software security authentication using a security authentication identifier instead of the traditional address path. Unlike the traditional, complex address path configuration in which a context path prefix is spliced onto the menu interface address, the security authentication identifier uses a coded attribute, so identifiers and interfaces can be arranged many-to-many, and the configuration work of operation and maintenance personnel is reduced.
Specifically, the security authentication identifier in this solution describes an interface function and its information, and the attribute information of the corresponding security authentication identifier is encoded when the interface function is defined. That is, the attribute information of the security authentication identifier is coded to correspond to different interface functions, so the relationship between security authentication identifiers and interfaces is many-to-many: one interface function can carry several security authentication identifiers, and one security authentication identifier can label several interface functions, thereby identifying a function set.
Specifically, the security authentication identifier configuration includes at least the following attribute information: code, function name, authority classification privilegeType, and whether to authenticate validate. The code of the security authentication identifier identifies the code of an interface function; the name describes the name of the interface function; the authority classification privilegeType describes the authority category of the interface function; and validate indicates whether authentication is needed: if the attribute is true, security authentication is required when the interface is accessed, and if it is false, no authentication is needed.
For example, the following security authentication identifier identifies interface function A: the name of the interface function is "function A", the authority classification is "management side authority", the code of the interface function is "10010101", and security authentication is required when accessing the interface.
For example, the following security authentication identifier annotation identifies a set of functions: (name = {"function A", "function B", "function C"}, privilegeType = PrivilegeType.PLATFORM, code = "10010101", validate = true).
The above is a description of the content of the security authentication identifier.
In addition, implementing the system security authentication method of this solution also requires configuring a security authentication switch. The switch turns the system security authentication method and system on or off and carries out the configuration of security authentication information, such as the information configuration in the session identification container; several switches may be configured when the switch is on, so as to distinguish the authority authentications of different systems.
The security authentication switch has at least the following configuration information: session key session, description notes, and authority classification privilegeType. The session key is the key name under which the user's authentication information is placed in the session, the description notes describes the function, and the authority classification privilegeType describes the user's authority, such as user side authority or management side authority.
Several security authentication switches can also be configured: when the security authentication needs several divisions, several @EnablePrivilegeAuthorization entries can be configured, enclosed in an @EnablePrivilegeAuthorizations, which is a group of configurations:
@EnablePrivilegeAuthorizations({ @EnablePrivilegeAuthorization(session = "user_Privilege", notes = "user side function rights configuration", privilegeType = PrivilegeType.PLATFORM), ... })
The solution provides a system security authentication method based on security authentication identifiers, which comprises the following steps:
receiving a user request, where the user request comprises a user session and a requested interface method; generating a corresponding tag based on the requested interface method; using the tag as a key to acquire the security authentication identifier of the interface function from a security authentication identifier cache; acquiring the user's security authentication list from the user session; and passing the user request when the security authentication identifier exists in the user's security authentication list.
Specifically, generating the corresponding tag based on the requested interface method includes: acquiring the package name, class name and method name of the interface method, and splicing on the parameter types of the interface method in order. Because the encoding rule is idempotent, encoding the same interface always generates the same interface method tag.
Specifically, the tag includes at least the following parameters: package name, class name, interface method name, and interface method parameter types. The package name is the name of the software package, similar to a directory; the class name is the file name; the interface method name is the name of the method in the file; and the interface method parameter types are the types of the method's input parameters. Because these four pieces of information satisfy the idempotence of the coding rule, signing the same interface method always yields the same tag.
Sample tag data:
cn.com.citycroud.account.accountcontroller.queryuser.inter; where cn.com.citycroud.account is the package name, accountController the class (file) name, queryUser the method name, and Integer the parameter type.
In the step of acquiring the security authentication identifier from the security authentication identifier cache, if the identifier cannot be acquired, the security authentication identifier list is acquired from the interface, the interface method tag is used as the key and the security authentication identifier list as the value, the identifiers of the list are put into the security authentication identifier cache, and the security authentication identifier list is returned.
After the system security authentication program provided by this solution starts and before any user access, the security authentication identifier cache is empty. When an interface is accessed for the first time, the program encodes the interface and extracts its security authentication identifiers (a developer can mark several security authentication identifiers to reuse functions); if the interface is marked with several identifiers, a group of identifiers, i.e. a security authentication identifier list whose elements are the security authentication identifiers, is extracted. The list extracted from the encoded interface is then written into the security authentication identifier cache, and subsequent accesses obtain the security authentication identifier directly from the cache.
Acquiring the user's security authentication list from the user session comprises:
acquiring the session identification information from the session identification container according to the authority classification of the security authentication identifier, where the authority classification and the session identification information are preset as a key-value pair, and acquiring the user's security authentication list from the user session according to the session identification information.
The security authentication list represents the user's access authority. It is formed from the codes of the interface functions corresponding to the user's authority as its content, and it is stored in the user session with the session identification information as the key.
The session identification information corresponds to the privilegeType of the @EnablePrivilegeAuthorization entries configured on the security authentication switch.
For example, if a user's session identification information is user-Privilege and the user only has access rights to interface function A and interface function B, whose codes are 10010101 and 10010102, the security authentication list obtained is {'10010101', '10010102'}.
The authority classification and the session identification information are set in advance as a key-value pair. For example, if the authority is the management background function, it corresponds to the session identification information of the management background function, and the data structure stored in the session identification container is { PrivilegeType.PLATFORM = user-Privilege }. If the authority classification is PLATFORM, the corresponding session identification information user-Privilege is obtained. The session identification container thus tells the processor from which field of the user session the list for the user's authority classification should be read.
After the user logs in to the software, the user authority is loaded, the session identification information is used as the key and the user's security authentication list as the value, and the pair is put into the user session; at check time the user's security authentication list is fetched through that key. Correspondingly, the device needs to configure a user login security authentication information loading device: according to the user identification, it looks up the security authentication information the system has configured for the user and sets the read security authentication information into the user session, where the key is the value of the session identification information configured by the system security authentication switch and the value is the user's security authentication information, i.e. the user's security authentication list.
For example, after logging in the user's authority is loaded, user-Privilege is used as the key and the user's security authentication list as the value, the pair is put into the user's session, and at check time the user's security authentication list is obtained through user-Privilege.
The elements of the security authentication list are compared with the security authentication identifier as follows:
judge whether the current security authentication identifier is present in the security authentication list; if so, the request passes directly and no further processing is performed; if not, further processing is carried out.
For example, if the user's security authentication list is {'10010101', '10010102'} and the security authentication identifier annotation of interface C is (name = "function C", privilegeType = PrivilegeType.PLATFORM, code = "10010103", validate = true), then for the corresponding interface function C the user request is judged unauthorized, and the request is intercepted and returned.
In one embodiment of this solution, if a custom security authentication processing chain exists, processing continues on that chain; if there is none, unauthorized is returned.
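The procedure above (tag generation, cache fill on first access, session identification container lookup, list comparison and the custom chain fallback), as an added Java example that is not the patent's own code. The annotation name SecurityAuth, the AuthChain interface and the AccountController class are assumptions; the attribute names, the sample codes and the session key user-Privilege come from the text above.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class PrivilegeAuthDemo {

    enum PrivilegeType { PLATFORM, USER }

    // Security authentication identifier. The attribute names (name, privilegeType, code,
    // validate) follow the patent text; the annotation name itself is assumed.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface SecurityAuth {
        String[] name();
        PrivilegeType privilegeType();
        String code();
        boolean validate() default true;
    }

    // Hypothetical custom security authentication processing chain (the reserved hook).
    interface AuthChain {
        boolean authorize(Method method, Map<String, Set<String>> userSession);
    }

    // Constructed interface functions for the worked example.
    public static class AccountController {
        @SecurityAuth(name = "function A", privilegeType = PrivilegeType.PLATFORM, code = "10010101")
        public String functionA(Integer id) { return "A:" + id; }
        @SecurityAuth(name = "function C", privilegeType = PrivilegeType.PLATFORM, code = "10010103")
        public String functionC(Integer id) { return "C:" + id; }
        public String ping() { return "pong"; } // carries no identifier
    }

    // Security authentication identifier cache: interface method tag -> identifier list.
    final Map<String, List<SecurityAuth>> identifierCache = new HashMap<>();
    // Session identification container: privilegeType -> key of the list inside the user session.
    private final Map<PrivilegeType, String> sessionIdContainer;
    private final AuthChain customChain; // null when no custom chain is configured

    PrivilegeAuthDemo(Map<PrivilegeType, String> sessionIdContainer, AuthChain customChain) {
        this.sessionIdContainer = sessionIdContainer;
        this.customChain = customChain;
    }

    // Tag = package name + class name + method name + parameter types, in a fixed order,
    // so encoding the same interface method always yields the same tag (idempotent rule).
    static String tagOf(Method m) {
        StringBuilder sb = new StringBuilder(m.getDeclaringClass().getName())
                .append('.').append(m.getName());
        for (Class<?> p : m.getParameterTypes()) sb.append('.').append(p.getSimpleName());
        return sb.toString();
    }

    // Cache lookup keyed by tag; on a miss the identifier list is extracted from the
    // method's annotations, stored under the tag and returned (first access fills the cache).
    List<SecurityAuth> identifiersOf(Method m) {
        return identifierCache.computeIfAbsent(tagOf(m),
                tag -> List.of(m.getAnnotationsByType(SecurityAuth.class)));
    }

    // The security authentication processor: true = request passes, false = unauthorized.
    boolean authorize(Method m, Map<String, Set<String>> userSession) {
        List<SecurityAuth> ids = identifiersOf(m);
        // Unmarked interface: this demo passes it; a deny-by-default deployment returns false here.
        if (ids.isEmpty()) return true;
        for (SecurityAuth id : ids) {
            if (!id.validate()) return true;                 // marked as not requiring authentication
            String sessionKey = sessionIdContainer.get(id.privilegeType());
            if (sessionKey == null) continue;                // classification not configured on the switch
            Set<String> userList = userSession.getOrDefault(sessionKey, Set.of());
            if (userList.contains(id.code())) return true;   // identifier code is in the user's list
        }
        // No identifier matched: defer to the custom chain if present, otherwise unauthorized.
        return customChain != null && customChain.authorize(m, userSession);
    }

    public static void main(String[] args) throws Exception {
        // Switch configuration from the patent example: PrivilegeType.PLATFORM -> "user-Privilege".
        PrivilegeAuthDemo processor =
                new PrivilegeAuthDemo(Map.of(PrivilegeType.PLATFORM, "user-Privilege"), null);
        // Login loading step: the user's list (functions A and B) goes into the session under that key.
        Map<String, Set<String>> session = new HashMap<>();
        session.put("user-Privilege", Set.of("10010101", "10010102"));
        Method a = AccountController.class.getMethod("functionA", Integer.class);
        Method c = AccountController.class.getMethod("functionC", Integer.class);
        System.out.println(tagOf(a));
        System.out.println("function A allowed: " + processor.authorize(a, session));
        System.out.println("function C allowed: " + processor.authorize(c, session));
        processor.authorize(a, session); // second access for A is served from the cache
        System.out.println("cache entries: " + processor.identifierCache.size());
    }
}
```

Runs stand-alone with `java PrivilegeAuthDemo.java` on Java 11 or later.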
The system security authentication method based on security authentication identifiers runs on a security authentication processor. To implement the method, the security authentication processor stores at least the following information:
1. The security authentication switch information.
2. The security authentication identifier cache, whose data structure is key-value pairs (key=value); it caches the security authentication identifiers configured on the interfaces during security authentication processing.
3. The session identification container, whose data structure is key-value pairs (key=value); it stores the authority classifications and the session identification information corresponding to each, as configured on the security authentication switch.
4. The custom security authentication processing chain, which relies on automatic injection by the Spring container and extends the additional authority judgement of the application layer.
In addition, to ensure that the system security authentication method based on security authentication identifiers operates normally on the processing link of the application container, a security authentication configurator and a security authentication registrar also need to be configured. The security authentication registrar performs an initialization action when the system security authentication switch is turned on: it initializes the security authentication processor and the security authentication configurator, initializes the related parameter information, and registers them on the processing link of the application container. The security authentication configurator configures the security authentication processor registered by the registrar onto the processing link in the container so that the processor takes effect.
The system security authentication method based on security authentication identifiers initializes and registers configuration information such as the security authentication switch, the security authentication registrar and the security authentication processor into the web container during the startup stage of the application service. In the service providing stage of the application system, the security authentication processor intercepts and processes the user request, compares the user's own authority information with the authority information configured in the system, and so performs security authentication on the identifier.
In addition, to reduce the complexity of extracting the security authentication SQL for developers in the development stage, the solution provides a security authentication identifier information extraction device. After the interface definitions are complete, it helps the developer extract the security authentication mark information marked on all interfaces, generate SQL statements, and write them into the security authentication table of the database, reducing the developer's workload of extracting security authentication information.
The security authentication table includes at least the following key fields: the security authentication identifier code, the function name name, type and sort number, and the system identification code and privilegeType, which are used to distinguish different authority classifications.
The extraction process of the security authentication identifier information extraction device is as follows: in the system startup stage, the interfaces carrying security authentication marks are scanned, the security authentication mark information is extracted, and insert SQL statements and update SQL statements are generated according to functions and sub-functions. The extraction device is provided in the form of an interface: the security authentication mark information and the SQL can be obtained by accessing a specific interface of the device.
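The extraction device described above, as an added, self-contained Java example that is not the patent's code: it scans annotated interfaces and generates the insert and update SQL for the security authentication table. The annotation name SecurityAuth, the table and column names, the type value 'function' and the sample controller are assumptions; the field list follows the text above.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class PrivilegeSqlExtractor {

    enum PrivilegeType { PLATFORM, USER }

    // Same attribute names as in the patent; the annotation name is assumed.
    @Retention(RetentionPolicy.RUNTIME)
    @interface SecurityAuth {
        String name();
        PrivilegeType privilegeType();
        String code();
        boolean validate() default true;
    }

    // Constructed controller: two marked interfaces and one unmarked one.
    public static class AccountController {
        @SecurityAuth(name = "function A", privilegeType = PrivilegeType.PLATFORM, code = "10010101")
        public void functionA() {}
        @SecurityAuth(name = "function B", privilegeType = PrivilegeType.PLATFORM, code = "10010102")
        public void functionB() {}
        public void ping() {}
    }

    // Annotation values end up inside SQL text, so single quotes are doubled before use.
    static String q(String s) { return "'" + s.replace("'", "''") + "'"; }

    // Scan the given classes for marked interfaces (sorted by method name so the sort number
    // is stable across runs) and emit one INSERT and one UPDATE statement per identifier.
    // Table and column names (security_auth, code, name, type, sort_no, system_code,
    // privilege_type) are assumed; the patent names the fields, not the schema.
    static List<String> extract(String systemCode, Class<?>... classes) {
        List<String> sql = new ArrayList<>();
        int sortNo = 0;
        for (Class<?> c : classes) {
            Method[] methods = c.getDeclaredMethods();
            Arrays.sort(methods, Comparator.comparing(Method::getName));
            for (Method m : methods) {
                SecurityAuth id = m.getAnnotation(SecurityAuth.class);
                if (id == null) continue;
                sortNo++;
                sql.add("INSERT INTO security_auth (code, name, type, sort_no, system_code, privilege_type)"
                        + " VALUES (" + q(id.code()) + ", " + q(id.name()) + ", 'function', " + sortNo
                        + ", " + q(systemCode) + ", " + q(id.privilegeType().name()) + ");");
                sql.add("UPDATE security_auth SET name = " + q(id.name()) + ", sort_no = " + sortNo
                        + ", privilege_type = " + q(id.privilegeType().name())
                        + " WHERE code = " + q(id.code()) + " AND system_code = " + q(systemCode) + ";");
            }
        }
        return sql;
    }

    public static void main(String[] args) {
        extract("demo-system", AccountController.class).forEach(System.out::println);
    }
}
```

Runs stand-alone with `java PrivilegeSqlExtractor.java` on Java 11 or later.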
According to a second aspect of the present invention, there is provided a system security authentication device based on a security authentication identifier, the device being the carrier that implements the above system security authentication method and comprising at least:
A security authentication identifier configuration unit, used to configure a corresponding security authentication identifier for an interface function, wherein the security authentication identifier comprises at least the following attribute information: code (code), function name (name), authority classification (privilegeType), and whether to authenticate (validate).
A system security authentication switch, used to turn the system security authentication method on or off and to configure security authentication information, such as the configuration of the session identifier container, wherein the security authentication switch has at least the following configuration information: session key (sessionKey), description (notes), and authority classification (privilegeType).
A security authentication registrar, used to initialize the security authentication processor and the security authentication configurator when the system security authentication switch is turned on, and to register them on the processing chain of the application container.
A security authentication processor, used to receive a user request and perform security authentication processing by the security authentication method.
A security authentication configurator, used to configure the security authentication processor registered by the security authentication registrar onto the processing chain of the application container.
A user-login security authentication information loading device, used to look up, by the user identifier, the security authentication information that the system has configured for the user, and to set the security authentication information read for the user into the user's request session, where the key set is the value of the session key configured by the system security authentication switch and the value set is the user's security authentication information as read, which serves as the security authentication list.
In some embodiments, the system security authentication device based on a security authentication identifier additionally comprises a security authentication identifier information extraction device, used to help a developer conveniently extract the security authentication identifier information marked on all interfaces once the interface definitions are complete, generate SQL statements, and write them into the security authentication table of the database, reducing the developer's workload for extracting the security authentication information.
Specific embodiments are described below with reference to figs. 1-4:
Fig. 1 shows the system security authentication method and device in the start-up stage and the service-providing stage of the application service. In the service start-up stage, the security authentication configuration switch, the security authentication registrar, the security authentication processor, the security authentication identifier information extraction device and similar configuration information are initialized and registered in the web container. In the service-providing stage of the application system, the security authentication processor intercepts and processes the user request, compares the user's own authority information with the authority information configured in the system, and thereby identifies whether the request is authorized.
Fig. 2 illustrates a typical application scenario of the method and device described in the embodiments of the present application: one web page offers function A, function B and function C, and the server has three interfaces providing the corresponding functions. When the user accesses function A, the browser initiates a request for function A; the server performs security authentication on the request and identifies whether access is allowed. If access is allowed, interface function A is called; otherwise information is returned stating that the interface function may not be accessed.
As shown in fig. 3, a security authentication identifier mark is placed on interface function A, for example
@PrivilegeAnnotation(name = "function A", privilegeType = PrivilegeType.PLATFORM, code = "10010101", validate = true)
and, by analogy, interface function B and interface function C are marked with security authentication identifier information:
@PrivilegeAnnotation(name = "function B", privilegeType = PrivilegeType.PLATFORM, code = "10010102", validate = true)
@PrivilegeAnnotation(name = "function C", privilegeType = PrivilegeType.PLATFORM, code = "10010103", validate = true)
A security authentication switch may be configured on the start-up class, for example
@EnablePrivilegeAnnotation(sessionKey = "user-privilege", privilegeType = PrivilegeType.PLATFORM, notes = "user rights control switch")
In the service start-up stage shown in fig. 1, the security authentication switch is read, and two actions follow. The first action: load the security authentication registrar, which initializes the security authentication processor, registers it in the web container, and injects the configuration information of the system security authentication switch into the security authentication processor, while also registering the security authentication configurator in the web container. The second action: initialize the security authentication identifier information extraction device, extract the authentication information, generate SQL and insert it into the security authentication information table. The SQL generated is as follows:
INSERT INTO [security authentication information table]
    (code, name, type, parent_id, sort_no, system_code)
VALUES ('10010101', 'function A', '0', '1', '1001'),
       ('10010102', 'function B', '0', '2', '1001'),
       ('10010103', 'function C', '0', '3', '1001')
Fig. 4 is a flow chart of user login and loading of security authentication information in the present application. Under the above configuration, assume the user has access rights only to function A and function B: when the user's security authentication information List is loaded, only the two codes 10010101 and 10010102 are obtained, and they are assembled into the List {'10010101', '10010102'}.
In the service-providing stage shown in fig. 1, and with reference to fig. 2, the processing actions and steps of the security authentication processor are as follows:
When the browser initiates a request for function A, the request reaches the server and is intercepted by the security authentication processor. The processor obtains the security authentication information List {'10010101', '10010102'} from the user session, obtains the security authentication information of function A, @PrivilegeAnnotation(name = "function A", privilegeType = PrivilegeType.PLATFORM, code = "10010101", validate = true), from the security authentication identifier cache, compares the elements of the List with the security authentication information of function A, judges the request to be legitimate, and releases it. The request reaches function A and subsequent business logic processing proceeds. When the browser initiates a request for function C, the request reaches the server and is likewise intercepted by the security authentication processor. The processor obtains the security authentication information List {'10010101', '10010102'} from the user session, obtains the security authentication information of function C, @PrivilegeAnnotation(name = "function C", privilegeType = PrivilegeType.PLATFORM, code = "10010103", validate = true), from the security authentication identifier cache, compares the elements of the List with the security authentication information of function C, judges the request to be unauthorized, intercepts it, and returns {"code": "9900", "message": "the function is unauthorized, and cannot access"} to the browser.
This embodiment no longer involves the URL address of a function, which decouples security authentication from the URL address.
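The mark on each interface, the tag of claim 2, the identifier cache of claim 3, the SQL extraction of the start-up stage, the login-time loading of the user's list (fig. 4, claim 4) and the processor's compare-and-release decision of the walk-through above, re-expressed as one runnable example. This is an added illustration written for this page in Python rather than the Java that the annotations above imply; it is not the patent's or the applicant's code. The class, function and table names (PlatformApi, security_authentication_info, user_privilege), the parent_id value written by the extraction step, and the fail-closed handling of an interface that carries no mark are assumptions of this example:

```python
import inspect
import sqlite3
from dataclasses import dataclass
from enum import Enum

# Python re-expression of the annotation/interceptor design described above; class, function
# and table names are assumptions made for this illustration, not the patent's own code.

class PrivilegeType(Enum):
    PLATFORM = "PLATFORM"

@dataclass(frozen=True)
class PrivilegeAnnotation:
    name: str                  # function name
    privilege_type: PrivilegeType
    code: str                  # the code compared against the user's list
    validate: bool = True      # whether to authenticate this interface at all

def privilege_annotation(name, privilege_type, code, validate=True):
    """Stand-in for the Java @PrivilegeAnnotation mark: attaches the identifier to the method."""
    def decorate(fn):
        fn.__privilege__ = PrivilegeAnnotation(name, privilege_type, code, validate)
        return fn
    return decorate

# Security authentication switch from the start-up class, and the session identifier container
# that maps an authority classification to the session key holding the user's list (claim 1).
SWITCH = {"sessionKey": "user-privilege", "privilegeType": PrivilegeType.PLATFORM,
          "notes": "user rights control switch"}
SESSION_KEY_BY_TYPE = {SWITCH["privilegeType"]: SWITCH["sessionKey"]}
UNAUTHORIZED = {"code": "9900", "message": "the function is unauthorized, and cannot access"}
IDENTIFIER_CACHE = {}   # security authentication identifier cache: tag -> identifier

class PlatformApi:
    """The server's three interfaces of figs. 2 and 3, marked as in the description."""
    @privilege_annotation("function A", PrivilegeType.PLATFORM, "10010101")
    def function_a(self, item_id: int) -> str:
        return f"A:{item_id}"
    @privilege_annotation("function B", PrivilegeType.PLATFORM, "10010102")
    def function_b(self) -> str:
        return "B"
    @privilege_annotation("function C", PrivilegeType.PLATFORM, "10010103")
    def function_c(self) -> str:
        return "C"

def make_tag(fn) -> str:
    """Claim 2: splice package, class and method name, then the parameter types in order."""
    params = [p.annotation.__name__ if p.annotation is not inspect.Parameter.empty else "object"
              for p in inspect.signature(fn).parameters.values() if p.name != "self"]
    return f"{fn.__module__}.{fn.__qualname__}({','.join(params)})"

def load_identifier(fn):
    """Claim 3: look the tag up in the cache; on a miss read the mark off the interface and cache it."""
    func = getattr(fn, "__func__", fn)      # bound method -> underlying function
    tag = make_tag(func)
    if tag not in IDENTIFIER_CACHE:
        IDENTIFIER_CACHE[tag] = getattr(func, "__privilege__", None)
    return IDENTIFIER_CACHE[tag]

def build_insert(api_cls, system_code: str):
    """Identifier extraction device: scan the marked interfaces and build the INSERT for the security
    authentication table as a parameterised statement plus rows (no string-spliced SQL). Column set
    as in the description; parent_id '0' for a top-level function and sort_no by code are assumptions."""
    marked = [fn for _, fn in inspect.getmembers(api_cls, inspect.isfunction) if hasattr(fn, "__privilege__")]
    rows = [(fn.__privilege__.code, fn.__privilege__.name, "0", "0", str(i), system_code)
            for i, fn in enumerate(sorted(marked, key=lambda f: f.__privilege__.code), start=1)]
    sql = ("INSERT INTO security_authentication_info "
           "(code, name, type, parent_id, sort_no, system_code) VALUES (?, ?, ?, ?, ?, ?)")
    return sql, rows

def load_user_privileges(conn: sqlite3.Connection, session: dict, user_id: str) -> list:
    """Claim 4 / fig. 4: at login, read the codes granted to the user (user_privilege is an assumed
    grant table) and set the list into the session under the switch's session key."""
    rows = conn.execute("SELECT code FROM user_privilege WHERE user_id = ? ORDER BY code", (user_id,))
    session[SWITCH["sessionKey"]] = [code for (code,) in rows]
    return session[SWITCH["sessionKey"]]

def authenticate(session: dict, fn, *args):
    """Security authentication processor: intercept the call, compare the user's list with the
    interface's code, and release the request or return the unauthorized message."""
    ann = load_identifier(fn)
    if ann is None:        # unmarked interface: fail closed (our choice; the description does not say)
        return dict(UNAUTHORIZED)
    if not ann.validate:   # marked validate = false: released without a check
        return fn(*args)
    session_key = SESSION_KEY_BY_TYPE.get(ann.privilege_type)
    if session_key and ann.code in session.get(session_key, []):
        return fn(*args)
    return dict(UNAUTHORIZED)

def demo():
    """Constructed walk-through of figs. 3 and 4: user u1 is granted codes for A and B only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE security_authentication_info (code TEXT PRIMARY KEY, name TEXT, "
                 "type TEXT, parent_id TEXT, sort_no TEXT, system_code TEXT)")
    conn.executemany(*build_insert(PlatformApi, "1001"))
    conn.execute("CREATE TABLE user_privilege (user_id TEXT, code TEXT)")
    conn.executemany("INSERT INTO user_privilege VALUES (?, ?)", [("u1", "10010101"), ("u1", "10010102")])
    session = {}
    load_user_privileges(conn, session, "u1")   # session["user-privilege"] == ['10010101', '10010102']
    api = PlatformApi()
    return authenticate(session, api.function_a, 7), authenticate(session, api.function_c)
```

The processor never looks at the request URL; the decision is keyed by the method tag and the user's list loaded at login, which is the decoupling the embodiment describes. Two things a deployment should verify follow directly from that design: every exposed interface must actually carry a mark (this example denies an unmarked one rather than releasing it, because validate only exists on marked methods), and the session key the switch writes must be the one the processor reads for that classification, since a mismatch silently yields an empty list and a 9900 for every request.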
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the device described in the above embodiments or may exist alone without being fitted into the device. The computer-readable medium carries one or more programs which, when executed by the device, cause the device to perform the steps of the system security authentication method based on the security authentication identifier. The computer-readable medium of the invention may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. The computer-readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer-readable storage medium include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing.
A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
As another aspect, the present solution provides a computer program product, which includes a computer program loaded on a computer readable medium, the computer program containing program code for executing a system security authentication method based on security authentication identification shown in the flowchart. In such embodiments, the computer program may be downloaded and installed from a network via a communication portion, and/or installed from a removable medium. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU).
The present invention is not limited to the preferred embodiments described above. Any other product obtained under the teaching of the present invention, whatever change in shape or structure it carries, falls within the scope of the present invention, as does any product whose technical solution is the same as or similar to that of the present application.

Claims (9)

1. The system security authentication method based on the security authentication mark is characterized by comprising the following steps:
receiving a user request, wherein the user request comprises a user session and a requested interface method, generating a corresponding label based on the requested interface method, acquiring a security authentication identifier of the interface function from a security authentication identifier cache by taking the label as a key value, acquiring session identifier information from a session identifier container according to authority classification of the security authentication identifier, wherein the authority classification and the session identifier information are preset as key value pairs, acquiring a security authentication list of a user from the user session according to the session identifier information, and identifying the access authority of the user by the security authentication list;
the security authentication identifier at least comprises the following attribute information: code, function name, authority classification and whether to authenticate, wherein the authority classification is used for describing the authority of an interface function; the security authentication list includes at least the code of the interface function corresponding to the user rights.
2. The security authentication identification-based system security authentication method of claim 1, wherein generating a corresponding tag based on the requested interface method comprises: and acquiring package names, class names and method names of the interface methods for splicing, and acquiring parameter types of the interface methods for splicing in sequence.
3. The system security authentication method based on security authentication identification according to claim 1, wherein, if there is no corresponding security authentication identification in the security authentication identification cache, a security authentication identification list is obtained from the interface, the tag is used as the key and the security authentication identification list as the value, the security authentication identifications of the list are put into the security authentication identification cache, and the security authentication identification list is returned.
4. The system security authentication method based on security authentication identification according to claim 1, wherein a user loads user rights after logging in software, searches a security authentication list configured to the user by the system according to the user identification, sets the security authentication list into the user session, sets a key as the session identification information, sets a value as the security authentication list, and composes the security authentication list with a code of an interface function corresponding to the user rights as content.
5. The system security authentication method based on security authentication identification according to claim 1, wherein if there is a custom security authentication processing chain, processing on the security authentication processing chain is performed, and if there is no custom security authentication processing chain, no authority is returned.
6. The system security authentication method based on security authentication identification according to claim 1, wherein the interface with the security authentication identification is scanned and the security authentication identification is extracted, and the inserted SQL statement and the updated SQL statement are generated according to functions and subfunctions and written into a security authentication table of a database.
7. A system security authentication device based on a security authentication identifier, comprising at least:
a security authentication identification configuration unit for configuring a corresponding security authentication identification for an interface function, wherein the security authentication identification at least comprises the following attribute information: code, function name, authority classification and whether to authenticate;
a system security authentication switch for switching the system security authentication method on or off and configuring information in the session identification container, wherein the security authentication switch has at least the following configuration information: session key, description, authority classification;
a security authentication registrar for initializing the security authentication processor and the security authentication configurator when the system security authentication switch is turned on, and registering the security authentication processor and the security authentication configurator on the processing chain of the application container;
a security authentication processor for receiving a user request and performing security authentication processing by executing the security authentication identification-based system security authentication method according to any one of claims 1 to 6;
a security authentication configurator for configuring the registered security authentication processor onto the processing chain of the application container;
a user-login security authentication information loading device, which looks up, by the user identification, the security authentication list configured for the user by the system and sets it into the user session, wherein the key set is the session identification information and the value set is the user's security authentication list.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the security authentication identification based system security authentication method as set forth in any one of claims 1 to 6 when the program is executed.
9. A computer readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, implements the system security authentication method based on security authentication identification as mentioned in any of the preceding claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011124595.3A CN112231686B (en) 2020-10-20 2020-10-20 System security authentication method and device based on security authentication identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011124595.3A CN112231686B (en) 2020-10-20 2020-10-20 System security authentication method and device based on security authentication identification

Publications (2)

Publication Number Publication Date
CN112231686A CN112231686A (en) 2021-01-15
CN112231686B true CN112231686B (en) 2024-02-27

Family

ID=74118081

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011124595.3A Active CN112231686B (en) 2020-10-20 2020-10-20 System security authentication method and device based on security authentication identification

Country Status (1)

Country Link
CN (1) CN112231686B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102065026A (en) * 2010-12-21 2011-05-18 Baidu Online Network Technology (Beijing) Co., Ltd. Device and method for authenticating object to be loaded
CN105074682A (en) * 2013-01-15 2015-11-18 Schneider Electric USA, Inc. Systems and methods for securely accessing programmable devices
CN108600266A (en) * 2018-05-09 2018-09-28 Julong Co., Ltd. Statement filtering authentication method and authentication system
CN109542412A (en) * 2018-10-16 2019-03-29 Ping An Puhui Enterprise Management Co., Ltd. Interface message generation method, device, computer equipment and storage medium
CN109766686A (en) * 2018-04-25 2019-05-17 New H3C Big Data Technologies Co., Ltd. Rights management
CN110049031A (en) * 2019-04-08 2019-07-23 Xiamen Wangsu Co., Ltd. Interface security authentication method, server and authentication center server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7133845B1 (en) * 1995-02-13 2006-11-07 Intertrust Technologies Corp. System and methods for secure transaction management and electronic rights protection


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An Adaptive Mixed Reality Training System for Stroke Rehabilitation; Margaret Duff et al.; IEEE Transactions on Neural Systems and Rehabilitation Engineering; 2010-06-28; vol. 18, no. 5; pp. 531-541 *
Research and implementation of the Qiantang rights management system based on an extended RBAC model; Ding Xiaoming; China Master's Theses Full-text Database, Information Science and Technology; 2011-04-15 (no. 4); pp. I138-529 *

Also Published As

Publication number Publication date
CN112231686A (en) 2021-01-15

Similar Documents

Publication Publication Date Title
CN105069355B (en) The static detection method and device of webshell deformations
US8943588B1 (en) Detecting unauthorized websites
EP3178011B1 (en) Method and system for facilitating terminal identifiers
CN104735091B (en) A kind of user access control method and apparatus based on linux system
US20160306795A1 (en) Data processing on a non-volatile mass storage device
CN105787366A (en) Android software visualization safety analysis method based on module relations
CN104168293A (en) Method and system for recognizing suspicious phishing web page in combination with local content rule base
CN108769070A (en) One kind is gone beyond one's commission leak detection method and device
CN107832618A (en) A kind of SQL injection detecting system and its method based on fine granularity control of authority
CN104137115A (en) Network service interface analysis
CN105488400A (en) Comprehensive detection method and system of malicious webpage
CN110636038A (en) Account number analysis method, account number analysis device, security gateway and system
CN112989348A (en) Attack detection method, model training method, device, server and storage medium
CN113190838A (en) Web attack behavior detection method and system based on expression
CN110135153A (en) The credible detection method and device of software
Fu et al. Data correlation‐based analysis methods for automatic memory forensic
CN110070360B (en) Transaction request processing method, device, equipment and storage medium
CN112231686B (en) System security authentication method and device based on security authentication identification
CN116167057B (en) Code dynamic safe loading method and device based on key code semantic detection
CN102915360B (en) Present the system of the relevant information of website
CN108200191B (en) Utilize the client dynamic URL associated script character string detection system of perturbation method
CN107766342A (en) A kind of recognition methods of application and device
CN116070191A (en) Information processing method and device, storage medium, and program product
CN113849789A (en) Authority verification method, device and equipment based on AOP and storage medium
CN114817903A (en) Vaccination verification system, method and contract platform based on intelligent contract

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant