CN112395586A - File access control method, device, system, storage medium and electronic device - Google Patents

Info

Publication number: CN112395586A
Authority: CN (China)
Prior art keywords: url, equipment, access request, access, credential information
Legal status: Pending
Application number: CN201910755466.5A
Other languages: Chinese (zh)
Inventors: 付旻, 李博
Current Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910755466.5A
Publication of CN112395586A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/604: Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method, a device, a system, a storage medium and an electronic device for controlling file access, wherein the method comprises the following steps: monitoring a Uniform Resource Locator (URL) access request initiated by the first equipment, wherein the URL access request carries a target URL address; sending login credential information to a server, wherein the login credential information comprises: the target URL address and a device identification of the first device; and after the login credential information is sent, sending the URL access request to second equipment, wherein the login credential information is used for the second equipment to carry out admission judgment on the URL access request of the first equipment. The invention solves the technical problem that URL access can only be verified through the account password in the related technology.

Description

File access control method, device, system, storage medium and electronic device
Technical Field
The invention relates to the field of network security, in particular to a file access control method, a file access control device, a file access control system, a storage medium and an electronic device.
Background
In the related art, when a service system manager manages a server or a remote device, a remote login management mode is usually adopted, and different remote management methods are adopted according to different services. Such as: for management of a Windows operating system of a server, a C/S mode is generally adopted, and a terminal is connected to a remote desktop service program on a managed server side through Mstsc (remote desktop connection). When Web service systems such as websites, mails, forums, OA (Office Automation) systems, etc. are managed, a B/S mode is usually adopted, and a browser is used at a terminal to perform login management through a management page provided by a corresponding Web service.
To date, a large number of overseas hackers who remain beyond the reach of the law crack server system passwords with tools, use remote-assistance attack techniques to deploy viruses manually, and damage the security of users' server systems. In contrast to overt attacks, targeted attacks against enterprise servers are covert. The two most common reasons that remote attacks by hackers succeed are weak passwords used by the server and the presence of severe system vulnerabilities.
Most products in the related art verify the identity of a user through login credentials such as a user name, a password or a certificate. Once a hacker obtains this login credential information by other means, the hacker can perform any operation a normal user can, so the login mode in the related art has serious security defects.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiment of the invention provides a file access control method, a file access control device, a file access control system, a storage medium and an electronic device.
According to an embodiment of the present invention, there is provided a method for controlling file access, applied to a first device, including: monitoring a Uniform Resource Locator (URL) access request initiated by the first equipment, wherein the URL access request carries a target URL address; sending login credential information to a server, wherein the login credential information comprises: the target URL address and a device identification of the first device; and after the login credential information is sent, sending the URL access request to second equipment, wherein the login credential information is used for the second equipment to carry out admission judgment on the URL access request of the first equipment.
Optionally, the monitoring of the URL access request initiated by the first device includes one of: monitoring a first URL access request initiated by the first equipment through a browser plug-in of the first equipment; and monitoring a second URL access request initiated by the first equipment through a process hook of the first equipment.
Optionally, the method further includes: before login credential information is sent to a server, whether the target URL address is matched with a preset URL list or not is judged; when the target URL address is matched with an item in a preset URL list, determining to send the target URL address and the equipment identifier of the first equipment to a server; and when the target URL address does not match the table entry in the preset URL list, directly sending the URL access request to second equipment.
According to an embodiment of the present invention, another file access control method is provided, which is applied to a second device, and includes: monitoring a Uniform Resource Locator (URL) access request from first equipment, wherein the URL access request carries a target URL address; judging whether the URL access request is legal or not according to login credential information stored in a server, wherein the login credential information comprises: the target URL address and a device identification of an access device that initiated URL access using the target URL address; and when the URL access request is legal, allowing the first equipment to access the file on the second equipment.
Optionally, the determining whether the URL access request is legal according to the login credential information stored in the server includes: inquiring a server about an access device list corresponding to the target URL address; matching the access device list by using a preset legal device list; when the list item of the preset legal equipment list is matched with the access equipment list, determining that the URL access request is legal; and when the table entry of the preset legal equipment list is not matched with the access equipment list, determining that the URL access request is illegal.
Optionally, before determining whether the URL access request is legal according to login credential information stored in the server, the method further includes: acquiring the preset legal equipment list from the server; and storing the preset legal equipment list locally.
According to an embodiment of the present invention, there is provided another file access control method applied to a server, including: receiving login credential information sent by a first device, wherein the login credential information comprises: a target URL address accessed by the first device and a device identification of the first device; and when the second equipment receives the URL access request sent by the first equipment, sending an access equipment list corresponding to the target URL address to the second equipment, wherein the access equipment list is used for the second equipment to perform admission judgment on the URL access request of the first equipment.
Optionally, before receiving the login credential information sent by the first device, the method further includes: sending a preset URL list to the first equipment; and sending, to the second device, the preset URL list and a preset legal device list of devices allowed to access the preset URL list.
According to another embodiment of the present invention, there is provided a file access control apparatus, which is applied to a first device, and includes: the monitoring module is used for monitoring a Uniform Resource Locator (URL) access request initiated by the first equipment, wherein the URL access request carries a target URL address; a first sending module, configured to send login credential information to a server, where the login credential information includes: the target URL address and a device identification of the first device; and the second sending module is used for sending the URL access request to second equipment after the login credential information is sent, wherein the login credential information is used for the second equipment to carry out admission judgment on the URL access request of the first equipment.
Optionally, the monitoring module includes at least one of: the first monitoring unit is used for monitoring a first URL access request initiated by the first equipment through a browser plug-in of the first equipment; and the second monitoring unit is used for monitoring a second URL access request initiated by the first equipment through a process hook of the first equipment.
Optionally, the apparatus further comprises: the judging module is used for judging whether the target URL address is matched with a preset URL list or not before the first sending module sends the login credential information to the server; the control module is used for determining to send the target URL address and the equipment identifier of the first equipment to a server when the target URL address is matched with an item in a preset URL list; and when the target URL address does not match the table entry in the preset URL list, directly sending the URL access request to second equipment.
According to another embodiment of the present invention, another file access control apparatus is provided, which is applied to a second device, and includes: a monitoring module, configured to monitor a Uniform Resource Locator (URL) access request from first equipment, where the URL access request carries a target URL address; a judging module, configured to judge whether the URL access request is legal according to login credential information stored in a server, where the login credential information includes: the target URL address and a device identification of an access device that initiated URL access using the target URL address; and a control module, configured to allow the first equipment to access the file on the second equipment when the URL access request is legal.
Optionally, the determining module includes: the query unit is used for querying a server for an access equipment list corresponding to the target URL address; the matching unit is used for matching the access equipment list by using a preset legal equipment list; a determining unit, configured to determine that the URL access request is valid when the entry of the preset valid device list matches the access device list; and when the table entry of the preset legal equipment list is not matched with the access equipment list, determining that the URL access request is illegal.
Optionally, the apparatus further comprises: an obtaining module, configured to obtain the preset legal device list from the server before the judging module determines whether the URL access request is legal according to login credential information stored in the server; and a storage module, configured to store the preset legal equipment list locally.
According to another embodiment of the present invention, there is provided a file access control apparatus, applied to a server, including: a receiving module, configured to receive login credential information sent by a first device, where the login credential information includes: a target URL address accessed by the first device and a device identification of the first device; a first sending module, configured to send, to a second device, an access device list corresponding to the target URL address when the second device receives the URL access request sent by the first device, where the access device list is used for performing admission judgment on the URL access request of the first device by the second device.
Optionally, the apparatus further comprises: a second sending module, configured to, before the receiving module receives the login credential information sent by the first equipment, send a preset URL list to the first equipment, and send to the second equipment the preset URL list and a preset legal equipment list of devices allowed to access the preset URL list.
According to still another embodiment of the present invention, there is provided a file access control system including: a first device, a second device, and a server connected with the first device and the second device, wherein the first device comprises the apparatus described in the above embodiment; the second device comprises the apparatus described in the above embodiment; and the server comprises the apparatus described in the above embodiment.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, a Uniform Resource Locator (URL) access request initiated by a first device is monitored, login credential information is then sent to a server, and only after the login credential information has been sent is the URL access request sent to a second device. Because the corresponding login credential information is sent to the server before the URL access request is sent, the receiving end of the URL access request can carry out admission judgment on the first device according to the login credential information in the server, which solves the technical problem that URL access can only be verified through an account password in the related technology. Illegal access caused by weak passwords, password leakage, password brute-forcing and the like can be avoided, and the security of URL access is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a block diagram of a hardware configuration of a file access control computer according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of controlling file access according to an embodiment of the present invention;
FIG. 3 is a flow chart of another method of controlling file access according to an embodiment of the present invention;
FIG. 4 is a flowchart of still another file access control method according to an embodiment of the present invention;
FIG. 5 is a timing diagram illustrating http/https client access to server resources in an embodiment of the present invention;
FIG. 6 is a protection flow diagram of an embodiment of the present invention;
FIG. 7 is a block diagram of a control apparatus for file access according to an embodiment of the present invention;
FIG. 8 is a block diagram of another structure of a file access control apparatus according to an embodiment of the present invention;
FIG. 9 is a block diagram of a control apparatus for file access according to another embodiment of the present invention;
FIG. 10 is a block diagram of a control system for file access according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by the first embodiment of the present application may be executed in a server, a computer, a terminal, or a similar computing device. Taking an example of the present invention running on a computer, fig. 1 is a block diagram of a hardware structure of a file access control computer according to an embodiment of the present invention. As shown in fig. 1, computer 10 may include one or more (only one shown in fig. 1) processors 102 (processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those of ordinary skill in the art that the configuration shown in FIG. 1 is illustrative only and is not intended to limit the configuration of the computer described above. For example, computer 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a file access control method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to computer 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of such networks may include wireless networks provided by the communications provider of computer 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The remote login system applied in this embodiment includes a first device, a second device, and a server, where when a file is remotely accessed through a URL (Uniform Resource Locator), a local device (the first device) initiates a remote access request to log in to the remote device (the second device), and after the login is successful, the local device can access corresponding file data on the remote device within an authority range. The server is used for information transfer and interaction between the first device and the second device.
In this embodiment, a method for controlling file access is provided, and fig. 2 is a flowchart of a method for controlling file access according to an embodiment of the present invention, as shown in fig. 2, the flowchart includes the following steps:
Step S202, monitoring a URL access request initiated by the first device, wherein the URL access request carries a target URL address;
The target URL address corresponds to the storage address of the file on the second device.
Step S204, sending login credential information to the server, wherein the login credential information comprises: a target URL address and a device identification of the first device;
At this point the URL access request is temporarily held back, and the corresponding process may be put into a suspended state. The login credential information is tracking ("dotting") information reported by the first device to the server.
Step S206, after the sending of the login credential information is completed, sending the URL access request to the second device, wherein the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
Optionally, the URL access request may be sent to the second device after feedback information from the server has been received, confirming that the server has received the login credential information.
Through the above steps, a Uniform Resource Locator (URL) access request initiated by the first device is monitored, login credential information is then sent to the server, and only after the login credential information has been sent is the URL access request sent to the second device. Because the corresponding login credential information is sent to the server before the URL access request is sent, the receiving end of the URL access request can carry out admission judgment on the first device according to the login credential information in the server, which solves the technical problem that URL access can only be verified through account passwords in the related technology. Illegal access caused by weak passwords, password leakage, password brute-forcing and the like can be avoided, and the security of URL access is improved.
The scheme of this embodiment may be applied to various file access modes, such as a C/S mode, a B/S mode, and the like. The communication between the first device and the second device may be relayed or direct, and may use any mode of information transmission and data exchange, such as C connecting directly to S or S connecting directly to C (similar to B/S). Fig. 3 is a schematic diagram of a remote login process of the C/S mode and the B/S mode in the embodiment of the present invention. The following is illustrated by way of example:
In the C/S mode scenario, when the Windows operating system of the server is managed, the C/S mode may be adopted, and the terminal connects to the Telnet server program of the managed server through a Telnet (remote login protocol) client program for management.
In the B/S mode scenario, when Web service systems such as websites, mails, forums, OAs, etc. are managed, the B/S mode is usually adopted, and a browser is used at a terminal to perform login management through a management page provided by a corresponding Web service.
In this embodiment, the monitoring of the URL access request initiated by the first device may be, but is not limited to: monitoring a first URL access request initiated by first equipment through a browser plug-in of the first equipment; and monitoring a second URL access request initiated by the first equipment through a process hook of the first equipment.
In an implementation manner of this embodiment, the first device is further configured with rule items identifying the specific URLs (e.g., important files, sensitive files, root directory files, etc.) that the user wishes to protect so that not everyone can access them, while other URLs can be accessed by everyone. The first device is locally configured with a preset URL list, in which a URL address list that can be accessed by the local device is set; the preset URL lists of different client devices may be different or the same. The scheme further comprises the following steps: before sending login credential information to a server, judging whether the target URL address matches the preset URL list; when the target URL address matches an item in the preset URL list, determining to send the target URL address and the equipment identifier of the first equipment to the server; and when the target URL address does not match any item in the preset URL list, directly sending the URL access request to the second equipment.
In this embodiment, another file access control method is provided, and fig. 3 is a flowchart of another file access control method according to an embodiment of the present invention, which is applied to a second device, as shown in fig. 3, where the flowchart includes the following steps:
Step S302, monitoring a Uniform Resource Locator (URL) access request from the first device, wherein the URL access request carries a target URL address;
Step S304, judging whether the URL access request is legal or not according to login credential information stored in the server, wherein the login credential information comprises: a target URL address, and a device identification of an access device initiating a URL access using the target URL address;
Step S306, when the URL access request is legal, allowing the first device to access the file on the second device.
When the remote login behavior is illegal, an alarm is raised or the URL access request of the first device is blocked.
Optionally, the determining whether the URL access request is legal according to the login credential information stored in the server includes:
S11, querying the server for the access device list corresponding to the target URL address;
S12, matching the access device list against a preset legal device list;
S13, when an entry of the preset legal device list matches the access device list, determining that the URL access request is legal; and when no entry of the preset legal device list matches the access device list, determining that the URL access request is illegal.
When the first device initiates a URL access request, the login credential information has already been sent to the server, and the server has stored the device identifier of the first device and the target URL address in an access device list. When the second device sends a request for the target URL address, the corresponding access device list is issued to the second device.
The preset legal device list comprises a plurality of devices which are considered to be legal by the second device, such as an administrator device, a device with a specified IP address, and the like.
In this embodiment, besides matching the device identifier, legality may also be judged by time: when sending the login credential information, the first device also sends the operation time of the URL access request to the server; the server sends the operation time of the first device to the second device when the second device requests it; the interval between the operation time of the first device and the response time of the second device (the time at which the second device responds to the remote login behavior) is then calculated, and the URL access request of the first device is considered legal when the interval is smaller than a certain value.
Optionally, before determining whether the URL access request is legal according to the login credential information stored in the server, the method further includes: acquiring a preset legal device list from a server; and storing the preset legal equipment list locally.
In this embodiment, a further method for controlling file access is provided, and fig. 4 is a flowchart of the further method for controlling file access according to the embodiment of the present invention, which is applied to a server, as shown in fig. 4, the flowchart includes the following steps:
step S402, receiving login credential information sent by a first device, where the login credential information includes: a target URL address accessed by the first device and a device identification of the first device;
step S404, when the second device receives the URL access request sent by the first device, sending an access device list corresponding to the target URL address to the second device, where the access device list is used for the second device to perform admission judgment on the URL access request of the first device.
In one implementation of this embodiment, after receiving the login credential information sent by the first device, the server sets a keep-alive time and keeps the login credential information locally only for that period of time.
Optionally, before receiving the login credential information sent by the first device, the method further includes: sending a preset URL list to the first device; and sending to the second device the preset URL list and the preset legal device list allowed to access the preset URL list.
Fig. 5 is a timing diagram of an HTTP/HTTPS client accessing server resources in the embodiment of the present invention; the scheme of the present embodiment is described below with reference to this application example. In the configuration stage, the server-side and client-side protection modules are installed on the server to be protected and on the visitor computer, respectively, and a control center (server) is deployed so that both the visitor computer and the server can access the control center. The process comprises the following steps:
S1, after the client protection module is started, it actively connects to the control center, and the control center issues protection rules to the client; the rule content is the list of server URLs to be protected;
S2, after the server protection module is started, it actively connects to the control center, and the control center issues protection rules to the server; the rule content is the list of URLs to be protected and the unique identifiers of the clients allowed to access each URL;
S3, when the URL accessed by the client user matches the URL rule list, the client protection module suspends the user's access (the suspension can be at the millisecond level, so the user does not perceive it);
S4, the client protection module reports the URL requested by the user and the unique identifier of the client to the control center;
S5, the client protection module releases the user's access to the URL;
S6, the server protection module intercepts the user's access to the file corresponding to the URL and queries the control center for the list of unique identifiers of the clients accessing the URL;
S7, the control center returns the list of clients accessing the URL, and the server protection module matches this list against the list of clients allowed to access; if they do not match, the server protection module blocks the access;
S8, if the unique identifier of the client accessing the URL matches the list of clients allowed to access, the user's access is released.
Fig. 6 is a protection flow chart of an embodiment of the present invention, which is a supplementary description of the above-described exemplary scheme, wherein the MID is a client unique identifier (a device identifier), and the matching judgment is performed by the MID.
The present embodiment also prevents replay attacks using login credentials: the client registers with the control center, the server checks the registration, and the registration expires quickly (by setting the keep-alive time).
With the scheme of this embodiment, when a hacker tries to access the target system using acquired credential information, the server protection module fails to verify the registration information because no client protection module has registered, and the access is denied. If the hacker obtains the cookie information of the login credential and replays it to log in, the login also fails because of the timeout limit. For example, suppose an enterprise deploys a security product that follows the processing flow of the invention, and a hacker obtains the user name and password of the enterprise business system by sending a phishing email to one of the employees and tries to log in to the business system. Because the computer used for the login does not have the client protection module of the security product, the hacker cannot log in to the business system even though the user name and password are correct, which protects the security of the enterprise.
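The S1 to S8 exchange and the keep-alive expiry described above, sketched in Python as an added example (it is not code from the patent or from any product). The class names, the MID values, the URLs and the 5-second keep-alive are all assumptions made for illustration.

```python
"""Sketch of the S1-S8 admission flow with keep-alive expiry (constructed example)."""
import time


class ControlCenter:
    """Holds the protection rules and short-lived client registrations."""

    def __init__(self, keep_alive_s, clock=time.monotonic):
        self.keep_alive_s = keep_alive_s
        self.clock = clock
        self._allowed = {}      # url -> set of MIDs allowed to access it
        self._registered = {}   # url -> {mid: time the client reported it}

    def add_rule(self, url, allowed_mids):
        self._allowed[url] = set(allowed_mids)

    def client_rules(self):
        # S1: clients only learn which URLs are protected.
        return frozenset(self._allowed)

    def server_rules(self):
        # S2: the server also learns which MIDs may access each URL.
        return {url: frozenset(mids) for url, mids in self._allowed.items()}

    def register(self, url, mid):
        # S4: store (url, MID) together with the time of the report.
        self._registered.setdefault(url, {})[mid] = self.clock()

    def accessors(self, url):
        # S7: return only MIDs registered within the keep-alive window and
        # drop expired entries so an old registration cannot be reused.
        now = self.clock()
        entries = self._registered.get(url, {})
        live = {m: t for m, t in entries.items() if now - t <= self.keep_alive_s}
        self._registered[url] = live
        return set(live)


class ServerModule:
    """Server-side protection module on the second device."""

    def __init__(self, center):
        self.center = center
        self.allowed = center.server_rules()        # S2

    def admit(self, url):
        if url not in self.allowed:
            return True                             # URL is not protected
        recent = self.center.accessors(url)         # S6 and S7
        return bool(recent & self.allowed[url])     # S8, otherwise blocked


class ClientModule:
    """Client-side protection module on the first device."""

    def __init__(self, mid, center):
        self.mid = mid
        self.center = center
        self.protected = center.client_rules()      # S1

    def send(self, url, server):
        if url in self.protected:                   # S3: hold the request
            self.center.register(url, self.mid)     # S4: report URL and MID
        return server.admit(url)                    # S5: release the request


class FakeClock:
    """Deterministic clock so the expiry case runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo():
    clock = FakeClock()
    center = ControlCenter(keep_alive_s=5, clock=clock)   # assumed value
    url = "https://files.example.test/finance/report.xlsx"  # constructed
    center.add_rule(url, {"MID-ALICE"})                   # constructed MID
    server = ServerModule(center)
    alice = ClientModule("MID-ALICE", center)
    guest = ClientModule("MID-GUEST", center)             # not on the allow list

    results = {}
    # Request from a machine with no client module: nothing was registered.
    results["no_client_module"] = server.admit(url)
    # Client module present, but its MID is not allowed for this URL.
    results["unlisted_mid"] = guest.send(url, server)
    # Allowed client registers, then its request is admitted.
    results["registered_client"] = alice.send(url, server)
    # Same request replayed after the keep-alive time has passed.
    clock.advance(6)
    results["after_keep_alive"] = server.admit(url)
    # URLs outside the rule list are never held or checked.
    results["unprotected_url"] = server.admit("https://files.example.test/public/")
    return results


if __name__ == "__main__":
    for case, admitted in run_demo().items():
        print(f"{case}: {'admitted' if admitted else 'blocked'}")
```

In this sketch the admission decision is keyed on the URL and MID only, so the keep-alive value is what bounds how long one registration can admit requests.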
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a file access control device and system are further provided to implement the foregoing embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 7 is a block diagram of a control apparatus for file access according to an embodiment of the present invention, applied to a first device, as shown in fig. 7, the apparatus includes: a monitoring module 70, a first transmitting module 72, a second transmitting module 74, wherein,
a monitoring module 70, configured to monitor a URL access request initiated by the first device, where the URL access request carries a target URL address;
a first sending module 72, configured to send login credential information to a server, where the login credential information includes: the target URL address and a device identification of the first device;
a second sending module 74, configured to send the URL access request to a second device after the login credential information is sent, where the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
Optionally, the monitoring module includes at least one of: a first monitoring unit, configured to monitor a first URL access request initiated by the first device through a browser plug-in of the first device; and a second monitoring unit, configured to monitor a second URL access request initiated by the first device through a process hook of the first device.
Optionally, the apparatus further comprises: a judging module, configured to judge whether the target URL address matches a preset URL list before the first sending module sends the login credential information to the server; and a control module, configured to determine to send the target URL address and the device identifier of the first device to the server when the target URL address matches an entry in the preset URL list, and to send the URL access request directly to the second device when the target URL address does not match any entry in the preset URL list.
Fig. 8 is a block diagram of another structure of a file access control device according to an embodiment of the present invention, which is applied to a second device, and as shown in fig. 8, the device includes: a monitoring module 80, a decision module 82, a control module 84, wherein,
a monitoring module 80, configured to monitor a URL access request from a first device, where the URL access request carries a target URL address;
a determining module 82, configured to determine whether the URL access request is legal according to login credential information stored in the server, where the login credential information includes: the target URL address and a device identification of the access device that initiated the URL access;
a control module 84, configured to allow the first device to access the file on the second device when the URL access request is legal.
Optionally, the determining module includes: a query unit, configured to query the server for an access device list corresponding to the target URL address; a matching unit, configured to match the access device list against a preset legal device list; and a determining unit, configured to determine that the URL access request is legal when an entry of the preset legal device list matches the access device list, and to determine that the URL access request is illegal when no entry of the preset legal device list matches the access device list.
Optionally, the apparatus further comprises: an obtaining module, configured to obtain the preset legal device list from the server before the determining module determines whether the URL access request is legal according to login credential information stored in the server; and a storage module, configured to store the preset legal device list locally.
Fig. 9 is a block diagram of a control device for file access according to another embodiment of the present invention, which is applied to a server, and as shown in fig. 9, the device includes: a receiving module 90, a first transmitting module 92, wherein,
a receiving module 90, configured to receive login credential information sent by a first device, where the login credential information includes: a target URL address accessed by the first device and a device identification of the first device;
a first sending module 92, configured to send, to a second device, an access device list corresponding to the target URL address when the second device receives the URL access request sent by the first device, where the access device list is used for performing admission judgment on the URL access request of the first device by the second device.
Optionally, the apparatus further comprises: a second sending module, configured to, before the receiving module receives the login credential information sent by the first device, send a preset URL list to the first device, and send to the second device the preset URL list and the preset legal device list allowed to access the preset URL list.
Fig. 10 is a block diagram of a control system for file access according to an embodiment of the present invention, and as shown in fig. 10, the system includes: a first device 100, a second device 102, and a server 104 connected to the first device and the second device, wherein the first device 100 includes the apparatus according to the above embodiment; the second device 102, comprising the apparatus according to the above embodiment; the server 104 includes the apparatus according to the above embodiment.
It should be noted that the above modules may be implemented by software or hardware; for the latter, this may be achieved in the following ways, without being limited to them: the modules are all located in the same processor; or the modules are located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, monitoring a Uniform Resource Locator (URL) access request initiated by the first device, wherein the URL access request carries a target URL address;
S2, sending login credential information to the server, wherein the login credential information comprises: the target URL address and a device identification of the first device;
S3, after the sending of the login credential information is completed, sending the URL access request to a second device, wherein the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, monitoring a Uniform Resource Locator (URL) access request initiated by the first device, wherein the URL access request carries a target URL address;
S2, sending login credential information to the server, wherein the login credential information comprises: the target URL address and a device identification of the first device;
S3, after the sending of the login credential information is completed, sending the URL access request to a second device, wherein the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program code.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered to fall within the protection scope of the present application.

Claims (10)

1. A method for controlling file access, applied to a first device, characterized by comprising the following steps:
monitoring a Uniform Resource Locator (URL) access request initiated by the first device, wherein the URL access request carries a target URL address;
sending login credential information to a server, wherein the login credential information comprises: the target URL address and a device identification of the first device;
and after the login credential information is sent, sending the URL access request to a second device, wherein the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
2. The method of claim 1, wherein monitoring the URL access request initiated by the first device comprises one of:
monitoring a first URL access request initiated by the first device through a browser plug-in of the first device;
and monitoring a second URL access request initiated by the first device through a process hook of the first device.
3. A method for controlling file access, applied to a second device, characterized by comprising the following steps:
monitoring a Uniform Resource Locator (URL) access request from a first device, wherein the URL access request carries a target URL address;
judging whether the URL access request is legal according to login credential information stored in a server, wherein the login credential information comprises: the target URL address and a device identification of the access device that initiated the URL access;
and when the URL access request is legal, allowing the first device to access the file on the second device.
4. A method for controlling file access, applied to a server, characterized by comprising the following steps:
receiving login credential information sent by a first device, wherein the login credential information comprises: a target URL address accessed by the first device and a device identification of the first device;
and when a second device receives the URL access request sent by the first device, sending an access device list corresponding to the target URL address to the second device, wherein the access device list is used for the second device to perform admission judgment on the URL access request of the first device.
5. A file access control device applied to a first device, comprising:
a monitoring module, configured to monitor a Uniform Resource Locator (URL) access request initiated by the first device, where the URL access request carries a target URL address;
a first sending module, configured to send login credential information to a server, where the login credential information includes: the target URL address and a device identification of the first device;
a second sending module, configured to send the URL access request to a second device after the login credential information is sent, where the login credential information is used for the second device to perform admission judgment on the URL access request of the first device.
6. A file access control apparatus applied to a second device, comprising:
a monitoring module, configured to monitor a Uniform Resource Locator (URL) access request from a first device, where the URL access request carries a target URL address;
a judging module, configured to judge whether the URL access request is legal according to login credential information stored in a server, where the login credential information includes: the target URL address and a device identification of the access device that initiated the URL access;
a control module, configured to allow the first device to access the file on the second device when the URL access request is legal.
7. A file access control device applied to a server is characterized by comprising:
a receiving module, configured to receive login credential information sent by a first device, where the login credential information includes: a target URL address accessed by the first device and a device identification of the first device;
a first sending module, configured to send, to a second device, an access device list corresponding to the target URL address when the second device receives the URL access request sent by the first device, where the access device list is used for performing admission judgment on the URL access request of the first device by the second device.
8. A system for controlling file access, comprising: a first device, a second device, a server connected to the first device and the second device, wherein,
the first device comprising the apparatus of claim 5;
the second device comprising the apparatus of claim 6;
the server comprising the apparatus of claim 7.
9. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 4 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 4.
CN201910755466.5A 2019-08-15 2019-08-15 File access control method, device, system, storage medium and electronic device Pending CN112395586A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755466.5A CN112395586A (en) 2019-08-15 2019-08-15 File access control method, device, system, storage medium and electronic device

Publications (1)

Publication Number Publication Date
CN112395586A true CN112395586A (en) 2021-02-23

Family

ID=74601855

Country Status (1)

Country Link
CN (1) CN112395586A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210223