CN112528248A - User authority management scheme facing multiple applications - Google Patents

Publication number: CN112528248A
Application number: CN202011421801.7A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 刘明, 张春飞, 贺一珊, 谢水庚
Original and current assignee: Beijing Casicloud Co ltd
Prior art keywords: authority, user, application, role, management

Classifications

    • G06F Electric digital data processing (G Physics; G06 Computing; calculating or counting)
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F16/00 Information retrieval; database structures therefor; file system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Abstract

The invention relates to the technical field of website system development, in particular to a user authority management scheme oriented to multiple applications, and aims to support unified authority management for a multiple-application system whose applications have personalized authority-control requirements. The scheme comprises the following: the authority model consists of four parts, namely user, role, resource and operation; based on the defined authority model, basic add, delete, modify and query operations on the model are first provided and packaged into an SDK with which an application is built and connected to the unified authority system; once the SDK is prepared, the method comprises the following steps: S1, application registration; S2, a right-confirming module; S3, an authorization module; S4, an authentication module.

Description

User authority management scheme facing multiple applications
Technical Field
The invention relates to the technical field of website system development, in particular to a user authority management scheme for multiple applications.
Background
Website systems have long since developed from single applications into application groups composed of multiple applications. The security of these applications is very important, and system security cannot do without authority management, so in the face of such numerous systems the cost of each system independently developing its own authority system grows ever higher. Resources are therefore wasted, research and development cost rises, and maintenance and extension become more difficult.
Most existing multi-application authority management schemes perform authority management based on RBAC (Role-Based Access Control), and achieve unified authority assignment and management through steps such as presetting the authority management configuration, explicitly standardizing the roles of the application management system, and assigning roles to the integrated multi-application system. Although this authority management mode is convenient, its extensibility is low, and in complex services it is difficult to meet an application system's requirements for personalized, customized roles and rights.
Disclosure of Invention
In order to solve the technical problems above, the invention provides a user authority management scheme oriented to multiple applications, which aims to support unified authority management for a multiple-application system with personalized authority-control requirements.
The user authority management scheme facing multiple applications comprises the following:
the authority model consists of four parts, namely user, role, resource and operation;
based on the defined authority model, basic add, delete, modify and query operations on the model are first provided and packaged into an SDK with which an application is built and connected to the unified authority system; once the SDK is prepared, the method comprises the following steps:
S1, application registration
If a new application needs to use unified authority management, it must first be registered as an application and obtain an application unique identifier;
S2, right-confirming module
The right-confirming module defines the basic authority content of the application, including basic information such as resources, operations and roles. The unified user authority system must provide an authority management background, in which an application connected to the system can perform right-confirming operations for itself;
S3, authorization module
The authorization module is responsible for granting users the authority to operate on resources. A connected system can set system authority for a user through the unified authority management SDK; when authority needs to be set for a user, only the corresponding method in the SDK needs to be called;
S4, authentication module
The authentication module is responsible for judging whether the current user has the authority to operate on a given resource, and is a very important part of the authority control system.
In the user authority management scheme facing multiple applications of the invention, the authority model is specifically as follows:
user: the user of a resource, and the owner of the authority;
role: a role uniformly defined by the system, or a role defined by each application itself;
resource: a resource to which access is restricted, which may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
In the multi-application-oriented user right management scheme of the present invention, in step S2 the right management background includes the following functions:
S201, application switching function: because the authority management background serves a plurality of applications, an application administrator must be able to select or switch to the application whose authority is to be defined; after switching to a certain application, the administrator can manage only that system's authority in the background. The application switching function guarantees the independence of each application's authority, so that each application can define and design its own right-confirming rules;
S202, authority management function: provides convenient operations for viewing, adding, editing or deleting resources;
S203, role management function: responsible for providing a user-defined role setting function;
S204, role authority management function: responsible for establishing the relation between user-defined roles and authority;
in addition, if an application does not use the authority management background to confirm its authority, it can use the unified authority management SDK to develop an independent right-confirming function.
In the multi-application-oriented user right management scheme of the present invention, in step S3, according to the different requirements of the applications, the unified right management system provides two types of authorization mode:
S301, user-authority: a mapping between a user and an authority (resource and operation) is established directly, marking which rights the user has;
S302, user-role-authority: first, a mapping between a role defined in the right-confirming module and the existing authority is established, declaring which resources the role is qualified to operate on; then the relationship between user and role is established, realizing user authority control indirectly.
In the multi-application-oriented user right management scheme of the present invention, step S4 includes three authentication modes, and a connected application can select and use one according to its own authority system or project architecture; the three authentication modes are integrated in the unified authentication SDK and are as follows:
S401, authentication by calling static methods of the authority SDK: when the user accesses a resource, the authority is judged by calling the following static methods:
a. judge whether the user has certain authority (one or more permissions);
b. judge whether the user has certain role(s);
c. acquire all roles of the user under the application;
d. acquire all permissions of the user under the application (including permissions granted directly to the user and permissions granted through the user's roles);
S402, authentication by means of Spring annotations;
S403, authentication in filter mode.
Compared with the prior art, the invention has the following beneficial effect: based on the RBAC model, it provides an improved user authority management scheme facing multiple applications, which differs from the existing RBAC multi-application authority management systems.
Drawings
FIG. 1 is a diagram of the rights model of the present invention;
FIG. 2 is a definition diagram of the annotation class in an embodiment;
FIG. 3 is an example diagram, in the embodiment, of the annotation authentication usage: configuring @PemDeccle on an interface to declare the role or right a user must hold when accessing the interface;
FIG. 4 is a configuration diagram, in the embodiment, of the setup performed after introducing the authentication SDK, taking a SpringMVC project as an example.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
As shown in FIGS. 1 to 4, the multi-application-oriented user right management scheme of the present invention includes the following:
as shown in FIG. 1, the authority model is composed of four parts, namely user, role, resource and operation;
based on the defined authority model, basic add, delete, modify and query operations on the model are first provided and packaged into an SDK with which an application is built and connected to the unified authority system; once the SDK is prepared, the method comprises the following steps:
S1, application registration
If a new application needs to use unified authority management, it must first be registered as an application and obtain an application unique identifier;
S2, right-confirming module
The right-confirming module defines the basic authority content of the application, including basic information such as resources, operations and roles. The unified user authority system must provide an authority management background, in which an application connected to the system can perform right-confirming operations for itself;
S3, authorization module
The authorization module is responsible for granting users the authority to operate on resources. A connected system can set system authority for a user through the unified authority management SDK; when authority needs to be set for a user, only the corresponding method in the SDK needs to be called;
S4, authentication module
The authentication module is responsible for judging whether the current user has the authority to operate on a given resource, and is a very important part of the authority control system.
In the user authority management scheme facing multiple applications of the invention, the authority model is specifically as follows:
user: the user of a resource, and the owner of the authority;
role: a role uniformly defined by the system, or a role defined by each application itself;
resource: a resource to which access is restricted, which may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
In the multi-application-oriented user right management scheme of the present invention, in step S2, in order to meet each application's different requirements on rights, the rights management background is designed with the following functions:
S201, application switching function: because the authority management background serves a plurality of applications, an application administrator must be able to select or switch to the application whose authority is to be defined; after switching to a certain application, the administrator can manage only that system's authority in the background. The application switching function guarantees the independence of each application's authority, so that each application can define and design its own right-confirming rules;
S202, authority management function: provides convenient operations for viewing, adding, editing or deleting resources;
S203, role management function: responsible for providing a user-defined role setting function;
S204, role authority management function: responsible for establishing the relation between user-defined roles and authority;
in addition, if an application does not use the authority management background to confirm its authority, it can use the unified authority management SDK to develop an independent right-confirming function.
In the multi-application-oriented user right management scheme of the present invention, in step S3, according to the different requirements of the applications, the unified right management system provides two types of authorization mode:
S301, user-authority: a mapping between a user and an authority (resource and operation) is established directly, marking which rights the user has;
S302, user-role-authority: first, a mapping between a role defined in the right-confirming module and the existing authority is established, declaring which resources the role is qualified to operate on; then the relationship between user and role is established, realizing user authority control indirectly.
In the multi-application-oriented user right management scheme of the invention, in step S4, three authentication modes are designed so that various applications can conveniently realize authentication, and a connected application can select and use one according to its own authority system or project architecture; the three authentication modes are integrated in the unified authentication SDK and are as follows:
S401, authentication by calling static methods of the authority SDK: when the user accesses a resource, the authority is judged by calling the following static methods:
a. judge whether the user has certain authority (one or more permissions);
b. judge whether the user has certain role(s);
c. acquire all roles of the user under the application;
d. acquire all permissions of the user under the application (including permissions granted directly to the user and permissions granted through the user's roles);
S402, authentication by means of Spring annotations;
the SDK defines the authentication annotation; the definition of the annotation class is shown in FIG. 2;
the annotation authentication usage is to configure @pemdetail on an interface and declare the role or authority a user must hold when accessing the interface, as shown in the example of FIG. 3;
the example shows that the user must have manager rights to call the /user/get interface;
S403, authentication in filter mode;
authentication management is realized by configuring a filter (PemmisionFilter) and defining which access paths require which authority in order to be accessed;
taking a SpringMVC project as an example, after the authentication SDK is introduced, the configuration shown in FIG. 4 is performed.
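The four-part model, the two authorization modes (S301, S302) and the static-method, annotation and filter check modes (S401 to S403) described above and in the Disclosure, as an added Java 17 example that is not the patent's SDK: the class name, the @RequiresPermission annotation, the application identifiers and the sample users and grants are constructed placeholders, and the annotation and filter checks deny by default when no rule has been declared.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Added example, not the patent's SDK. Class and annotation names are placeholders.
public final class UnifiedAuthority {
    // A permission is a (resource, operation) pair, as in the four-part model.
    public record Permission(String resource, String operation) {}
    // Every table lives inside the application's scope (S1), so a role or grant
    // defined by one application can never satisfy a check made by another.
    private static final class AppScope {
        final Map<String, Set<Permission>> rolePerms = new HashMap<>();  // S204 / S302 step 1
        final Map<String, Set<String>> userRoles = new HashMap<>();      // S302 step 2
        final Map<String, Set<Permission>> userPerms = new HashMap<>();  // S301 direct grants
        final Map<String, Permission> pathRules = new HashMap<>();       // S403 filter table
    }
    private static final Map<String, AppScope> APPS = new HashMap<>();

    // S1: registration hands back the application unique identifier (constructed here).
    public static String registerApplication(String appName) {
        String appId = "app-" + appName.toLowerCase(Locale.ROOT);
        APPS.putIfAbsent(appId, new AppScope());
        return appId;
    }
    private static AppScope scope(String appId) {
        AppScope s = APPS.get(appId);
        if (s == null) throw new IllegalArgumentException("unregistered application: " + appId);
        return s;
    }

    // S2 / S204: bind a role (system-wide or application-defined) to a permission.
    public static void grantRolePermission(String appId, String role, Permission p) {
        scope(appId).rolePerms.computeIfAbsent(role, k -> new HashSet<>()).add(p);
    }
    // S301: direct user -> permission mapping.
    public static void grantUserPermission(String appId, String user, Permission p) {
        scope(appId).userPerms.computeIfAbsent(user, k -> new HashSet<>()).add(p);
    }
    // S302: user -> role mapping; rights then flow indirectly through the role.
    public static void assignRole(String appId, String user, String role) {
        scope(appId).userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }
    // S403: declare which permission a request path needs.
    public static void requireForPath(String appId, String path, Permission p) { scope(appId).pathRules.put(path, p); }

    // S401 c: all roles of the user under this application.
    public static Set<String> rolesOf(String appId, String user) { return Set.copyOf(scope(appId).userRoles.getOrDefault(user, Set.of())); }
    // S401 d: all permissions, direct grants plus those inherited through roles.
    public static Set<Permission> permissionsOf(String appId, String user) {
        AppScope s = scope(appId);
        Set<Permission> all = new HashSet<>(s.userPerms.getOrDefault(user, Set.of()));
        for (String role : s.userRoles.getOrDefault(user, Set.of())) all.addAll(s.rolePerms.getOrDefault(role, Set.of()));
        return all;
    }
    // S401 a and b: the two boolean static checks.
    public static boolean hasPermission(String appId, String user, Permission p) { return permissionsOf(appId, user).contains(p); }
    public static boolean hasRole(String appId, String user, String role) { return rolesOf(appId, user).contains(role); }

    // S402: annotation mode. Placeholder name; the patent's own annotation is not reproduced.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface RequiresPermission { String resource(); String operation(); }
    // Interceptor-style check on a handler method. An un-annotated handler is denied
    // rather than allowed, so a forgotten annotation cannot open an endpoint.
    public static boolean authorizeHandler(String appId, String user, Method handler) {
        RequiresPermission req = handler.getAnnotation(RequiresPermission.class);
        return req != null && hasPermission(appId, user, new Permission(req.resource(), req.operation()));
    }
    // S403: filter-style check on a request path; a path without a rule is denied.
    public static boolean authorizePath(String appId, String user, String path) {
        Permission p = scope(appId).pathRules.get(path);
        return p != null && hasPermission(appId, user, p);
    }

    // Constructed controller mirroring the /user/get example of the description.
    public static final class UserController {
        @RequiresPermission(resource = "user", operation = "view")
        public String get() { return "user record"; }
    }

    public static void main(String[] args) throws Exception {
        String crm = registerApplication("CRM"), wiki = registerApplication("Wiki");
        Permission viewUser = new Permission("user", "view");
        grantRolePermission(crm, "manager", viewUser);   // role defined within CRM only
        assignRole(crm, "alice", "manager");             // S302: indirect grant
        grantUserPermission(wiki, "bob", viewUser);      // S301: direct grant
        requireForPath(crm, "/user/get", viewUser);
        Method get = UserController.class.getMethod("get");
        System.out.println("alice@CRM  annotation check: " + authorizeHandler(crm, "alice", get));
        System.out.println("alice@CRM  filter check:     " + authorizePath(crm, "alice", "/user/get"));
        System.out.println("alice@Wiki annotation check: " + authorizeHandler(wiki, "alice", get));
        System.out.println("bob@Wiki   direct grant:     " + hasPermission(wiki, "bob", viewUser));
    }
}
```

Compile and run with `java UnifiedAuthority.java`; the third line of output shows that alice's manager role, defined under CRM, grants nothing under Wiki.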
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (5)

1. A user authority management scheme facing multiple applications, characterized by comprising the following:
the authority model consists of four parts, namely user, role, resource and operation;
based on the defined authority model, basic add, delete, modify and query operations on the model are first provided and packaged into an SDK with which an application is built and connected to the unified authority system; once the SDK is prepared, the method comprises the following steps:
S1, application registration
If a new application needs to use unified authority management, it must first be registered as an application and obtain an application unique identifier;
S2, right-confirming module
The right-confirming module defines the basic authority content of the application, including basic information such as resources, operations and roles. The unified user authority system must provide an authority management background, in which an application connected to the system can perform right-confirming operations for itself;
S3, authorization module
The authorization module is responsible for granting users the authority to operate on resources. A connected system can set system authority for a user through the unified authority management SDK; when authority needs to be set for a user, only the corresponding method in the SDK needs to be called;
S4, authentication module
The authentication module is responsible for judging whether the current user has the authority to operate on a given resource, and is a very important part of the authority control system.
2. The multi-application-oriented user rights management scheme of claim 1, wherein the rights model is specifically as follows:
user: the user of a resource, and the owner of the authority;
role: a role uniformly defined by the system, or a role defined by each application itself;
resource: a resource to which access is restricted, which may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
3. The multi-application-oriented user rights management scheme of claim 2, wherein the rights management background comprises the following functions:
S201, application switching function: because the authority management background serves a plurality of applications, an application administrator must be able to select or switch to the application whose authority is to be defined; after switching to a certain application, the administrator can manage only that system's authority in the background. The application switching function guarantees the independence of each application's authority, so that each application can define and design its own right-confirming rules;
S202, authority management function: provides convenient operations for viewing, adding, editing or deleting resources;
S203, role management function: responsible for providing a user-defined role setting function;
S204, role authority management function: responsible for establishing the relation between user-defined roles and authority;
in addition, if an application does not use the authority management background to confirm its authority, it can use the unified authority management SDK to develop an independent right-confirming function.
4. The multi-application-oriented user rights management scheme of claim 3, wherein in step S3, according to the different requirements of the applications, the unified rights management system provides two types of authorization mode:
S301, user-authority: a mapping between a user and an authority (resource and operation) is established directly, marking which rights the user has;
S302, user-role-authority: first, a mapping between a role defined in the right-confirming module and the existing authority is established, declaring which resources the role is qualified to operate on; then the relationship between user and role is established, realizing user authority control indirectly.
5. The multi-application-oriented user right management scheme of claim 4, wherein step S4 includes three authentication modes, and a connected application can select a suitable one for use according to its own authority system or project architecture; the three authentication modes are integrated in the unified authentication SDK and are as follows:
S401, authentication by calling static methods of the authority SDK: when the user accesses a resource, the authority is judged by calling the following static methods:
a. judge whether the user has certain authority (one or more permissions);
b. judge whether the user has certain role(s);
c. acquire all roles of the user under the application;
d. acquire all permissions of the user under the application (including permissions granted directly to the user and permissions granted through the user's roles);
S402, authentication by means of Spring annotations;
S403, authentication in filter mode.
Bibliographic data

Application number: CN202011421801.7A
Title: User authority management scheme facing multiple applications
Priority date: 2020-12-08
Filing date: 2020-12-08
Publication number: CN112528248A (en), published 2021-03-19
Legal status: Pending
Family ID: 74998124
Country status: CN (1), CN112528248A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113742746A (en) * 2021-08-27 2021-12-03 北京航天云路有限公司 Combined authentication authority management system and method based on annotation realization

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107257337A (en) * 2017-06-15 2017-10-17 重庆扬讯软件技术股份有限公司 A kind of shared authority control method of multiterminal and its system
CN109117647A (en) * 2018-07-17 2019-01-01 众安信息技术服务有限公司 A kind of the permission control management method and management system of mobile application SDK
CN109688120A (en) * 2018-12-14 2019-04-26 浙江大学 Based on the dynamic permission management system for improving RBAC model and Spring Security frame
CN110162960A (en) * 2019-05-22 2019-08-23 陕西中达公路技术服务有限公司 A kind of method for verifying authority based on user management
CN110197058A (en) * 2019-04-15 2019-09-03 杭州恩牛网络技术有限公司 Unified internal control method for managing security, system, medium and electronic equipment
CN110445697A (en) * 2019-08-08 2019-11-12 杭州阿启视科技有限公司 Video big data cloud platform equipment access service method
CN110825362A (en) * 2019-11-04 2020-02-21 广东道一信息技术股份有限公司 Low-code application software development system and method

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination