CN112528248A - User authority management scheme facing multiple applications - Google Patents
- Publication number: CN112528248A (application CN202011421801.7A)
- Authority: CN (China)
- Prior art keywords: authority (permission), user, application, role, management
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking (under G06F16/95 Retrieval from the web; G06F16/90 Details of database functions independent of the retrieved data types; G06F16/00 Information retrieval; database structures therefor; file system structures therefor)
- G06F21/45 Structures or tools for the administration of authentication (under G06F21/30; G06F21/00)
Abstract
The invention relates to the field of website system development, in particular to a user permission management scheme for multiple applications, intended to provide unified permission management for a group of applications whose individual permission-control requirements differ. The permission model consists of four parts: user, role, resource and operation. On the basis of the defined model, the basic create, read, update and delete operations on the model are implemented first and packaged as an SDK, through which an application is built and integrated into the unified permission system. Once the SDK is ready, the scheme comprises the following steps: S1, application registration; S2, a permission definition module; S3, an authorization (grant) module; S4, a permission verification module.
Description
Technical Field
The invention relates to the field of website system development, in particular to a user permission management scheme for multiple applications.
Background
Website systems have long since grown from a single application into application groups made up of many applications. The security of these applications is essential, and system security cannot do without permission management. Faced with so many systems, the cost of having each one develop its own permission system keeps rising: resources are wasted, development cost grows, and maintenance and extension become harder.
Most existing multi-application permission management schemes are based on RBAC (Role-Based Access Control). They achieve unified permission assignment by presetting the permission management configuration, explicitly standardizing the roles of the application management system, and distributing those roles to the integrated applications. Although this way of managing permissions is convenient, it extends poorly: in complex business scenarios it is hard to satisfy an application's need for individually customized roles and permissions.
Disclosure of Invention
To solve these technical problems, the invention provides a user permission management scheme for multiple applications, intended to support unified permission management for an application group whose members have individual permission-control requirements.
The user permission management scheme for multiple applications comprises the following:
the permission model consists of four parts: user, role, resource and operation;
on the basis of the defined permission model, the basic create, read, update and delete operations on the model are implemented first and packaged as an SDK, through which an application is built and integrated into the unified permission system; once the SDK is ready, the scheme comprises the following steps:
S1, application registration
A new application that wants to use unified permission management must first register and obtain a unique application identifier;
S2, permission definition module
The permission definition module establishes the basic permission content of an application, i.e. its resources, operations and roles. The unified permission system provides a permission management console in which an integrated application defines its own permissions;
S3, authorization module
The authorization module grants users permissions to operate on resources. An integrated application sets a user's permissions through the unified permission management SDK: whenever a permission must be granted, it only needs to call the corresponding SDK method;
S4, permission verification module
The permission verification module decides whether the current user is permitted to perform an operation on a given resource, and is a critical part of the permission control system (this is an authorization decision about a user whose identity has already been established, not identity authentication).
The permission model of the scheme is specifically as follows:
user: the consumer of resources and the holder of permissions;
role: either a role defined uniformly by the system or a role defined by an individual application;
resource: an object to which access is restricted; it may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
In step S2, the permission management console provides the following functions:
S201, application switching: because the console serves many applications, an application administrator must be able to select or switch to the application whose permissions are to be defined. After switching to an application, the administrator can manage only that application's permissions in the console. Application switching thus keeps the permissions of the applications independent of one another, so that each application can design its own permission definition rules;
S202, permission management: convenient viewing, creation, editing and deletion of resources;
S203, role management: definition of application-specific (custom) roles;
S204, role permission management: establishing the relationship between custom roles and permissions;
in addition, an application that does not use the console to define its permissions can build its own independent permission definition function with the unified permission management SDK.
In step S3, to meet the differing requirements of the applications, the unified permission system provides two authorization modes:
S301, a direct mapping between a user and a permission (a resource together with an operation), which records which permissions the user holds;
S302, user-role-permission: first a mapping is established between a role defined in the permission definition module and existing permissions, declaring which resources the role is qualified to operate on; then a relationship is established between the user and the role, so that the user's permissions are controlled indirectly.
In step S4, three verification modes are provided, and an integrated application chooses the one that suits its own permission system or project architecture. All three are integrated in the unified permission SDK:
S401, calling the static methods of the permission SDK: when a user accesses a resource, the application checks the user's permissions by calling static methods that
a. determine whether the user holds one or more given permissions;
b. determine whether the user holds one or more given roles;
c. return all roles of the user under the application;
d. return all permissions of the user under the application (those granted directly and those derived from the user's roles);
S402, verification through Spring annotations;
S403, verification through a filter.
Compared with the prior art, the beneficial effect of the invention is that, starting from the RBAC model, it provides an improved user permission management scheme for multiple applications that differs from existing RBAC-based multi-application permission systems in letting each integrated application define its own roles and permissions.
Drawings
FIG. 1 is a diagram of the permission model of the invention;
FIG. 2 shows the definition of the annotation class in an embodiment;
FIG. 3 is an example, in the embodiment, of annotation-based verification: @PemDeccle is placed on an interface to declare the role or permission a user must hold to access that interface;
FIG. 4 shows the configuration, in the embodiment, performed after the verification SDK has been introduced, taking a Spring MVC project as an example.
Detailed Description
The following describes embodiments of the invention in detail with reference to the accompanying drawings and examples. The examples illustrate the invention and do not limit its scope.
As shown in FIG. 1 to FIG. 4, the user permission management scheme for multiple applications comprises the following:
as shown in FIG. 1, the permission model consists of four parts: user, role, resource and operation;
on the basis of the defined permission model, the basic create, read, update and delete operations on the model are implemented first and packaged as an SDK, through which an application is built and integrated into the unified permission system; once the SDK is ready, the scheme comprises the following steps:
S1, application registration
A new application that wants to use unified permission management must first register and obtain a unique application identifier;
S2, permission definition module
The permission definition module establishes the basic permission content of an application, i.e. its resources, operations and roles. The unified permission system provides a permission management console in which an integrated application defines its own permissions;
S3, authorization module
The authorization module grants users permissions to operate on resources. An integrated application sets a user's permissions through the unified permission management SDK: whenever a permission must be granted, it only needs to call the corresponding SDK method;
S4, permission verification module
The permission verification module decides whether the current user is permitted to perform an operation on a given resource, and is a critical part of the permission control system (this is an authorization decision about a user whose identity has already been established, not identity authentication).
The permission model of the scheme is specifically as follows:
user: the consumer of resources and the holder of permissions;
role: either a role defined uniformly by the system or a role defined by an individual application;
resource: an object to which access is restricted; it may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
In step S2, to meet the differing permission requirements of the applications, the permission management console is designed with the following functions:
S201, application switching: because the console serves many applications, an application administrator must be able to select or switch to the application whose permissions are to be defined. After switching to an application, the administrator can manage only that application's permissions in the console. Application switching thus keeps the permissions of the applications independent of one another, so that each application can design its own permission definition rules;
S202, permission management: convenient viewing, creation, editing and deletion of resources;
S203, role management: definition of application-specific (custom) roles;
S204, role permission management: establishing the relationship between custom roles and permissions;
in addition, an application that does not use the console to define its permissions can build its own independent permission definition function with the unified permission management SDK.
In step S3, to meet the differing requirements of the applications, the unified permission system provides two authorization modes:
S301, a direct mapping between a user and a permission (a resource together with an operation), which records which permissions the user holds;
S302, user-role-permission: first a mapping is established between a role defined in the permission definition module and existing permissions, declaring which resources the role is qualified to operate on; then a relationship is established between the user and the role, so that the user's permissions are controlled indirectly.
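The following Java program is an added example written for this page; it is not the SDK described in the patent, and none of its class or method names come from it. It implements the four-part model of FIG. 1 as an in-memory store keyed by the application identifier obtained in S1, the two authorization modes S301 and S302, and the four lookups that S401 lists (has permission, has role, all roles, all permissions including role-derived ones). The permission key format resource:operation, the application identifiers crm and wiki, the users and the role are constructed for the demonstration.

```java
import java.util.*;

// Added example, not the patent's SDK: an in-memory store for the
// user / role / resource / operation model, scoped by application identifier.
// Class and method names are assumptions; the patent names only the concepts.
public final class PermissionStore {

    // A permission is one operation on one resource, keyed as "resource:operation".
    public record Permission(String resource, String operation) {
        public String key() { return resource + ":" + operation; }
    }

    // Every map is keyed by appId first (S1 registration), so a role or grant
    // defined in one application can never be resolved from another (S201).
    private final Map<String, Map<String, Permission>> permissions = new HashMap<>();      // appId -> key -> Permission (S202)
    private final Map<String, Map<String, Set<String>>> rolePermissions = new HashMap<>(); // appId -> role -> permission keys (S203/S204)
    private final Map<String, Map<String, Set<String>>> userRoles = new HashMap<>();       // appId -> user -> roles (S302)
    private final Map<String, Map<String, Set<String>>> userPermissions = new HashMap<>(); // appId -> user -> permission keys (S301)

    private static Set<String> bucket(Map<String, Map<String, Set<String>>> m, String app, String key) {
        return m.computeIfAbsent(app, a -> new HashMap<>()).computeIfAbsent(key, k -> new HashSet<>());
    }

    // S202: define a permission (resource + operation) for an application.
    public void definePermission(String app, String resource, String operation) {
        Permission p = new Permission(resource, operation);
        permissions.computeIfAbsent(app, a -> new HashMap<>()).put(p.key(), p);
    }

    private void requireDefined(String app, String permKey) {
        if (!permissions.getOrDefault(app, Map.of()).containsKey(permKey))
            throw new IllegalArgumentException("permission " + permKey + " not defined for app " + app);
    }

    // S203/S204: a custom role and its permissions; only permissions defined for this app may be bound.
    public void bindRole(String app, String role, String... permKeys) {
        for (String k : permKeys) requireDefined(app, k);
        bucket(rolePermissions, app, role).addAll(List.of(permKeys));
    }

    // S301: direct user -> permission grant.
    public void grantToUser(String app, String user, String permKey) {
        requireDefined(app, permKey);
        bucket(userPermissions, app, user).add(permKey);
    }

    // S302: user -> role assignment; the role must exist in this application.
    public void assignRole(String app, String user, String role) {
        if (!rolePermissions.getOrDefault(app, Map.of()).containsKey(role))
            throw new IllegalArgumentException("role " + role + " not defined for app " + app);
        bucket(userRoles, app, user).add(role);
    }

    // S401 c: all roles of the user under the application.
    public Set<String> rolesOf(String app, String user) {
        return Set.copyOf(userRoles.getOrDefault(app, Map.of()).getOrDefault(user, Set.of()));
    }

    // S401 d: union of direct grants and role-derived permissions.
    public Set<String> permissionsOf(String app, String user) {
        Set<String> out = new HashSet<>(userPermissions.getOrDefault(app, Map.of()).getOrDefault(user, Set.of()));
        Map<String, Set<String>> roles = rolePermissions.getOrDefault(app, Map.of());
        for (String r : rolesOf(app, user)) out.addAll(roles.getOrDefault(r, Set.of()));
        return Collections.unmodifiableSet(out);
    }

    // S401 a/b: membership checks. An unknown application or user yields false (fail closed).
    public boolean hasPermission(String app, String user, String permKey) {
        return permissionsOf(app, user).contains(permKey);
    }

    public boolean hasRole(String app, String user, String role) {
        return rolesOf(app, user).contains(role);
    }

    public static void main(String[] args) {
        PermissionStore store = new PermissionStore();
        // Constructed data: two registered applications that both define a "manager"
        // role, with different permissions behind the same role name.
        for (String app : List.of("crm", "wiki")) {
            store.definePermission(app, "user", "view");
            store.definePermission(app, "user", "delete");
        }
        store.bindRole("crm", "manager", "user:view", "user:delete");
        store.bindRole("wiki", "manager", "user:view");
        store.assignRole("crm", "alice", "manager");     // S302 in both apps
        store.assignRole("wiki", "alice", "manager");
        store.grantToUser("wiki", "bob", "user:view");   // S301: direct grant, no role

        System.out.println("alice crm  user:delete -> " + store.hasPermission("crm", "alice", "user:delete"));
        System.out.println("alice wiki user:delete -> " + store.hasPermission("wiki", "alice", "user:delete"));
        System.out.println("bob   wiki user:view   -> " + store.hasPermission("wiki", "bob", "user:view"));
        System.out.println("bob   wiki manager?    -> " + store.hasRole("wiki", "bob", "manager"));
        System.out.println("alice wiki permissions -> " + store.permissionsOf("wiki", "alice"));
    }
}
```

The point the example makes is the independence that S201 requires: every map is keyed by application first, so the manager role in crm and the manager role in wiki are unrelated and alice's delete permission in crm does not follow her into wiki. A grant or role binding is rejected unless the permission was defined for that application (S202), and an unknown application or user resolves to an empty permission set rather than an error, so a check on it fails closed.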
In step S4, three verification modes are designed so that a variety of applications can implement the check conveniently; an integrated application chooses the one that suits its own permission system or project architecture. All three are integrated in the unified permission SDK:
S401, calling the static methods of the permission SDK: when a user accesses a resource, the application checks the user's permissions by calling static methods that
a. determine whether the user holds one or more given permissions;
b. determine whether the user holds one or more given roles;
c. return all roles of the user under the application;
d. return all permissions of the user under the application (those granted directly and those derived from the user's roles);
S402, verification through Spring annotations;
the SDK defines a verification annotation whose class definition is shown in FIG. 2;
to use it, the annotation @pemdetail is placed on an interface, declaring the role or permission a user must hold to access that interface, as in the example of FIG. 3;
in that example the user must hold manager to call the /user/get interface;
S403, verification through a filter;
a filter (PemmisionFilter) is configured that defines which access paths require which permissions;
taking a Spring MVC project as an example, after the verification SDK has been introduced the configuration shown in FIG. 4 is applied.
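The two enforcement points S402 and S403, as an added example that is not the patent's code: a runtime annotation checked by reflection before a handler is invoked, and a path-to-permission table consulted by a filter. The names @RequirePermission, Subject and PathPermissionFilter and the rules in the table are assumptions (the patent's own annotation and filter names appear only in its figures), and manager is treated here as a role, matching the /user/get example of FIG. 3. It is plain Java without Spring so that it runs stand-alone; in a Spring MVC project the same two checks would run from a HandlerInterceptor's preHandle and a servlet Filter respectively.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Added example, not the SDK from the patent: the two enforcement points of
// S402 (annotation) and S403 (filter) without any Spring dependency.
// All names here are assumptions made for the demonstration.
public final class EnforcementExample {

    // S402: declarative requirement on a handler method; a permission key
    // (resource:operation) and/or a role may be demanded.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequirePermission {
        String[] permissions() default {};
        String[] roles() default {};
    }

    // What the permission SDK resolved for the current user of this application
    // (the S401 c/d results), attached to the request after identity is established.
    public record Subject(String user, Set<String> roles, Set<String> permissions) {}

    // Annotation-driven check, run before the handler is invoked. Every declared
    // permission and role must be present; an unannotated handler declares nothing.
    public static boolean allowedByAnnotation(Method handler, Subject s) {
        RequirePermission req = handler.getAnnotation(RequirePermission.class);
        if (req == null) return true;
        for (String p : req.permissions()) if (!s.permissions().contains(p)) return false;
        for (String r : req.roles()) if (!s.roles().contains(r)) return false;
        return true;
    }

    // S403: path prefix -> required permission table consulted by a filter.
    // The longest matching prefix wins; a path with no rule is denied (fail closed),
    // so a new endpoint is never exposed by an omission in the table.
    public static final class PathPermissionFilter {
        private static final Comparator<String> LONGEST_FIRST =
            Comparator.comparingInt(String::length).reversed().thenComparing(Comparator.naturalOrder());
        private final TreeMap<String, String> rules = new TreeMap<>(LONGEST_FIRST);

        public PathPermissionFilter require(String pathPrefix, String permission) {
            rules.put(pathPrefix, permission);
            return this;
        }

        public boolean allow(String path, Subject s) {
            for (Map.Entry<String, String> e : rules.entrySet())
                if (path.startsWith(e.getKey())) return s.permissions().contains(e.getValue());
            return false;
        }
    }

    // Handler carrying the requirement from the patent's FIG. 3 example:
    // calling /user/get needs manager.
    @RequirePermission(roles = "manager")
    public String getUser() { return "user record"; }

    public static void main(String[] args) throws Exception {
        Method getUser = EnforcementExample.class.getMethod("getUser");
        // Constructed subjects: a manager and a user with only a direct view grant.
        Subject manager = new Subject("alice", Set.of("manager"), Set.of("user:view", "user:delete"));
        Subject viewer  = new Subject("bob", Set.of(), Set.of("user:view"));
        System.out.println("alice /user/get via annotation -> " + allowedByAnnotation(getUser, manager));
        System.out.println("bob   /user/get via annotation -> " + allowedByAnnotation(getUser, viewer));

        PathPermissionFilter filter = new PathPermissionFilter()
            .require("/user/", "user:view")
            .require("/user/delete", "user:delete");
        System.out.println("bob   /user/list   via filter -> " + filter.allow("/user/list", viewer));
        System.out.println("bob   /user/delete via filter -> " + filter.allow("/user/delete", viewer));
        System.out.println("bob   /report      via filter -> " + filter.allow("/report", viewer));
    }
}
```

Two choices in this example matter for a practitioner. The annotation check trusts only what the SDK resolved for the current user (the Subject), which must be built server-side after the user's identity is established and never from values supplied in the request. The filter table fails closed, so a path without a rule is denied rather than allowed, and the longest matching prefix wins, so /user/delete can demand more than the general /user/ rule.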
The above is only a preferred embodiment of the invention. Those skilled in the art can make several modifications and variations without departing from its technical principle, and such modifications and variations also fall within the scope of protection of the invention.
Claims (5)
1. A user permission management scheme for multiple applications, characterized by comprising the following:
the permission model consists of four parts: user, role, resource and operation;
on the basis of the defined permission model, the basic create, read, update and delete operations on the model are implemented first and packaged as an SDK, through which an application is built and integrated into the unified permission system; once the SDK is ready, the scheme comprises the following steps:
S1, application registration
A new application that wants to use unified permission management must first register and obtain a unique application identifier;
S2, permission definition module
The permission definition module establishes the basic permission content of an application, i.e. its resources, operations and roles. The unified permission system provides a permission management console in which an integrated application defines its own permissions;
S3, authorization module
The authorization module grants users permissions to operate on resources. An integrated application sets a user's permissions through the unified permission management SDK: whenever a permission must be granted, it only needs to call the corresponding SDK method;
S4, permission verification module
The permission verification module decides whether the current user is permitted to perform an operation on a given resource, and is a critical part of the permission control system.
2. The user permission management scheme for multiple applications of claim 1, wherein the permission model is specifically as follows:
user: the consumer of resources and the holder of permissions;
role: either a role defined uniformly by the system or a role defined by an individual application;
resource: an object to which access is restricted; it may be defined by the system or by an application;
operation: an action performed on a resource, such as view, add, modify or delete.
3. The user permission management scheme for multiple applications of claim 2, wherein the permission management console comprises the following functions:
S201, application switching: because the console serves many applications, an application administrator must be able to select or switch to the application whose permissions are to be defined. After switching to an application, the administrator can manage only that application's permissions in the console. Application switching thus keeps the permissions of the applications independent of one another, so that each application can design its own permission definition rules;
S202, permission management: convenient viewing, creation, editing and deletion of resources;
S203, role management: definition of application-specific (custom) roles;
S204, role permission management: establishing the relationship between custom roles and permissions;
in addition, an application that does not use the console to define its permissions can build its own independent permission definition function with the unified permission management SDK.
4. The user permission management scheme for multiple applications of claim 3, wherein in step S3 the unified permission system provides two authorization modes according to the differing requirements of the applications:
S301, a direct mapping between a user and a permission (a resource together with an operation), which records which permissions the user holds;
S302, user-role-permission: first a mapping is established between a role defined in the permission definition module and existing permissions, declaring which resources the role is qualified to operate on; then a relationship is established between the user and the role, so that the user's permissions are controlled indirectly.
5. The user permission management scheme for multiple applications of claim 4, wherein step S4 comprises three verification modes, from which an integrated application selects the one suited to its own permission system or project architecture; the three modes are integrated in the unified permission SDK and are:
S401, calling the static methods of the permission SDK: when a user accesses a resource, the application checks the user's permissions by calling static methods that
a. determine whether the user holds one or more given permissions;
b. determine whether the user holds one or more given roles;
c. return all roles of the user under the application;
d. return all permissions of the user under the application (those granted directly and those derived from the user's roles);
S402, verification through Spring annotations;
S403, verification through a filter.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202011421801.7A CN112528248A (en) | 2020-12-08 | 2020-12-08 | User authority management scheme facing multiple applications
Publications (1)
Publication Number | Publication Date
---|---
CN112528248A true CN112528248A (en) | 2021-03-19
Family ID=74998124
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202011421801.7A Pending CN112528248A (en) | 2020-12-08 | 2020-12-08 | User authority management scheme facing multiple applications
Country Status (1): CN (1) CN112528248A (en)
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113742746A (en) * | 2021-08-27 | 2021-12-03 | 北京航天云路有限公司 | Combined authentication authority management system and method based on annotation realization |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107257337A (en) * | 2017-06-15 | 2017-10-17 | 重庆扬讯软件技术股份有限公司 | A kind of shared authority control method of multiterminal and its system |
CN109117647A (en) * | 2018-07-17 | 2019-01-01 | 众安信息技术服务有限公司 | A kind of the permission control management method and management system of mobile application SDK |
CN109688120A (en) * | 2018-12-14 | 2019-04-26 | 浙江大学 | Based on the dynamic permission management system for improving RBAC model and Spring Security frame |
CN110162960A (en) * | 2019-05-22 | 2019-08-23 | 陕西中达公路技术服务有限公司 | A kind of method for verifying authority based on user management |
CN110197058A (en) * | 2019-04-15 | 2019-09-03 | 杭州恩牛网络技术有限公司 | Unified internal control method for managing security, system, medium and electronic equipment |
CN110445697A (en) * | 2019-08-08 | 2019-11-12 | 杭州阿启视科技有限公司 | Video big data cloud platform equipment access service method |
CN110825362A (en) * | 2019-11-04 | 2020-02-21 | 广东道一信息技术股份有限公司 | Low-code application software development system and method |
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |