CN112615875A - User access control method and device - Google Patents


Info

Publication number
CN112615875A
Authority
CN
China
Prior art keywords
request
user
query
access
blacklist
Prior art date
Legal status
Pending
Application number
CN202011552612.3A
Other languages
Chinese (zh)
Inventor
刘子羿
王程程
马闪闪
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/215 Flow control; Congestion control using token-bucket
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a user access control method and device. The method comprises: receiving a user access request; when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to a data analysis layer; receiving the token query result sent by the data analysis layer; and, when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the access control layer responds by sending a permission query request to a permission module, receives the permission query result sent by the permission module, and rejects the unauthorized access class request when the result is that the user does not hold the target permission. In this way different access controls can be applied to different user access requests, which improves the stability and security of the network application.

Description

User access control method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a user access control method and apparatus.
Background
While an internet application serves its users, access by those users to the server must be limited in order to preserve system stability and application security.
Existing user access controls, however, cannot apply specific access control to a specific user.
Disclosure of Invention
To solve this technical problem, the application provides a user access control method and device that can apply specific access control to a specific user and improve the stability and security of the network application.
To achieve the above purpose, the technical solutions provided by the embodiments of the present application are as follows:
an embodiment of the application provides a user access control method comprising the following steps:
receiving a user access request;
when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request;
responding to the peak period user access request by sending a token query request to a data analysis layer, the token query request causing the data analysis layer to query whether an access token is available in a first target cluster;
receiving the token query result sent by the data analysis layer;
when the token query result is that no token is available, rejecting the peak period user access request;
when the user accesses a restricted function, determining that the type of the user access request is an unauthorized access class request;
responding to the unauthorized access class request by sending a permission query request to a permission module, the permission query request causing the permission module to query whether the first target cluster holds the target permission of the user;
receiving the permission query result sent by the permission module; and
when the permission query result indicates that the user does not hold the target permission, rejecting the unauthorized access class request.
Optionally, the method further comprises:
when the number of accesses by the user per unit time exceeds a preset number, determining that the type of the user access request is an abnormal traffic class request;
responding to the abnormal traffic class request by sending a blacklist query request to a blacklist control layer, the blacklist query request causing the blacklist control layer to query, according to a blacklist in the first target cluster, whether the user is a blacklisted user;
receiving the blacklist query result sent by the blacklist control layer; and
performing access control on the user according to the blacklist query result.
Optionally, performing access control on the user according to the blacklist query result comprises:
when the blacklist query result is that the user is a blacklisted user, rejecting the abnormal traffic class request.
Optionally, performing access control on the user according to the blacklist query result comprises:
when the blacklist query result is that the user is not a blacklisted user, sending a user access message to a second target cluster, so that the data analysis layer consumes the user access message received by the second target cluster and, when it determines that the user's access is abnormal, sends an abnormal user access message back to the second target cluster, whereupon the blacklist control layer consumes the abnormal user access message received by the second target cluster and adds the user to the blacklist; and
once the user has been added to the blacklist, rejecting the abnormal traffic class request.
Optionally, the method further comprises:
when the user accesses a special type of transaction, determining that the type of the user access request is an abnormal behavior class request;
responding to the user access request by sending an abnormal behavior query request to the blacklist control layer, the abnormal behavior query request causing the blacklist control layer to query, according to an abnormal behavior list in the first target cluster, whether the user's behavior is an abnormal behavior in that list;
receiving the abnormal behavior query result sent by the blacklist control layer; and
performing access control on the abnormal behavior class request according to the abnormal behavior query result.
Optionally, performing access control on the abnormal behavior class request according to the abnormal behavior query result comprises:
rejecting the abnormal behavior class request when the abnormal behavior query result indicates that the user's behavior is an abnormal behavior in the abnormal behavior list.
Optionally, performing access control on the abnormal behavior class request according to the abnormal behavior query result comprises:
when the abnormal behavior query result is that the user's behavior is not an abnormal behavior in the abnormal behavior list, sending a user behavior message to the second target cluster, so that the data analysis layer consumes the user behavior message received by the second target cluster and, when it determines that the user's behavior is abnormal, sends an abnormal user behavior message back to the second target cluster, whereupon the blacklist control layer consumes the abnormal user behavior message received by the second target cluster and adds the user to the abnormal behavior list; and
once the user has been added to the abnormal behavior list, rejecting the abnormal behavior class request.
An embodiment of the present application further provides a user access control device comprising:
a first receiving unit configured to receive a user access request;
a first determining unit configured to determine that the type of the user access request is a peak traffic class request when the user access request is received during a peak period;
a first response unit configured to respond to the peak period user access request by sending a token query request to a data analysis layer, the token query request causing the data analysis layer to query whether an access token is available in a first target cluster;
a second receiving unit configured to receive the token query result sent by the data analysis layer;
a first rejecting unit configured to reject the peak period user access request when the token query result is that no token is available;
a second determining unit configured to determine that the type of the user access request is an unauthorized access class request when the user accesses a restricted function;
a second response unit configured to respond to the unauthorized access class request by sending a permission query request to a permission module, the permission query request causing the permission module to query whether the first target cluster holds the target permission of the user;
a third receiving unit configured to receive the permission query result sent by the permission module; and
a second rejecting unit configured to reject the unauthorized access class request when the permission query result is that the user does not hold the target permission.
The above technical solution has the following beneficial effects:
the embodiment of the application provides a user access control method comprising the following steps:
receiving a user access request; when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to the data analysis layer, the token query request causing the data analysis layer to query whether an access token is available in the first target cluster; receiving the token query result sent by the data analysis layer; and, when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the access control layer responds by sending a permission query request to the permission module, the permission query request causing the permission module to query whether the first target cluster holds the target permission of the user; it receives the permission query result sent by the permission module and, when the result is that the user does not hold the target permission, rejects the unauthorized access class request. With the method provided by this embodiment, when the user is a peak period user or a user accessing a restricted function, different access control is applied according to the type of the user access request, which improves the stability and security of the network application.
Drawings
To illustrate the embodiments of the present application or the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings described below show some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a user access control method according to an embodiment of the present application;
fig. 2 is a schematic view illustrating an access control flow for a peak traffic class request according to an embodiment of the present application;
fig. 3 is a schematic view of an access control flow for an unauthorized access type request according to an embodiment of the present application;
fig. 4 is a schematic view of an access control flow for an abnormal traffic class request according to an embodiment of the present application;
fig. 5 is a schematic view of an access control flow for an abnormal behavior class request according to an embodiment of the present application;
fig. 6 is a schematic diagram of a user access control device according to an embodiment of the present application.
Detailed Description
To make the above objects, features and advantages of the present application more comprehensible, embodiments are described in detail below with reference to the drawings.
To facilitate understanding of the technical solutions provided by the embodiments of the present application, their background is described first.
With the development of the modern internet, hardware and software technology are continuously updated. An internet application service exposed on the internet generally faces the following scenarios, given complex customer environments and customer operations:
(1) Traffic peaks. During commodity promotions, enterprise campaigns and similar events, customer access is far higher than usual. During such peak periods the enterprise servers are under heavy load, and access to certain unimportant interfaces needs to be controlled so that the load they impose is shed and the service capacity of key functions is preserved.
(2) Customer access rights control. Enterprises often offer diversified services to various users; some services are universal, but others are offered only to specific customer groups. Identifying and controlling the set of access rights of a customer, and thereby limiting the range of interfaces the user can access, is the key to this function.
On this basis, an embodiment of the present application provides a user access control method comprising: receiving a user access request; when the user access request is a peak period user access request, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to the data analysis layer, the token query request causing the data analysis layer to query whether an access token is available in the first target cluster; receiving the token query result sent by the data analysis layer; and, when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the access control layer responds by sending a permission query request to the permission module, the permission query request causing the permission module to query whether the first target cluster holds the target permission of the user; it receives the permission query result sent by the permission module and, when the result is that the user does not hold the target permission, rejects the unauthorized access class request.
To facilitate understanding of the technical solutions provided by the embodiments, the user access control method is described below with reference to the drawings. It should be noted that the method can be applied to the access control layer of an internet application with a B/S (browser/server) architecture. Referring to fig. 1, fig. 1 is a flowchart of a user access control method according to an embodiment of the present application. As shown in fig. 1, the method may include S101-S109:
S101: Receive a user access request.
When a user sends an access request through an interface, the access control layer receives the user access request.
It should be noted that different users produce different types of access request, such as peak traffic class requests and unauthorized access class requests. The server's access control layer performs unified access control over all of them.
An interface (or web site interface) is a tool that an enterprise deploys on a server to accept customer requests and provide services to customers. Generally, a customer-facing interface provides one specific service function.
S102: When the user access request is received in a peak period, determine that the type of the user access request is a peak traffic class request.
When the user sends an access request during the peak traffic period, the type of that user access request is determined to be a peak traffic class request. Referring to fig. 2, fig. 2 is a schematic view of the access control flow for a peak traffic class request according to an embodiment of the present application. As shown in fig. 2, peak period users access the access control layer.
S103: Respond to the peak period user access request by sending a token query request to the data analysis layer; the token query request causes the data analysis layer to query whether an access token is available in the first target cluster.
The access control layer responds to the peak period user access request by checking the system load and sending a token query request to the data analysis layer. The token query request causes the data analysis layer to query whether an access token is available in the first target cluster. As shown in fig. 2, the access control layer sends a token check request to the data analysis layer.
In some embodiments, the first target cluster is a Redis cluster. The Redis cluster provides efficient reads and writes and stores the data used during user access control, such as user marks, permission data and access tokens.
The data analysis layer analyzes user behavior and judges whether a user's access or operation is abnormal.
S104: Receive the token query result sent by the data analysis layer.
The access control layer receives the token query result sent by the data analysis layer.
After the data analysis layer receives the token query request sent by the access control layer, it computes over the data in the first target cluster, for example the Redis cluster, derives the token query result from that computation, and sends the result to the access control layer.
S105: When the token query result is that no token is available, reject the peak period user access request.
When the data analysis layer computes over the data in the first target cluster, such as the Redis cluster, and finds that no token is available, the token query result is "no available token" and the access control layer rejects the user's peak period access request. As shown in fig. 2, the access control layer receives the token query result "no available token" from the data analysis layer and denies the user's access request.
Through this operation, the token bucket algorithm limits peak traffic and achieves peak clipping. Token bucket flow control is flow control by means of a virtual token bucket: the system produces tokens for a client at a constant rate and places them in the bucket until the bucket is full. When the user sends a service request, a token in the bucket is consumed: if the bucket holds no token the request is rejected; if it holds a token, one token is consumed and the request is accepted.
S106: When the user accesses a restricted function, determine that the type of the user access request is an unauthorized access class request.
When the user accesses a restricted function, the type of that user access request is determined to be an unauthorized access class request. As an example, restricted functions are functions offered only to a particular customer group. Referring to fig. 3, fig. 3 is a schematic view of the access control flow for an unauthorized access class request according to an embodiment of the present application. As shown in fig. 3, the user accesses a restricted function through the access control layer.
S107: Respond to the unauthorized access class request by sending a permission query request to the permission module; the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user.
The access control layer responds to the unauthorized access class request by sending a permission query request to the permission module; the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user. As shown in fig. 3, the access control layer sends the permission query request to the permission module so that the permission module checks whether the user has permission to access the restricted function.
The permission module is responsible for checking user permissions.
S108: Receive the permission query result sent by the permission module.
The access control layer receives the permission query result sent by the permission module.
S109: When the permission query result is that the user does not hold the target permission, reject the unauthorized access class request.
When the permission query result received from the permission module shows that the user does not hold the target permission, the access control layer rejects the user's unauthorized access class request. Referring to fig. 3, when the permission module's result is that the user has no permission to access the restricted function, the access control layer denies the user's access request.
The target permission of the user is generated after the user logs in through the user module and is stored in the first target cluster, for example a Redis cluster.
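The S101-S109 flow in working form, as an added Python example that is not code from the patent or from the assignee: the Redis cluster is replaced by an in-memory stand-in, the peak window, the bucket rate and capacity, the restricted function names and the user names are all assumptions, and the per-client token bucket is the one described under S105, refilled lazily from the elapsed time rather than by a timer. The permission check fails closed: a user with no permission entry at all (never logged in, session expired, entry evicted) is denied.

```python
from dataclasses import dataclass, field

# Assumed names of functions that are offered only to particular customer groups.
RESTRICTED_FUNCTIONS = {"wealth_product_subscribe", "vip_fx_quote"}


class TokenBucket:
    """Token bucket as described under S105: tokens accrue at a constant `rate`
    (tokens per time unit) up to `capacity`; each request consumes one token and
    is rejected when the bucket is empty. Refill is computed from the elapsed time,
    so no background timer is needed, and the clock is passed in for testability."""

    def __init__(self, rate, capacity, now):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)  # a fresh bucket starts full
        self.updated = now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.updated)  # guard against a clock stepping backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class FirstTargetCluster:
    """Stand-in for the Redis cluster: permission data written by the user module
    at login, and one token bucket per client for peak-period flow control."""
    permissions: dict = field(default_factory=dict)  # user -> set of permissions
    buckets: dict = field(default_factory=dict)      # user -> TokenBucket

    def login(self, user, permissions):
        self.permissions[user] = set(permissions)

    def logout(self, user):
        self.permissions.pop(user, None)


class DataAnalysisLayer:
    """Answers the token query of S103/S104 against the bucket kept in the cluster."""

    def __init__(self, cluster, rate=1.0, capacity=5):
        self.cluster, self.rate, self.capacity = cluster, rate, capacity

    def token_available(self, user, now):
        bucket = self.cluster.buckets.get(user)
        if bucket is None:
            bucket = self.cluster.buckets[user] = TokenBucket(self.rate, self.capacity, now)
        return bucket.try_consume(now)


class PermissionModule:
    """Answers the permission query of S107/S108."""

    def __init__(self, cluster):
        self.cluster = cluster

    def has_permission(self, user, function):
        # Fail closed: no entry for the user means no permission.
        return function in self.cluster.permissions.get(user, set())


class AccessControlLayer:
    """S101-S109: classify the request and consult the two back ends."""

    def __init__(self, cluster, peak_windows):
        self.analysis = DataAnalysisLayer(cluster)
        self.permission = PermissionModule(cluster)
        self.peak_windows = peak_windows  # list of (start, end) in the same units as `now`

    def in_peak(self, now):
        return any(start <= now < end for start, end in self.peak_windows)

    def handle(self, user, function, now):
        """Return 'accept' or a 'reject: ...' string for one user access request."""
        # S102-S105: peak traffic class request -> token query; reject when no token.
        if self.in_peak(now) and not self.analysis.token_available(user, now):
            return "reject: no token available (peak period)"
        # S106-S109: unauthorized access class request -> permission query; reject when missing.
        if function in RESTRICTED_FUNCTIONS and not self.permission.has_permission(user, function):
            return "reject: no permission for restricted function"
        return "accept"


if __name__ == "__main__":
    cluster = FirstTargetCluster()
    cluster.login("alice", {"vip_fx_quote"})
    acl = AccessControlLayer(cluster, peak_windows=[(100.0, 200.0)])
    for t in (10.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 102.0):
        print(t, acl.handle("alice", "balance", t))
    print(acl.handle("alice", "vip_fx_quote", 10.0), acl.handle("bob", "vip_fx_quote", 10.0))
```

Two properties of this design matter in deployment. A bucket of capacity N admits a burst of N requests before the constant rate takes over, so the capacity, not only the rate, bounds the load a client can place on an interface during the peak. And when several access control instances share one Redis cluster, the read-refill-decrement of the bucket has to be atomic (for example in a server-side Lua script run with EVAL) or two instances can both hand out the last token.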
In addition to the two types of user access request described above, user access may occur in the following situations:
(1) Abnormal customer access traffic. Besides normal customers, web crawlers (tools that download enterprise server content in bulk) and the like may make abnormal web accesses. A web crawler often downloads and copies the content provided by the enterprise server in batches and creates a large number of network requests of no value to the enterprise. It not only occupies the enterprise's bandwidth and server resources, but the downloaded content may also be used for illegal purposes such as a counterfeit (phishing) website. Enterprises need to detect and control this.
(2) Abnormal customer behavior control. Not all visitors are law-abiding users; some may attempt to attack the internet application for profit. For example, an attacker may try to take over another user's account by brute-force cracking, or reuse a coupon by a replay attack; such behavior also requires interface-level checking and access control.
For these two kinds of user access request, the embodiments of the present application also provide the following method applied to the access control layer.
On the one hand, when the number of accesses by the user per unit time exceeds a preset number, the type of the user access request is determined to be an abnormal traffic class request;
the access control layer responds to the abnormal traffic class request by sending a blacklist query request to the blacklist control layer; the blacklist query request causes the blacklist control layer to query, according to the blacklist in the first target cluster, whether the user is a blacklisted user;
the access control layer receives the blacklist query result sent by the blacklist control layer;
and performs access control on the user according to the blacklist query result.
In a specific implementation, performing access control on the user according to the blacklist query result comprises the following steps:
when the blacklist query result is that the user is a blacklisted user, rejecting the abnormal traffic class request;
when the blacklist query result is that the user is not a blacklisted user, sending a user access message to the second target cluster, so that the data analysis layer consumes the user access message received by the second target cluster and, when it determines that the user's access is abnormal, sends an abnormal user access message back to the second target cluster, whereupon the blacklist control layer consumes the abnormal user access message received by the second target cluster and adds the user to the blacklist;
and, once the user has been added to the blacklist, rejecting the abnormal traffic class request.
The second target cluster is, as an example, a Kafka cluster, which can produce and consume messages at large scale; in the flow control it receives and broadcasts messages of the types "user access", "user behavior", "abnormal user" and so on. The preset number is chosen according to the actual situation, for example fifty thousand times per hour.
The blacklist control layer records and marks restricted users or restricted user behaviors.
When processing user access requests, the server may also use other resources of the first target cluster and the second target cluster, for example the Redis cluster and the Kafka cluster, which is efficient.
In a specific application, referring to fig. 4, fig. 4 is a schematic view of the access control flow for an abnormal traffic class request according to an embodiment of the present application. As shown in fig. 4:
1. When a user from a specific IP (or with a specific device serial number) continuously accesses the server application and sends access requests to an interface, the user request is determined to be an abnormal traffic class request.
2. The traffic access layer checks whether the IP (or device) is blacklisted. The traffic access layer comprises the access control layer and the blacklist control layer.
Specifically, A-1: on receiving a request, the access control layer asynchronously sends a "user access" type message to the Kafka cluster.
A-2: the data analysis layer runs a daemon process that continuously consumes and analyzes "user access" type messages. A daemon process is a process that runs in the background of the system to perform a specific task.
B-1: when the data analysis layer finds that a user's access is abnormal, it pushes an "abnormal user" message to the Kafka cluster.
B-2: the blacklist control layer runs a daemon process that continuously consumes "abnormal user" messages and, for each message consumed, marks the corresponding user (i.e. IP or client) as an abnormal user.
3. If the access control layer finds that the user's IP has been marked as blacklisted, the request is denied.
On the other hand, when the user accesses the special type transaction, determining the type of the user access request as an abnormal behavior type request;
responding to the user access request, and sending an abnormal behavior query request to a blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query whether the user behavior is an abnormal behavior in the abnormal behavior list according to the abnormal behavior list in the first target cluster;
receiving an abnormal behavior query request result sent by a blacklist control layer;
and according to the abnormal behavior query request result, performing access control on the abnormal behavior request.
In a specific implementation, performing access control on the abnormal behavior request according to the result of the abnormal behavior query request comprises the following steps:
and rejecting the abnormal behavior request when the abnormal behavior query request result indicates that the behavior of the user is the abnormal behavior in the abnormal behavior list.
When the abnormal behavior query request result indicates that the user behavior is not an abnormal behavior in the abnormal behavior list, sending a user behavior message to a second target cluster, so that the data analysis layer consumes the user behavior message received by the second target cluster and, when the user behavior is determined to be abnormal, sends an abnormal user behavior message back to the second target cluster; the blacklist control layer then consumes the abnormal user behavior message received by the second target cluster and adds the user to the abnormal behavior list;
and when the user is added into the abnormal behavior list, rejecting the abnormal behavior request.
In a specific application, referring to fig. 5, which is a schematic view of the access control flow for an abnormal behavior class request according to an embodiment of the present application, the flow is as follows:
1. The user sends an access request through the interface, attempting to access a high-risk transaction.
2. The traffic access layer checks whether this user's action of accessing the high-risk transaction is blacklisted.
Specifically, A-1: the access control layer, upon receiving a request, asynchronously sends a "user behavior" type message to the Kafka cluster.
A-2: the data analysis layer will start a daemon process, continuously consume the "user behavior" type messages, and perform analysis.
B-1: when the data analysis layer finds that the access of one user is abnormal, an 'abnormal user behavior' message is pushed to the Kafka cluster.
B-2: the blacklist control layer starts a daemon process that continuously consumes 'abnormal user behavior' messages, and marks the corresponding user behavior as forbidden each time one 'abnormal user behavior' message is consumed.
3. If the user's behavior is found to have been marked as forbidden, the request is denied.
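The asynchronous pipelines of figs. 4 and 5, as an added in-memory simulation that is not the patent's own code: the access control layer classifies each request and looks up the blacklist control layer's lists synchronously, while the data analysis and blacklist control daemons consume messages off a bus. The StateStore and MessageBus classes stand in for the Redis and Kafka clusters, and the topic names, thresholds and the set of "special type" (high-risk) transactions are assumptions.

```python
# Added simulation of the figs. 4/5 pipeline; Redis/Kafka replaced by in-memory stand-ins.
from collections import defaultdict, deque

ACCESS_LIMIT = 5        # assumed: hits per window before a request is "abnormal traffic class"
ANALYSIS_LIMIT = 8      # assumed: hits per window before data analysis flags the IP
HIGH_RISK_TX = {"wire_transfer"}   # assumed "special type" transactions (fig. 5)
BEHAVIOR_LIMIT = 2      # assumed: high-risk attempts per window before the behavior is forbidden

class StateStore:
    """Stand-in for the first target cluster (Redis): the two lists it holds."""
    def __init__(self):
        self.blacklist = set()   # IPs marked abnormal (fig. 4, step B-2)
        self.forbidden = set()   # (ip, tx) pairs marked forbidden (fig. 5, step B-2)

class MessageBus:
    """Stand-in for the second target cluster (Kafka): one FIFO per topic."""
    def __init__(self):
        self.topics = defaultdict(deque)

    def publish(self, topic, msg):
        self.topics[topic].append(msg)

    def drain(self, topic):
        while self.topics[topic]:
            yield self.topics[topic].popleft()

class AccessControlLayer:
    """Classifies the request, queries the store synchronously, publishes the async message (A-1)."""
    def __init__(self, store, bus):
        self.store, self.bus, self.hits = store, bus, defaultdict(int)

    def handle(self, ip, tx, window):
        self.hits[(ip, window)] += 1
        if tx in HIGH_RISK_TX:                          # fig. 5: abnormal behavior class
            if (ip, tx) in self.store.forbidden:        # step 3: behavior already forbidden
                return ("abnormal_behavior", "deny")
            self.bus.publish("user_behavior", {"ip": ip, "tx": tx, "window": window})
            return ("abnormal_behavior", "allow")
        if self.hits[(ip, window)] > ACCESS_LIMIT:      # fig. 4: abnormal traffic class
            if ip in self.store.blacklist:              # step 3: IP already blacklisted
                return ("abnormal_traffic", "deny")
            self.bus.publish("user_access", {"ip": ip, "window": window})
            return ("abnormal_traffic", "allow")
        self.bus.publish("user_access", {"ip": ip, "window": window})
        return ("normal", "allow")

class DataAnalysisLayer:
    """Daemon of steps A-2/B-1: counts messages per window, pushes one alert when a limit is reached."""
    def __init__(self, bus):
        self.bus, self.counts = bus, defaultdict(int)

    def run_once(self):
        for m in self.bus.drain("user_access"):
            key = ("access", m["ip"], m["window"])
            self.counts[key] += 1
            if self.counts[key] == ANALYSIS_LIMIT:      # == so the alert is pushed only once
                self.bus.publish("abnormal_user", {"ip": m["ip"]})
        for m in self.bus.drain("user_behavior"):
            key = ("behavior", m["ip"], m["tx"], m["window"])
            self.counts[key] += 1
            if self.counts[key] == BEHAVIOR_LIMIT:
                self.bus.publish("abnormal_user_behavior", {"ip": m["ip"], "tx": m["tx"]})

class BlacklistControlLayer:
    """Daemon of step B-2: marks the IP, or the (ip, tx) behavior, as forbidden."""
    def __init__(self, store, bus):
        self.store, self.bus = store, bus

    def run_once(self):
        for m in self.bus.drain("abnormal_user"):
            self.store.blacklist.add(m["ip"])
        for m in self.bus.drain("abnormal_user_behavior"):
            self.store.forbidden.add((m["ip"], m["tx"]))

def simulate(requests):
    """Run (ip, tx, window) requests through the three layers. The daemons run after each
    request, so a burst is served until the lists catch up: the price of an async design."""
    store, bus = StateStore(), MessageBus()
    acl = AccessControlLayer(store, bus)
    analysis, blctl = DataAnalysisLayer(bus), BlacklistControlLayer(store, bus)
    decisions = []
    for ip, tx, window in requests:
        decisions.append(acl.handle(ip, tx, window))
        analysis.run_once()
        blctl.run_once()
    return decisions, store

if __name__ == "__main__":   # constructed sample: a burst from one IP, then repeated high-risk attempts
    print(simulate([("10.0.0.1", "query", 1)] * 10 + [("10.0.0.2", "wire_transfer", 1)] * 3)[0])
```

Two properties of the flow as described are visible in the run: the first requests of a burst are served before the daemons mark the IP, and because the blacklist is only consulted for requests already classified as abnormal traffic, a marked IP that stays under the classification threshold in a later window is never checked against it.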
It should be noted that, by controlling the different access requests of a user as described above, peak access, abnormal traffic access, restricted access, abnormal behavior access and the like can be identified and limited without affecting normal service processing, meeting the access control requirements of internet applications. In addition, the problem that existing development frameworks such as SpringBoot cannot impose specially customized access restrictions on specific users and specific interfaces is solved: authority verification, access control and the like for specific IPs (or specific equipment serial numbers) and specific interfaces are realized, and the Redis clusters and Kafka clusters that internet applications commonly already have can be used effectively. Moreover, a different access count can be set for each interface, for example 10000 times per second for the query interface and 5000 times per second for the dynamic account interface, which increases the flexibility of interface configuration.
The user access control method provided by the embodiment of the application comprises the following steps: receiving a user access request; when the user access request is a request received in a peak period, determining that the type of the user access request is a peak traffic type request; responding to the peak period user access request by sending a token query request to the data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether the first target cluster has an access token; receiving the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a limited function, the type of the user access request is determined to be an unauthorized access request; the unauthorized access request is responded to by sending an authority query request to the authority module, wherein the authority query request is used for enabling the authority module to query whether the first target cluster has the target authority of the user; the authority query request result sent by the authority module is received; and when the result of the authority query request is that the target authority of the user does not exist, the unauthorized access request is rejected. By the method provided by the embodiment of the application, when the user is a peak period user or a user accessing a limited function, different access control can be performed according to the different user access requests, and the stability and the safety of the network application are improved.
Referring to fig. 6, fig. 6 is a schematic diagram of a user access control device according to an embodiment of the present application, where the device includes:
a first receiving unit 601, configured to receive a user access request;
a first determining unit 602, configured to determine that the type of the user access request is a peak traffic class request, when the user access request is a request received during a peak period;
a first response unit 603, configured to respond to the peak user access request, and send a token query request to a data analysis layer, where the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
a second receiving unit 604, configured to receive a token query result sent by the data analysis layer;
a first rejecting unit 605, configured to reject the peak period user access request when the token query result is that no token is available;
a second determining unit 606, configured to determine, when the user accesses the restricted function, that the type of the user access request is an unauthorized access type request;
a second response unit 607, configured to respond to the unauthorized access type request and send an authority query request to the authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
a third receiving unit 608, configured to receive a result of the permission query request sent by the permission module;
a second rejecting unit 609, configured to reject the unauthorized access request when the result of the permission query request is that the target permission of the user does not exist.
Optionally, in some implementations of this embodiment, the apparatus further includes:
a third determining unit, configured to determine that the type of the user access request is an abnormal traffic type request when the number of accesses by the user within a unit time exceeds a preset number;
a third response unit, configured to send a blacklist query request to a blacklist control layer in response to the abnormal traffic class request; the blacklist query request is used for enabling the blacklist control layer to query whether the user is the blacklist user according to a blacklist in a first target cluster;
a fourth receiving unit, configured to receive a result of the blacklist query request sent by the blacklist control layer;
and the first control unit is used for carrying out access control on the user according to the result of the blacklist query request.
Optionally, in some implementations of this embodiment, the first control unit includes:
and the first rejection subunit is configured to reject the abnormal traffic class request when the result of the blacklist query request is that the user is a blacklist user.
Optionally, in some implementations of this embodiment, the first control unit includes:
a first sending subunit, configured to send, when the result of the blacklist query request is that the user is not a blacklist user, a user access message to a second target cluster, so that the data analysis layer consumes the user access message received by the second target cluster, and when it is determined that the user access is abnormal, send an abnormal user access message back to the second target cluster, and then make the blacklist control layer consume the abnormal user access message received by the second target cluster, and add the user to the blacklist;
and the second rejection subunit is used for rejecting the abnormal traffic class request when the user is added into the blacklist.
Optionally, in some implementations of this embodiment, the apparatus further includes:
the fourth determining unit is used for determining the type of the user access request as an abnormal behavior type request when the user accesses a special type transaction;
the fourth response unit is used for responding to the user access request and sending an abnormal behavior query request to the blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query whether the user behavior is an abnormal behavior in the abnormal behavior list according to the abnormal behavior list in the first target cluster;
a fifth receiving unit, configured to receive an abnormal behavior query request result sent by the blacklist control layer;
and the second control unit is used for performing access control on the abnormal behavior request according to the abnormal behavior query request result.
Optionally, in some implementations of this embodiment, the second control unit includes:
a third rejecting subunit, configured to reject the abnormal behavior class request when the result of the abnormal behavior query request is that the behavior of the user is an abnormal behavior in the abnormal behavior list.
Optionally, in some implementations of this embodiment, the second control unit includes:
a second sending subunit, configured to send a user behavior message to a second target cluster when the abnormal behavior query request result indicates that the behavior of the user is not an abnormal behavior in the abnormal behavior list, so that the data analysis layer consumes the user behavior message received by the second target cluster, and when it is determined that the user behavior is abnormal, send an abnormal user behavior message back to the second target cluster, and then cause the blacklist control layer to consume the abnormal user behavior message received by the second target cluster, and add the user to the abnormal behavior list;
and the fourth rejecting subunit is used for rejecting the abnormal behavior class request when the user is added into the abnormal behavior list.
The embodiment of the application provides a user access control device, which receives a user access request; when the user access request is a request received in a peak period, determines that the type of the user access request is a peak traffic type request; responds to the peak period user access request by sending a token query request to the data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether the first target cluster has an access token; receives the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejects the peak period user access request. When the user accesses a limited function, the device determines the type of the user access request to be an unauthorized access request; responds to the unauthorized access request by sending an authority query request to the authority module, wherein the authority query request is used for enabling the authority module to query whether the first target cluster has the target authority of the user; receives the authority query request result sent by the authority module; and when the result of the authority query request is that the target authority of the user does not exist, rejects the unauthorized access request. By the device provided by the embodiment of the application, when the user is a peak period user or a user accessing a limited function, different access control can be performed according to the different user access requests, and the stability and the safety of the network application are improved.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The method disclosed by the embodiment corresponds to the system disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the system part for description.
It should also be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method for user access control, the method comprising:
receiving a user access request;
when the user access request is a request received in a peak period, determining that the type of the user access request is a peak traffic type request;
responding to the peak period user access request, and sending a token query request to a data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
receiving a token query result sent by the data analysis layer;
when the token query result is that no token is available, rejecting the peak period user access request;
when the user accesses a limited function, determining the type of the user access request as an unauthorized access request;
responding to the unauthorized access request, and sending an authority inquiry request to an authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
receiving an authority inquiry request result sent by the authority module;
and when the permission query request result indicates that the target permission of the user does not exist, rejecting the unauthorized access request.
2. The method of claim 1, further comprising:
when the number of accesses by the user in a unit time exceeds a preset number, determining the type of the user access request as an abnormal traffic request;
responding to the abnormal traffic request, and sending a blacklist query request to a blacklist control layer; the blacklist query request is used for enabling the blacklist control layer to query whether the user is the blacklist user according to a blacklist in a first target cluster;
receiving a blacklist query request result sent by the blacklist control layer;
and performing access control on the user according to the result of the blacklist query request.
3. The method of claim 2, wherein the performing access control on the user according to the result of the blacklist query request comprises:
and when the result of the blacklist query request is that the user is a blacklist user, rejecting the abnormal traffic class request.
4. The method of claim 2, wherein the performing access control on the user according to the result of the blacklist query request comprises:
when the result of the blacklist query request is that the user is not a blacklist user, sending a user access message to a second target cluster so that the data analysis layer consumes the user access message received by the second target cluster, and when the user access is determined to be abnormal, sending an abnormal user access message back to the second target cluster, and then enabling the blacklist control layer to consume the abnormal user access message received by the second target cluster and adding the user into the blacklist;
and when the user is added into the blacklist, rejecting the abnormal traffic class request.
5. The method of claim 1, further comprising:
when the user accesses a special type transaction, determining the type of the user access request as an abnormal behavior request;
responding to the user access request, and sending an abnormal behavior query request to a blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query whether the user behavior is an abnormal behavior in the abnormal behavior list according to the abnormal behavior list in the first target cluster;
receiving an abnormal behavior query request result sent by the blacklist control layer;
and performing access control on the abnormal behavior request according to the abnormal behavior query request result.
6. The method according to claim 5, wherein the performing access control on the abnormal behavior class request according to the result of the abnormal behavior query request includes:
and rejecting the abnormal behavior request when the abnormal behavior query request result indicates that the user behavior is the abnormal behavior in the abnormal behavior list.
7. The method according to claim 5, wherein the performing access control on the user according to the abnormal behavior query request result comprises:
when the abnormal behavior query request result is that the user behavior is not the abnormal behavior in the abnormal behavior list, sending a user behavior message to a second target cluster so that the data analysis layer consumes the user behavior message received by the second target cluster and, when the user behavior is determined to be abnormal, sends an abnormal user behavior message back to the second target cluster, then enabling the blacklist control layer to consume the abnormal user behavior message received by the second target cluster and add the user to the abnormal behavior list;
and when the user is added into the abnormal behavior list, rejecting the abnormal behavior class request.
8. A user access control apparatus, characterized in that the apparatus comprises:
a first receiving unit, configured to receive a user access request;
a first determining unit, configured to determine that the type of the user access request is a peak traffic class request, when the user access request is a request received during a peak period;
a first response unit, configured to respond to the peak user access request, and send a token query request to a data analysis layer, where the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
the second receiving unit is used for receiving the token query result sent by the data analysis layer;
a first rejecting unit, configured to reject the peak period user access request when the token query result is that no token is available;
the second determining unit is used for determining the type of the user access request as an unauthorized access request when the user accesses a limited function;
the second response unit is used for responding to the unauthorized access request and sending an authority inquiry request to the authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
the third receiving unit is used for receiving the authority inquiry request result sent by the authority module;
and the second refusing unit is used for refusing the unauthorized access request when the result of the authority inquiry request is that the target authority of the user does not exist.
CN202011552612.3A 2020-12-24 2020-12-24 User access control method and device Pending CN112615875A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011552612.3A CN112615875A (en) 2020-12-24 2020-12-24 User access control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011552612.3A CN112615875A (en) 2020-12-24 2020-12-24 User access control method and device

Publications (1)

Publication Number Publication Date
CN112615875A true CN112615875A (en) 2021-04-06

Family

ID=75245498

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011552612.3A Pending CN112615875A (en) 2020-12-24 2020-12-24 User access control method and device

Country Status (1)

Country Link
CN (1) CN112615875A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113315637A (en) * 2021-05-31 2021-08-27 中国农业银行股份有限公司 Security authentication method, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137111A (en) * 2011-04-20 2011-07-27 北京蓝汛通信技术有限责任公司 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server
CN108418821A (en) * 2018-03-06 2018-08-17 北京焦点新干线信息技术有限公司 Redis and Kafka-based high-concurrency scene processing method and device for online shopping system
CN112118237A (en) * 2020-09-04 2020-12-22 紫光云(南京)数字技术有限公司 Resource access management method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210406)