CN112615875A - User access control method and device - Google Patents
- Publication number: CN112615875A (application number CN202011552612.3A)
- Authority: CN (China)
- Prior art keywords: request, user, query, access, blacklist
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
      - H04L47/00—Traffic control in data switching networks
        - H04L47/10—Flow control; Congestion control
          - H04L47/215—Flow control; Congestion control using token-bucket
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
            - H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses a user access control method and device. The method comprises the following steps: receiving a user access request; when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to a data analysis layer; receiving the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the unauthorized access request is responded to by sending a permission query request to a permission module; the permission query result sent by the permission module is received; and when the permission query result is that the target permission of the user does not exist, the unauthorized access request is rejected. By this method, different access control can be applied according to the different types of user access request, and the stability and security of the network application are improved.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a user access control method and apparatus.
Background
While internet applications serve users, user access to the server must be limited for the sake of system stability or application security.
Currently, existing user access controls cannot apply specific access control to specific users.
Disclosure of Invention
To solve this technical problem, the present application provides a user access control method and device that can apply specific access control to specific users and improve the stability and security of network applications.
To achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
An embodiment of the present application provides a user access control method, which comprises the following steps:
receiving a user access request;
when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request;
responding to the peak period user access request by sending a token query request to a data analysis layer, where the token query request causes the data analysis layer to query whether an access token exists in a first target cluster;
receiving the token query result sent by the data analysis layer;
when the token query result is that no token is available, rejecting the peak period user access request;
when the user accesses a restricted function, determining that the type of the user access request is an unauthorized access class request;
responding to the unauthorized access request by sending a permission query request to a permission module, where the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user;
receiving the permission query result sent by the permission module;
and when the permission query result indicates that the target permission of the user does not exist, rejecting the unauthorized access request.
Optionally, the method further includes:
when the number of accesses by the user in a unit of time exceeds a preset number, determining that the type of the user access request is an abnormal traffic class request;
responding to the abnormal traffic request by sending a blacklist query request to a blacklist control layer, where the blacklist query request causes the blacklist control layer to query, according to a blacklist in the first target cluster, whether the user is a blacklisted user;
receiving the blacklist query result sent by the blacklist control layer;
and performing access control on the user according to the blacklist query result.
Optionally, performing access control on the user according to the blacklist query result includes:
when the blacklist query result is that the user is a blacklisted user, rejecting the abnormal traffic class request.
Optionally, performing access control on the user according to the blacklist query result includes:
when the blacklist query result is that the user is not a blacklisted user, sending a user access message to a second target cluster, so that the data analysis layer consumes the user access message received by the second target cluster and, when it determines that the user's access is abnormal, sends an abnormal user access message back to the second target cluster; the blacklist control layer then consumes the abnormal user access message received by the second target cluster and adds the user to the blacklist;
and when the user has been added to the blacklist, rejecting the abnormal traffic class request.
Optionally, the method further includes:
when the user accesses a special type of transaction, determining that the type of the user access request is an abnormal behavior class request;
responding to the user access request by sending an abnormal behavior query request to the blacklist control layer, where the abnormal behavior query request causes the blacklist control layer to query, according to an abnormal behavior list in the first target cluster, whether the user behavior is an abnormal behavior in that list;
receiving the abnormal behavior query result sent by the blacklist control layer;
and performing access control on the abnormal behavior request according to the abnormal behavior query result.
Optionally, performing access control on the abnormal behavior class request according to the abnormal behavior query result includes:
rejecting the abnormal behavior request when the abnormal behavior query result indicates that the user behavior is an abnormal behavior in the abnormal behavior list.
Optionally, performing access control on the user according to the abnormal behavior query result includes:
when the abnormal behavior query result is that the user behavior is not an abnormal behavior in the abnormal behavior list, sending a user behavior message to the second target cluster, so that the data analysis layer consumes the user behavior message received by the second target cluster and, when it determines that the user behavior is abnormal, sends an abnormal user behavior message back to the second target cluster; the blacklist control layer then consumes the abnormal user behavior message received by the second target cluster and adds the user to the abnormal behavior list;
and when the user has been added to the abnormal behavior list, rejecting the abnormal behavior class request.
An embodiment of the present application further provides a user access control device, which includes:
a first receiving unit, configured to receive a user access request;
a first determining unit, configured to determine that the type of the user access request is a peak traffic class request when the user access request is received during a peak period;
a first response unit, configured to respond to the peak period user access request by sending a token query request to a data analysis layer, where the token query request causes the data analysis layer to query whether an access token exists in a first target cluster;
a second receiving unit, configured to receive the token query result sent by the data analysis layer;
a first rejecting unit, configured to reject the peak period user access request when the token query result is that no token is available;
a second determining unit, configured to determine that the type of the user access request is an unauthorized access class request when the user accesses a restricted function;
a second response unit, configured to respond to the unauthorized access request by sending a permission query request to a permission module, where the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user;
a third receiving unit, configured to receive the permission query result sent by the permission module;
and a second rejecting unit, configured to reject the unauthorized access request when the permission query result is that the target permission of the user does not exist.
According to the technical solution above, the method has the following beneficial effects:
An embodiment of the present application provides a user access control method, which comprises the following steps:
receiving a user access request; when the user access request is received in a peak period, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to the data analysis layer, where the token query request causes the data analysis layer to query whether the first target cluster has an access token; receiving the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the unauthorized access request is responded to by sending a permission query request to the permission module, where the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user; the permission query result sent by the permission module is received; and when the permission query result is that the target permission of the user does not exist, the unauthorized access request is rejected. By the method provided in this embodiment, when the user is a peak period user or a user accessing a restricted function, different access control can be applied according to the different types of user access request, and the stability and security of the network application are improved.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a user access control method according to an embodiment of the present application;
fig. 2 is a schematic view illustrating an access control flow for a peak traffic class request according to an embodiment of the present application;
fig. 3 is a schematic view of an access control flow for an unauthorized access type request according to an embodiment of the present application;
fig. 4 is a schematic view of an access control flow for an abnormal traffic class request according to an embodiment of the present application;
fig. 5 is a schematic view of an access control flow for an abnormal behavior class request according to an embodiment of the present application;
fig. 6 is a schematic diagram of a user access control device according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanying the drawings are described in detail below.
In order to facilitate understanding and explaining the technical solutions provided by the embodiments of the present application, the following first describes the background art of the embodiments of the present application.
With the development of the modern internet, hardware and software technologies are continuously updated. An internet application service exposed on the internet generally faces the following scenarios, given the complex customer environments and customer operations it serves:
(1) Peak traffic. In scenarios such as commodity promotions and enterprise activities, customer access is far higher than usual. During the peak period of client access the enterprise server is under huge load pressure, and certain unimportant interfaces need to be subjected to access control, so that system throughput and system load are reduced and the service capacity of key functions is improved.
(2) Client access rights control. Enterprises often offer diversified services to various users; some services are universal, but others are targeted only at specific client groups. Identifying and controlling the set of access rights of a client, and thereby limiting the range of interfaces accessible to the user, is the key to achieving this function.
Based on this, an embodiment of the present application provides a user access control method, including: receiving a user access request; when the user access request is a peak period user access request, determining that the type of the user access request is a peak traffic class request; responding to the peak period user access request by sending a token query request to the data analysis layer, where the token query request causes the data analysis layer to query whether the first target cluster has an access token; receiving the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; the unauthorized access request is responded to by sending a permission query request to the permission module, where the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user; the permission query result sent by the permission module is received; and when the permission query result is that the target permission of the user does not exist, the unauthorized access request is rejected.
In order to facilitate understanding of the technical solutions provided in the embodiments of the present application, a user access control method provided in the embodiments of the present application is described below with reference to the accompanying drawings. It should be noted that the method can be applied to the access control layer of the B/S architecture internet application. Referring to fig. 1, fig. 1 is a flowchart of a user access control method according to an embodiment of the present application. As shown in fig. 1, the method may include S101-S109:
S101: a user access request is received.
When a user sends an access request through an interface, the access control layer receives the user access request.
It should be noted that different users have different access request types, such as peak traffic class requests and unauthorized access class requests. It is to be understood that the server's access control layer performs unified access control.
It is understood that an interface (or website interface) refers to a tool that an enterprise deploys on a server to accept customer requests and provide services to customers. Generally, each client-facing interface provides a specific service function.
S102: when the user access request is received in a peak period, the type of the user access request is determined to be a peak traffic class request.
When the user sends an access request during the peak traffic period, the type of the user access request at that time is determined to be a peak traffic class request. Referring to fig. 2, fig. 2 is a schematic view illustrating the access control flow for a peak traffic class request according to an embodiment of the present application. As shown in fig. 2, peak period users send their requests to the access control layer.
S103: in response to the peak period user access request, a token query request is sent to the data analysis layer; the token query request causes the data analysis layer to query whether the first target cluster has an access token.
The access control layer responds to the peak period user access request by detecting the system load and sending a token query request to the data analysis layer. The token query request causes the data analysis layer to query whether the first target cluster has an access token. As shown in fig. 2, the access control layer sends a request to check the token to the data analysis layer.
In some embodiments, the first target cluster is a Redis cluster. The Redis cluster supports efficient data reading and writing and is used, during user access control, to store data such as user marks, permission data and access tokens.
It can be understood that the data analysis layer is used to analyze user behavior and judge whether a user's access or operation is abnormal.
S104: the token query result sent by the data analysis layer is received.
The access control layer receives the token query result sent by the data analysis layer.
It should be noted that, after the data analysis layer receives the token query request sent by the access control layer, it computes over the data in the first target cluster, for example a Redis cluster, obtains the token query result from that computation, and sends the token query result to the access control layer.
S105: when the token query result is that no token is available, the peak period user access request is rejected.
When the data analysis layer computes over the data in the first target cluster, such as the Redis cluster, and finds that no token is available, the token query result is "no available token", and the access control layer rejects the user's peak period access request. As shown in fig. 2, the access control layer receives a token query result of "no available token" from the data analysis layer, and at this point the access control layer denies the user's access request.
Through this operation, the token bucket algorithm is used to limit peak traffic and achieve traffic peak clipping. Token bucket flow control refers to flow control by means of a virtual token bucket. The system produces tokens for a client at a constant rate, and the tokens produced are placed in the bucket until the bucket is full. When a user sends a service request, a token in the bucket is consumed: if there is no token in the bucket, the service request is rejected; if there is a token in the bucket, one token is consumed and the service request is accepted.
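As an added example that is not part of the patent, the token bucket check behind S103-S105 in Python: tokens accrue at a constant rate per client up to the bucket capacity, each accepted request consumes one, and an empty bucket means rejection. The per-client bucket, the refill rate, the capacity and the replayed burst are constructed assumptions, and the clock is injected so the decisions are deterministic.

```python
import time
from typing import Callable, Dict, List


class TokenBucket:
    """One client's bucket: tokens are produced at a constant rate and
    stored up to `capacity`; each accepted request consumes one token."""

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate                # tokens produced per second
        self.capacity = capacity        # bucket size; surplus tokens are discarded
        self.clock = clock
        self.tokens = float(capacity)   # the bucket starts full
        self.last = clock()

    def _refill(self) -> None:
        # Lazily credit the tokens produced since the last request; the min()
        # implements "placed in the bucket until the bucket is full".
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_consume(self) -> bool:
        """Return True and take one token if one is available, else False."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PeakPeriodGate:
    """Access-control-layer side of S103-S105: one bucket per client (the
    patent's per-client token production); reject when no token is available."""

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, client_id: str) -> str:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.rate, self.capacity, self.clock)
        return "accept" if bucket.try_consume() else "reject"


class FakeClock:
    """Deterministic clock for the simulation below (constructed for the example)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate_burst(rate: float = 2.0, capacity: int = 5) -> List[str]:
    """Replay a constructed burst from one client ("client-A"): 7 requests at
    t=0, then 3 more at t=1s. With 5 tokens initially and 2 tokens/s the
    expected decisions are 5 accepts, 2 rejects, then 2 accepts and 1 reject."""
    clock = FakeClock()
    gate = PeakPeriodGate(rate, capacity, clock)
    decisions = [gate.handle("client-A") for _ in range(7)]
    clock.now = 1.0                      # one second of token production
    decisions += [gate.handle("client-A") for _ in range(3)]
    return decisions


if __name__ == "__main__":
    for i, decision in enumerate(simulate_burst()):
        print(f"request {i}: {decision}")
```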
S106: when the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request.
When the user accesses a restricted function, the type of the user access request at that moment is determined to be an unauthorized access class request. As an example, restricted functions are functions targeted only at a particular customer population. Referring to fig. 3, fig. 3 is a schematic view of the access control flow for an unauthorized access class request according to an embodiment of the present application. As shown in fig. 3, the user requests a restricted function through the access control layer.
S107: in response to the unauthorized access request, a permission query request is sent to the permission module; the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user.
The access control layer responds to the unauthorized access request by sending a permission query request to the permission module; the permission query request causes the permission module to query whether the first target cluster holds the target permission of the user. As shown in fig. 3, the access control layer sends a permission query request to the permission module so that the permission module checks whether the user has permission to access the restricted function.
It should be noted that the permission module is used to check user permissions.
S108: the permission query result sent by the permission module is received.
The access control layer receives the permission query result sent by the permission module.
S109: when the permission query result is that the target permission of the user does not exist, the unauthorized access request is rejected.
When the access control layer receives the permission query result sent by the permission module and the target permission of the user does not exist, the access control layer rejects the user's unauthorized access request. Referring to fig. 3, when the permission query result sent by the permission module is that the user has no permission to access the restricted function, the access control layer denies the user's access request.
It should be noted that the target permission of the user is generated after the user logs in through the user module and is stored in the first target cluster, which is, for example, a Redis cluster.
In addition to the two kinds of user access request described above, user access may also occur in the following situations:
(1) Abnormal client access traffic. Besides normal clients, web crawlers (web tools that download enterprise server content in bulk) and the like may make abnormal web accesses. A web crawler often downloads and copies the content provided by the enterprise server in batches and creates a large number of network requests that have no value to the enterprise. The web crawler not only occupies the enterprise's bandwidth and server resources, but may also use the downloaded content for illegal purposes such as a simulation station (a counterfeit website). Enterprises need to detect and prevent this.
(2) Abnormal client behavior control. Not all visitors are law-abiding users, and some users may attempt to attack internet applications for profit. For example, an attacker may try to steal another user's account by brute-force cracking or the like, or may try to reuse a coupon through a replay attack; for such behavior, interface-level checking and access control are also required.
For these two kinds of user access request, the embodiments of the present application also provide the following method, applied at the access control layer.
On the one hand, when the number of accesses by the user in a unit of time exceeds the preset number, the type of the user access request is determined to be an abnormal traffic class request;
in response to the abnormal traffic request, a blacklist query request is sent to the blacklist control layer; the blacklist query request causes the blacklist control layer to query, according to the blacklist in the first target cluster, whether the user is a blacklisted user;
the blacklist query result sent by the blacklist control layer is received;
and access control is performed on the user according to the blacklist query result.
In a specific implementation, performing access control on the user according to the blacklist query result comprises the following steps:
when the blacklist query result is that the user is a blacklisted user, rejecting the abnormal traffic class request;
when the blacklist query result is that the user is not a blacklisted user, sending a user access message to the second target cluster so that the data analysis layer consumes the user access message received by the second target cluster and, when it determines that the user's access is abnormal, sends an abnormal user access message back to the second target cluster; the blacklist control layer then consumes the abnormal user access message received by the second target cluster and adds the user to the blacklist;
and when the user has been added to the blacklist, rejecting the abnormal traffic class request.
It is to be understood that the second target cluster is, as an example, a Kafka cluster, which can produce and consume messages at large scale; in the flow control it receives and broadcasts messages of the types "user access", "user behavior", "abnormal user" and so on. It should be noted that the preset number is chosen according to the actual situation, for example fifty thousand times per hour.
The blacklist control layer is used to record and mark restricted users or restricted user behaviors.
It should be noted that, when processing user access requests, the server may use other resources in the first target cluster and the second target cluster, for example the Redis cluster and the Kafka cluster, which is efficient.
In a specific application, referring to fig. 4, fig. 4 is a schematic view of the access control flow for an abnormal traffic class request provided in an embodiment of the present application. As shown in fig. 4:
1. When a user from a specific IP (or with a specific device serial number) continuously accesses the server application and sends access requests to the interface, the user request is determined to be an abnormal traffic class request.
2. The traffic access layer checks whether the IP (or device) is blacklisted. The traffic access layer comprises the access control layer and the blacklist control layer.
Specifically, A-1: the access control layer, upon receiving a request, asynchronously sends a "user access" type message to the Kafka cluster.
A-2: the data analysis layer starts a daemon process that continuously consumes and analyzes "user access" type messages. A daemon process is a special process that runs in the system background to execute a specific system task.
B-1: when the data analysis layer finds that a user's access is abnormal, it pushes an "abnormal user" message to the Kafka cluster.
B-2: the blacklist control layer starts a daemon process that continuously consumes "abnormal user" messages; each time it consumes one "abnormal user" message, it marks the corresponding user (that is, the IP or client) as an abnormal user.
3. If the access control layer finds that the user's IP has been marked as blacklisted, the request is denied.
On the other hand, when the user accesses a special type of transaction, the type of the user access request is determined to be an abnormal behavior class request;
in response to the user access request, an abnormal behavior query request is sent to the blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query, according to the abnormal behavior list in the first target cluster, whether the user behavior is an abnormal behavior in that list;
the abnormal behavior query request result sent by the blacklist control layer is received;
and access control is performed on the abnormal behavior class request according to the abnormal behavior query request result.
In a specific implementation, performing access control on the abnormal behavior class request according to the abnormal behavior query request result comprises the following steps:
rejecting the abnormal behavior class request when the abnormal behavior query request result indicates that the user's behavior is an abnormal behavior in the abnormal behavior list;
when the abnormal behavior query request result indicates that the user behavior is not an abnormal behavior in the abnormal behavior list, sending a user behavior message to the second target cluster, so that the data analysis layer consumes the user behavior message received by the second target cluster and, when it determines that the user behavior is abnormal, sends an abnormal user behavior message back to the second target cluster, after which the blacklist control layer consumes the abnormal user behavior message received by the second target cluster and adds the user to the abnormal behavior list;
and rejecting the abnormal behavior class request when the user has been added to the abnormal behavior list.
In a specific application, referring to fig. 5, which is a schematic view of the access control flow for an abnormal behavior class request according to an embodiment of the present application, the flow is as follows:
1. The user sends an access request through the interface, attempting to access a high-risk transaction.
2. The traffic access layer checks whether the user's action of accessing the high-risk transaction is blacklisted.
Specifically, A-1: the access control layer, upon receiving a request, asynchronously sends a "user behavior" type message to the Kafka cluster.
A-2: the data analysis layer starts a daemon process that continuously consumes and analyzes "user behavior" type messages.
B-1: when the data analysis layer finds that a user's behavior is abnormal, it pushes an "abnormal user behavior" message to the Kafka cluster.
B-2: the blacklist control layer starts a daemon process that continuously consumes "abnormal user behavior" messages and, for each such message consumed, marks the corresponding user behavior as forbidden.
3. If the user's behavior is found to have been marked as forbidden, the request is denied.
It should be noted that, by applying the corresponding control to each kind of user access request as implemented above, peak access, abnormal traffic access, restricted access, abnormal behavior access, and the like can be identified and limited without affecting normal service processing, meeting the user access control requirements of Internet applications. In addition, this solves the problem that existing development frameworks such as SpringBoot cannot apply specially customized access restrictions to specific users and specific interfaces: permission verification, access control and the like for specific IPs (or specific device serial numbers) and specific interfaces are realized, and the Redis clusters and Kafka clusters already common in Internet applications can be used effectively. Furthermore, a different access limit can be set for each interface, for example 10000 times per second for the query interface and 5000 times per second for the dynamic account interface, which increases the flexibility of interface configuration.
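The four control paths described above (peak-period token query, permission query, the abnormal-traffic blacklist check and the abnormal-behavior list check, each of the latter two with the Kafka round trip through the data analysis and blacklist control daemons) as an added Python simulation; this is not the patent's own code. The Redis and Kafka clusters are replaced by in-memory stand-ins, the daemons run inline instead of in the background, and the interface names, thresholds and analysis rules are assumptions.

```python
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass, field

INTERFACE_LIMITS = {"query": 10000, "dynamic_account": 5000}  # per-window limits from the text
DEFAULT_LIMIT = 50000            # the text's "fifty thousand times per hour" default
RESTRICTED = {"admin_export"}    # functions that need a target permission (assumed names)
HIGH_RISK = {"large_transfer"}   # "special type" / high-risk transactions (assumed names)
STRIKES_TO_BLACKLIST = 3         # assumed data-analysis rule: 3 over-limit accesses
BEHAVIOR_ATTEMPTS = 5            # assumed rule: 5 high-risk attempts within one window

# A request carries the IP (or device serial), user, interface, time-window id and peak flag.
Request = namedtuple("Request", "ip user interface window peak", defaults=(False,))

@dataclass
class FirstCluster:
    """Stands in for the Redis cluster: the shared state every layer queries."""
    tokens: int = 0                                       # peak-period access tokens
    permissions: dict = field(default_factory=dict)       # user -> {interfaces}
    blacklist: set = field(default_factory=set)           # blacklisted IPs / devices
    abnormal_behaviors: set = field(default_factory=set)  # forbidden (user, interface)
    hits: dict = field(default_factory=lambda: defaultdict(int))  # (ip, iface, window)

class SecondCluster:
    """Stands in for the Kafka cluster: one FIFO per message type."""
    def __init__(self):
        self.topics = defaultdict(deque)
    def publish(self, topic, msg):
        self.topics[topic].append(msg)
    def drain(self, topic):
        while self.topics[topic]:
            yield self.topics[topic].popleft()

class DataAnalysisLayer:
    """Daemon A-2: consumes 'user access' / 'user behavior', emits 'abnormal ...'."""
    def __init__(self):
        self.strikes, self.attempts = defaultdict(int), defaultdict(int)
    def run(self, kafka):
        for m in kafka.drain("user access"):
            self.strikes[m["ip"]] += 1
            if self.strikes[m["ip"]] >= STRIKES_TO_BLACKLIST:
                kafka.publish("abnormal user", {"ip": m["ip"]})
        for m in kafka.drain("user behavior"):
            key = (m["user"], m["interface"], m["window"])
            self.attempts[key] += 1
            if self.attempts[key] >= BEHAVIOR_ATTEMPTS:
                kafka.publish("abnormal user behavior", {"user": m["user"], "interface": m["interface"]})

def blacklist_control(kafka, redis):
    """Daemon B-2: consumes the 'abnormal ...' topics and marks users / behaviors."""
    for m in kafka.drain("abnormal user"):
        redis.blacklist.add(m["ip"])
    for m in kafka.drain("abnormal user behavior"):
        redis.abnormal_behaviors.add((m["user"], m["interface"]))

def access_control(req, redis, kafka, analysis):
    """Traffic access layer: classify the request, return 'allow' or 'deny:<reason>'."""
    key = (req.ip, req.interface, req.window)
    redis.hits[key] += 1
    if redis.hits[key] > INTERFACE_LIMITS.get(req.interface, DEFAULT_LIMIT):
        # Abnormal traffic class: blacklist query; if clean, publish and let the daemons judge.
        if req.ip in redis.blacklist:
            return "deny:blacklisted"
        kafka.publish("user access", {"ip": req.ip, "interface": req.interface})
        analysis.run(kafka); blacklist_control(kafka, redis)   # daemons run inline here
        if req.ip in redis.blacklist:
            return "deny:blacklisted"
    if req.peak:                       # peak traffic class: token query
        if redis.tokens <= 0:
            return "deny:no_token"
        redis.tokens -= 1
    if req.interface in RESTRICTED:    # unauthorized access class: permission query
        if req.interface not in redis.permissions.get(req.user, set()):
            return "deny:no_permission"
    if req.interface in HIGH_RISK:     # abnormal behavior class: behavior-list query
        if (req.user, req.interface) in redis.abnormal_behaviors:
            return "deny:behavior_forbidden"
        kafka.publish("user behavior", {"user": req.user, "interface": req.interface, "window": req.window})
        analysis.run(kafka); blacklist_control(kafka, redis)
        if (req.user, req.interface) in redis.abnormal_behaviors:
            return "deny:behavior_forbidden"
    return "allow"

def demo():
    """Constructed scenario exercising all four request classes."""
    redis, kafka, an = FirstCluster(tokens=1), SecondCluster(), DataAnalysisLayer()
    redis.permissions["alice"] = {"admin_export"}
    run = lambda *a, **k: access_control(Request(*a, **k), redis, kafka, an)
    burst = [run("10.0.0.7", "bob", "dynamic_account", 1) for _ in range(5004)]
    peak = [run("10.0.0.8", "alice", "query", 1, peak=True) for _ in range(2)]
    perm = [run("10.0.0.9", u, "admin_export", 1) for u in ("bob", "alice")]
    risky = [run("10.0.0.10", "carol", "large_transfer", 2) for _ in range(6)]
    return {"burst": burst[4999:], "peak": peak, "perm": perm, "risky": risky[3:]}
```

In `demo()` the 5001st call on `dynamic_account` crosses the limit and is only published for analysis; the IP is denied once the assumed three over-limit accesses have been consumed, and stays denied by the blacklist query afterwards.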
The user access control method provided by the embodiment of the application comprises the following steps: receiving a user access request; when the user access request is a request received in a peak period, determining that the type of the user access request is a peak traffic class request; in response to the peak period user access request, sending a token query request to the data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether the first target cluster has an access token; receiving the token query result sent by the data analysis layer; and when the token query result is that no token is available, rejecting the peak period user access request. When the user accesses a restricted function, the type of the user access request is determined to be an unauthorized access class request; in response to the unauthorized access class request, a permission query request is sent to the permission module, wherein the permission query request is used for enabling the permission module to query whether the first target cluster has the target permission of the user; the permission query request result sent by the permission module is received; and when the permission query request result is that the target permission of the user does not exist, the unauthorized access class request is rejected. With the method provided by the embodiment of the application, when the user is a peak period user or a user accessing a restricted function, different access control can be applied according to the different user access requests, improving the stability and security of the network application.
Referring to fig. 6, fig. 6 is a schematic diagram of a user access control device according to an embodiment of the present application, where the device includes:
a first receiving unit 601, configured to receive a user access request;
a first determining unit 602, configured to determine that the type of the user access request is a peak traffic class request, when the user access request is a request received during a peak period;
a first response unit 603, configured to respond to the peak user access request, and send a token query request to a data analysis layer, where the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
a second receiving unit 604, configured to receive a token query result sent by the data analysis layer;
a first rejecting unit 605, configured to reject the peak period user access request when the token query result is that no token is available;
a second determining unit 606, configured to determine, when the user accesses the restricted function, that the type of the user access request is an unauthorized access type request;
a second response unit 607, configured to respond to the unauthorized access type request and send an authority query request to the authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
a third receiving unit 608, configured to receive a result of the permission query request sent by the permission module;
a second rejecting unit 609, configured to reject the unauthorized access request when the result of the permission query request is that the target permission of the user does not exist.
Optionally, in some implementations of this embodiment, the apparatus further includes:
a third determining unit, configured to determine that the type of the user access request is an abnormal traffic type request when the number of times of access within the user unit time exceeds a preset number of times;
a third response unit, configured to send a blacklist query request to a blacklist control layer in response to the abnormal traffic class request; the blacklist query request is used for enabling the blacklist control layer to query whether the user is the blacklist user according to a blacklist in a first target cluster;
a fourth receiving unit, configured to receive a result of the blacklist query request sent by the blacklist control layer;
and the first control unit is used for carrying out access control on the user according to the result of the blacklist query request.
Optionally, in some implementations of this embodiment, the first control unit includes:
and the first rejection subunit is configured to reject the abnormal traffic class request when the result of the blacklist query request is that the user is a blacklist user.
Optionally, in some implementations of this embodiment, the first control unit includes:
a first sending subunit, configured to send, when the result of the blacklist query request is that the user is not a blacklist user, a user access message to a second target cluster, so that the data analysis layer consumes the user access message received by the second target cluster, and when it is determined that the user access is abnormal, send an abnormal user access message back to the second target cluster, and then make the blacklist control layer consume the abnormal user access message received by the second target cluster, and add the user to the blacklist;
and the second rejection subunit is used for rejecting the abnormal traffic class request when the user is added into the blacklist.
Optionally, in some implementations of this embodiment, the apparatus further includes:
the fourth determining unit is used for determining the type of the user access request as an abnormal behavior type request when the user accesses a special type transaction;
the fourth response unit is used for responding to the user access request and sending an abnormal behavior query request to the blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query whether the user behavior is an abnormal behavior in the abnormal behavior list according to the abnormal behavior list in the first target cluster;
a fifth receiving unit, configured to receive an abnormal behavior query request result sent by the blacklist control layer;
and the second control unit is used for performing access control on the abnormal behavior request according to the abnormal behavior query request result.
Optionally, in some implementations of this embodiment, the second control unit includes:
a third rejecting subunit, configured to reject the abnormal behavior class request when the result of the abnormal behavior query request is that the behavior of the user is an abnormal behavior in the abnormal behavior list.
Optionally, in some implementations of this embodiment, the second control unit includes:
a second sending subunit, configured to send a user behavior message to a second target cluster when the abnormal behavior query request result indicates that the behavior of the user is not an abnormal behavior in the abnormal behavior list, so that the data analysis layer consumes the user behavior message received by the second target cluster, and when it is determined that the user behavior is abnormal, send an abnormal user behavior message back to the second target cluster, and then cause the blacklist control layer to consume the abnormal user behavior message received by the second target cluster, and add the user to the abnormal behavior list;
and the fourth rejecting subunit is used for rejecting the abnormal behavior class request when the user is added into the abnormal behavior list.
The embodiment of the application provides a user access control device, which receives a user access request; when the user access request is a request received in a peak period, it determines that the type of the user access request is a peak traffic class request; in response to the peak period user access request, it sends a token query request to the data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether the first target cluster has an access token; it receives the token query result sent by the data analysis layer; and when the token query result is that no token is available, it rejects the peak period user access request. When the user accesses a restricted function, it determines that the type of the user access request is an unauthorized access class request; in response to the unauthorized access class request, it sends a permission query request to the permission module, wherein the permission query request is used for enabling the permission module to query whether the first target cluster has the target permission of the user; it receives the permission query request result sent by the permission module; and when the permission query request result is that the target permission of the user does not exist, it rejects the unauthorized access class request. With the device provided by the embodiment of the application, when the user is a peak period user or a user accessing a restricted function, different access control can be applied according to the different user access requests, improving the stability and security of the network application.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The method disclosed by the embodiment corresponds to the system disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the system part for description.
It should also be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (8)
1. A method for user access control, the method comprising:
receiving a user access request;
when the user access request is a request received in a peak period, determining that the type of the user access request is a peak traffic type request;
responding to the peak period user access request, and sending a token query request to a data analysis layer, wherein the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
receiving a token query result sent by the data analysis layer;
when the token query result is that no token is available, rejecting the peak period user access request;
when the user accesses the limited function, determining the type of the user access request as an unauthorized access request;
responding to the unauthorized access request, and sending an authority inquiry request to an authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
receiving an authority inquiry request result sent by the authority module;
and when the permission query request result indicates that the target permission of the user does not exist, rejecting the unauthorized access request.
2. The method of claim 1, further comprising:
when the number of times of access of the user in unit time exceeds a preset number of times, determining the type of the user access request as an abnormal traffic request;
responding to the abnormal traffic request, and sending a blacklist query request to a blacklist control layer; the blacklist query request is used for enabling the blacklist control layer to query whether the user is the blacklist user according to a blacklist in a first target cluster;
receiving a blacklist query request result sent by the blacklist control layer;
and performing access control on the user according to the result of the blacklist query request.
3. The method of claim 2, wherein the performing access control on the user according to the result of the blacklist query request comprises:
and when the result of the blacklist query request is that the user is a blacklist user, rejecting the abnormal traffic class request.
4. The method of claim 2, wherein the performing access control on the user according to the result of the blacklist query request comprises:
when the result of the blacklist query request is that the user is not a blacklist user, sending a user access message to a second target cluster so that the data analysis layer consumes the user access message received by the second target cluster, and when the user access is determined to be abnormal, sending an abnormal user access message back to the second target cluster, and then enabling the blacklist control layer to consume the abnormal user access message received by the second target cluster and adding the user into the blacklist;
and when the user is added into the blacklist, rejecting the abnormal traffic class request.
5. The method of claim 1, further comprising:
when the user accesses a special type transaction, determining the type of the user access request as an abnormal behavior request;
responding to the user access request, and sending an abnormal behavior query request to a blacklist control layer; the abnormal behavior query request is used for enabling the blacklist control layer to query whether the user behavior is an abnormal behavior in the abnormal behavior list according to the abnormal behavior list in the first target cluster;
receiving an abnormal behavior query request result sent by the blacklist control layer;
and performing access control on the abnormal behavior request according to the abnormal behavior query request result.
6. The method according to claim 5, wherein the performing access control on the abnormal behavior class request according to the result of the abnormal behavior query request includes:
and rejecting the abnormal behavior request when the abnormal behavior query request result indicates that the user behavior is the abnormal behavior in the abnormal behavior list.
7. The method according to claim 5, wherein the performing access control on the user according to the abnormal behavior query request result comprises:
when the abnormal behavior query request result is that the user behavior is not the abnormal behavior in the abnormal behavior list, sending a user behavior message to a second target cluster so that the data analysis layer consumes the user behavior message received by the second target cluster, sending an abnormal user behavior message back to the second target cluster when the user behavior is determined to be abnormal, then enabling the blacklist control layer to consume the abnormal user behavior message received by the second target cluster, and adding the user to the abnormal behavior list;
and when the user is added into the abnormal behavior list, rejecting the abnormal behavior class request.
8. A user access control apparatus, characterized in that the apparatus comprises:
a first receiving unit, configured to receive a user access request;
a first determining unit, configured to determine that the type of the user access request is a peak traffic class request, when the user access request is a request received during a peak period;
a first response unit, configured to respond to the peak user access request, and send a token query request to a data analysis layer, where the token query request is used for enabling the data analysis layer to query whether an access token exists in a first target cluster;
the second receiving unit is used for receiving the token query result sent by the data analysis layer;
a first rejecting unit, configured to reject the peak period user access request when the token query result is that no token is available;
the second determining unit is used for determining the type of the user access request as an unauthorized access request when the user accesses the limited function;
the second response unit is used for responding the unauthorized access request and sending an authority inquiry request to the authority module; the permission query request is used for enabling the permission module to query whether a first target cluster has target permission of the user;
the third receiving unit is used for receiving the authority inquiry request result sent by the authority module;
and the second refusing unit is used for refusing the unauthorized access request when the result of the authority inquiry request is that the target authority of the user does not exist.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011552612.3A CN112615875A (en) | 2020-12-24 | 2020-12-24 | User access control method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112615875A true CN112615875A (en) | 2021-04-06 |
Family
ID=75245498
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011552612.3A Pending CN112615875A (en) | 2020-12-24 | 2020-12-24 | User access control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112615875A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113315637A (en) * | 2021-05-31 | 2021-08-27 | 中国农业银行股份有限公司 | Security authentication method, device and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102137111A (en) * | 2011-04-20 | 2011-07-27 | 北京蓝汛通信技术有限责任公司 | Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server |
CN108418821A (en) * | 2018-03-06 | 2018-08-17 | 北京焦点新干线信息技术有限公司 | Redis and Kafka-based high-concurrency scene processing method and device for online shopping system |
CN112118237A (en) * | 2020-09-04 | 2020-12-22 | 紫光云(南京)数字技术有限公司 | Resource access management method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210406 |