CN113111316A - Method, device and system for application authorization management - Google Patents


Info

Publication number
CN113111316A
CN113111316A CN202110440187.7A CN202110440187A CN113111316A CN 113111316 A CN113111316 A CN 113111316A CN 202110440187 A CN202110440187 A CN 202110440187A CN 113111316 A CN113111316 A CN 113111316A
Authority
CN
China
Prior art keywords
application
authorization
authorized
terminal
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110440187.7A
Other languages
Chinese (zh)
Inventor
周永健
齐军
张福新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Skyguard Network Security Technology Co ltd
Original Assignee
Beijing Skyguard Network Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Skyguard Network Security Technology Co ltd
Priority to CN202110440187.7A
Publication of CN113111316A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/12 Protecting executable software
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Abstract

The invention discloses a method, a device and a system for application authorization management, and relates to the technical field of computers. One embodiment of the method comprises: receiving an authorization request, sent by a terminal, for an application to be authorized; detecting whether the authorization request comprises an application installation signature of the application to be authorized, wherein the application installation signature is derived from an installation package of the application to be authorized; if so, generating authorization information for the application to be authorized and sending the authorization information to the terminal, so that the terminal obtains the authorization of the application to be authorized; if not, refusing to authorize the application to be authorized. This embodiment can ensure the validity of the application installed in the terminal.

Description

Method, device and system for application authorization management
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for application authorization management.
Background
In order to protect the rights and interests of application developers and to manage the applications installed in a terminal, the server generally needs to authorize the applications.
At present, a server authorizes an application mainly as follows: the terminal on which the application is installed sends its own device information to the server, and the server authorizes the application installed in the terminal according to the device information of the terminal.
The existing authorization mode considers only the device information of the terminal in the authorization process, so it is difficult to ensure the validity of the application installed in the terminal.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, and a system for application authorization management, which can ensure validity of an application installed in a terminal.
To achieve the above object, according to an aspect of the embodiments of the present invention, there is provided an application authorization management method applied to an application server, including:
receiving an authorization request, sent by a terminal, for an application to be authorized;
detecting whether the authorization request comprises an application installation signature of the application to be authorized, wherein the application installation signature is derived from an installation package of the application to be authorized;
if so, generating authorization information for the application to be authorized, and sending the authorization information to the terminal so that the terminal obtains the authorization of the application to be authorized;
and if not, refusing to authorize the application to be authorized.
Optionally, the method for application authorization management may further include:
generating a corresponding application installation signature for an installation package to be issued, and adding the application installation signature to the installation package to be issued;
and issuing the installation package to be issued added with the application installation signature so that the terminal acquires and installs the installation package to be issued added with the application installation signature to obtain the application to be authorized.
Optionally, the generating authorization information for the application to be authorized includes:
and generating an authorization signature certificate with an authorization validity period for the application to be authorized according to the terminal information and the function authorization range included in the authorization request.
Optionally, after detecting that the authorization request includes the application installation signature of the application to be authorized, further includes:
determining the current authorization quantity of the application to be authorized;
and judging whether the current authorization quantity reaches a preset authorization quantity threshold value, if so, executing the step of refusing to authorize the application to be authorized, otherwise, executing the step of generating authorization information for the application to be authorized.
Optionally, the method for application authorization management may further include:
receiving an application access request sent by the terminal, wherein the application access request comprises an authorization signature certificate with an authorization validity period;
and verifying whether the authorized signature certificate with the authorized validity period is valid, and if so, sending application configuration information to the terminal so that the terminal can access the application.
Optionally, after verifying that the authorization signature certificate with authorization validity period is valid, further comprising:
and judging whether the number of the current online terminals reaches a preset access threshold value, if not, executing the step of sending the application configuration information to the terminals.
Optionally, after verifying that the authorization signature certificate with the authorization validity period is invalid, further comprising:
receiving an extended authorization request sent by the terminal;
and if the extended authorization request meets a preset extension condition, generating a new authorization signature certificate for the terminal.
Optionally, the method for application authorization management may further include:
and if the extended authorization request does not meet the preset extension condition, canceling the authorization of the terminal.
Optionally, the method for application authorization management may further include:
providing authorization through a visual interface;
and managing the authorization condition in response to the operation trigger of the authorization condition.
In a second aspect, an embodiment of the present invention provides a method for application authorization management, where the method is applied to a terminal, and includes:
acquiring an installation package of an application to be authorized;
sending an authorization request aiming at the application to be authorized to an application server based on the installation package of the application to be authorized;
and when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
In a third aspect, an embodiment of the present invention provides an apparatus for application authorization management, where the apparatus is applied to an application server, and the apparatus includes: an interaction unit and an authorization management unit, wherein,
the interactive unit is used for receiving an authorization request aiming at the application to be authorized, which is sent by the terminal;
the authorization management unit is configured to detect whether the authorization request includes an application installation signature of the application to be authorized, where the application installation signature is derived from an installation package of the application to be authorized; if so, generating authorization information for the application to be authorized, and sending the authorization information to the terminal so that the terminal obtains the authorization of the application to be authorized; and if not, refusing to authorize the application to be authorized.
In a fourth aspect, an embodiment of the present invention provides an apparatus for application authorization management, where the apparatus is applied to a terminal, and the apparatus includes: an acquisition unit and an application authorization unit, wherein,
the acquisition unit is used for acquiring the installation package of the application to be authorized;
the application authorization unit is used for sending an authorization request aiming at the application to be authorized to an application server based on the installation package of the application to be authorized; and when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
In a fifth aspect, an embodiment of the present invention provides a system for application authorization management, including an application server having the apparatus for application authorization management provided in the above-mentioned embodiment, and a terminal having the apparatus for application authorization management provided in the above-mentioned embodiment.
One embodiment of the above invention has the following advantages or benefits: an application installation signature is set on the installation package of the application, so whether the installation package is a valid installation package can be determined by detecting whether the authorization request includes the application installation signature of the application to be authorized, wherein the application installation signature is derived from the installation package of the application to be authorized. Authorization information is then generated for the application to be authorized and sent to the terminal, so that the terminal obtains the authorization of the application to be authorized, thereby ensuring the validity of the installation package.
Further effects of the above-mentioned non-conventional optional implementations will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
Fig. 1 is a schematic view of an application scenario of an application authorization system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the main flow of a method of application authorization management according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the main flow of a method of application authorization management according to another embodiment of the present invention;
Fig. 4 is a schematic diagram of the main flow of a method of application authorization management according to yet another embodiment of the present invention;
Fig. 5 is a schematic diagram of the main flow of a method of application authorization management according to another embodiment of the present invention;
Fig. 6 is a schematic diagram of the main flow of a method of application authorization management according to yet another embodiment of the present invention;
Fig. 7 is a schematic diagram of the main flow of a method of application authorization management according to another embodiment of the present invention;
Fig. 8 is a schematic diagram of the main units of an apparatus for application authorization management according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of the main units of an apparatus for application authorization management according to another embodiment of the present invention;
Fig. 10 is a schematic diagram of the main devices of a system for application authorization management according to an embodiment of the present invention;
Fig. 11 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
Fig. 12 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The installation package refers to a file package required by the terminal to install the application. Correspondingly, the installation package of the application to be authorized refers to a file package which is acquired by the terminal and is required by the terminal for installing the application. The application to be authorized refers to an application which is installed on the terminal through the installation package of the application to be authorized and is not authorized by the application server. The installation package to be released refers to an installation package which is provided by an application developer to an application server and is not yet released to a terminal. The installation package to be issued is the installation package of the application to be authorized after being issued to the terminal.
In one implementation, the installation package installed on the terminal may originate from a variety of channels, such as an application server authorized by the application developer, other servers that have not obtained authorization from the application developer, and so forth. Currently, because installation packages are not monitored or managed, an authorization license can be obtained from the application server regardless of whether the installation package installed on a terminal originates from the application server or from other servers. This guarantees neither the legitimacy nor the validity of the installation package, and it is difficult to guarantee that the authorization is used correctly. For example, installation packages from other servers may have been modified or recompiled and still obtain authorization, in which case correct use of the authorization cannot be guaranteed.
The embodiment of the invention provides an application authorization management method, which is used for authorizing an application installed in a terminal. The method may be used in a system comprising a terminal and an application server. Different from the prior art, the application server sets an application installation signature for the installation package, so the installation package that the terminal obtains from the application server carries the application installation signature. The authorization request that the terminal subsequently sends to the application server then includes the application installation signature. Through the application installation signature, the application server can recognize that the application installed by the terminal sending the authorization request comes from a legitimate channel, and the subsequent authorization steps can then be executed for the terminal. Conversely, if the authorization request sent by the terminal to the application server does not contain the application installation signature, it can be determined that the installation package does not originate from the application server, and the application installed by the terminal may carry a usage risk. In this way the validity of the application is managed, authorization requests from illegitimate terminals are prevented from being mixed in, and trusted terminals can be authorized correctly.
Fig. 1 is a schematic view of an application scenario of an application authorization system according to an embodiment of the present invention. As shown in Fig. 1, the application authorization system may include an application server and at least one terminal. Fig. 1 takes 3 terminals as an example, where the application server 101, the terminal 102, the terminal 103, and the terminal 104 form an application authorization system. The terminal 101 is installed with the application 1010, the terminal 102 is installed with the application 1020, and the terminal 103 is installed with the application 1030. It should be noted that the application installed in the terminal may be an application client, or may be a tool such as office software. The application server 101 may authorize the application 1010 installed by the terminal 101, the application 1020 installed by the terminal 102, and the application 1030 installed by the terminal 103, respectively, so that these applications can operate normally. For example, suppose the installation package of the application 1010 installed in the terminal 101 and the installation package of the application 1020 installed in the terminal 102 both have application installation signatures, and the installation package of the application 1030 installed in the terminal 103 does not have an application installation signature. Then the application server 101 successfully authorizes the application 1010 installed in the terminal 101 and the application 1020 installed in the terminal 102, and does not authorize the application 1030 installed in the terminal 103. As a result, the application 1010 installed in the terminal 101 and the application 1020 installed in the terminal 102 can operate normally, and the application 1030 installed in the terminal 103 cannot operate normally.
It should be noted that the application server may use an existing digital signature technique to generate the application installation signature for the installation package, and details are not described herein.
In the application authorization system shown in fig. 1, as shown in fig. 2, the method for application authorization management applied to the application server may include the following steps:
Step S201: receiving an authorization request, sent by a terminal, for an application to be authorized;
The application to be authorized may be acquired by the terminal device from the application server, may be actively issued to the terminal device by the application server, or may be acquired by the terminal device through other channels, such as from other servers. Since the application server sets the application installation signature for the installation package, that is, the installation package is determined to be authentic by means of the application installation signature, the authorization request sent by the terminal in this step includes the application installation signature obtained from the installation package.
It should be noted that the authorization request may include, in addition to the application installation signature, device information such as a terminal identifier and hardware information of the terminal, for example, a MAC address, an identifier of a Central Processing Unit (CPU), a UUID (Universally Unique Identifier) of the terminal, and the like; the device information is not limited thereto.
Step S202: detecting whether the authorization request comprises an application installation signature of the application to be authorized, wherein the application installation signature is derived from an installation package of the application to be authorized; if so, executing step S203; if not, executing step S204;
Step S203: generating authorization information for the application to be authorized, sending the authorization information to the terminal so that the terminal obtains the authorization of the application to be authorized, and ending the current process;
The authorization information may be an authorization license file generated by the application server for the terminal.
The terminal obtaining the authorization of the application to be authorized means that the terminal can acquire the specific authorization file it requires when running or using the application.
Step S204: refusing to authorize the application to be authorized.
In the embodiment shown in Fig. 2, an application installation signature is set on the installation package of the application, so whether the installation package is a valid installation package can be determined by detecting whether the authorization request includes the application installation signature of the application to be authorized, wherein the application installation signature is derived from the installation package of the application to be authorized. Authorization information is then generated for the application to be authorized and sent to the terminal, so that the terminal obtains the authorization of the application to be authorized, thereby ensuring the validity of the installation package. In addition, illegitimate authorization requests can be filtered out through this process.
The application installation signature in the installation package of the application to be authorized may originate from the application developer, or may be set by the application server. In a preferred embodiment, as shown in Fig. 3, in order to better manage the application installation signatures of the installation packages of different applications in a uniform way, the method for application authorization management may further include the following steps:
Step S301: generating a corresponding application installation signature for the installation package to be issued, and adding the application installation signature to the installation package to be issued;
Step S302: issuing the installation package to be issued to which the application installation signature has been added, so that the terminal acquires and installs it to obtain the application to be authorized.
After the installation package to be issued, with the application installation signature added, is sent to the terminal, it is the installation package of the application to be authorized at the terminal.
Because the application server generates the corresponding application installation signature for the installation package to be issued, the application server can uniformly manage the application installation signatures of the various installation packages, and it is also convenient for the application server to subsequently detect the application installation signature included in the authorization request.
In this embodiment of the present invention, the implementation manner of generating the authorization information for the application to be authorized in step S203 may also be: and generating an authorization signature certificate with an authorization validity period for the application to be authorized according to the terminal information and the function authorization range included in the authorization request. The function authorization range may be obtained according to an installation package of the application to be authorized, for example, for management software of an enterprise, installation packages of the application to be authorized obtained by terminals with different permissions are different. The authorization validity period may be set accordingly according to actual requirements, for example, according to the duration of purchasing an application by a user, according to the duration of opening an authority for the user, and the like.
The authorization validity period can be managed through the authorization signature certificate: when a request for obtaining an authorization file is subsequently received, the request can carry the authorization signature certificate, and whether the application is within its authorization period or its authorization has lapsed can be determined from the certificate. This effectively improves the efficiency with which the application server identifies authorization validity.
In the embodiment of the present invention, in order to enable management of the authorization quantity, as shown in fig. 4, after detecting that the authorization request includes the application installation signature of the application to be authorized, the following steps may be further included:
Step S401: determining the current authorization quantity of the application to be authorized;
The current authorization quantity refers to the number of terminals, as recorded by the application server, that have already been authorized for the application.
Step S402: judging whether the current authorization quantity reaches a preset authorization quantity threshold; if so, executing step S403; otherwise, executing step S404;
The authorization quantity threshold may be set according to actual requirements. For example, if the number of employees at a certain level in the enterprise is N, the authorization quantity threshold may be set accordingly for the application corresponding to the employees at that level.
Step S403: executing the step of refusing to authorize the application to be authorized, and ending the current process;
Step S404: executing the step of generating authorization information for the application to be authorized.
In this embodiment of the present invention, as shown in fig. 5, the method for managing application authorization may further include the following steps:
Step S501: receiving an application access request sent by a terminal, wherein the application access request comprises an authorization signature certificate with an authorization validity period;
Step S502: verifying whether the authorization signature certificate with the authorization validity period is valid; if so, executing step S503; otherwise, denying access.
Step S503: sending the application configuration information to the terminal so that the terminal can access the application.
Through this process, the validity of the application authorization is managed by means of the authorization signature certificate with the authorization validity period. After the authorization license expires, that is, once the authorization signature certificate is invalid, the communication between the terminal and the server can be interrupted and the program terminated. The customer is prompted to purchase or extend the authorization license, thereby protecting the legitimate interests of the software manufacturer.
In the embodiment of the present invention, after verifying that the authorization signature certificate having the authorization validity period is valid, the method may further include: judging whether the number of terminals currently online reaches a preset access threshold; if so, denying access; otherwise, executing the step of sending the application configuration information to the terminal. This process effectively controls the number of terminals online, which prevents the resources of the application server from being excessively consumed and keeps the delivery of application configuration information to online terminals stable.
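The flows of Fig. 2, Fig. 4 and Fig. 5, together with the online-terminal threshold just described, can be sketched as follows. This is an added example, not code from the patent or its applicant. Assumptions: HMAC-SHA256 with constructed server-side keys stands in for the unspecified "existing digital signature"; the request fields, the certificate layout and all function names are hypothetical; and the server verifies the installation signature against the package digest rather than only checking that one is present.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys, held only by the application server. HMAC-SHA256 is a
# stand-in for the "existing digital signature" the description leaves open.
PACKAGE_KEY = b"constructed-package-key"
LICENSE_KEY = b"constructed-license-key"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_package(package):
    """S301: installation signature bound to the package contents."""
    return _mac(PACKAGE_KEY, hashlib.sha256(package).hexdigest().encode())


def build_request(package, install_signature, terminal_id, scope):
    """S602, terminal side. Hypothetical request layout (an assumption)."""
    return {
        "terminal_id": terminal_id,
        "scope": scope,
        "package_sha256": hashlib.sha256(package).hexdigest(),
        "install_signature": install_signature,  # None if the package had none
    }


class AuthorizationServer:
    def __init__(self, max_licenses, max_online):
        self.max_licenses = max_licenses  # authorization quantity threshold
        self.max_online = max_online      # access threshold
        self.licensed = {}                # terminal_id -> expiry of current cert
        self.online = set()

    def authorize(self, request, now, valid_for):
        """S201-S204 plus S401-S404. Returns a certificate string or None."""
        sig = request.get("install_signature")
        digest = request.get("package_sha256")
        # S202/S204: a missing signature is refused outright.
        if not isinstance(sig, str) or not isinstance(digest, str):
            return None
        # Beyond a presence check: the signature must match this package digest.
        expected = _mac(PACKAGE_KEY, digest.encode())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        terminal = request["terminal_id"]
        # S401-S403: refuse new terminals once the quota is reached.
        if terminal not in self.licensed and len(self.licensed) >= self.max_licenses:
            return None
        # S203: certificate binds terminal, function scope and validity period.
        claims = {"terminal_id": terminal, "scope": request.get("scope", []),
                  "not_after": now + valid_for}
        self.licensed[terminal] = claims["not_after"]
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return body.decode() + "." + _mac(LICENSE_KEY, body)

    def revoke(self, terminal_id):
        """Cancel a terminal's authorization and drop it from the online set."""
        self.licensed.pop(terminal_id, None)
        self.online.discard(terminal_id)

    def access(self, certificate, terminal_id, now):
        """S501-S503 plus the online threshold. Returns a status string."""
        body, _, tag = certificate.partition(".")
        # Verify the MAC before parsing anything the terminal supplied.
        good = _mac(LICENSE_KEY, body.encode()).encode()
        if not hmac.compare_digest(good, tag.encode()):
            return "invalid"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["terminal_id"] != terminal_id:
            return "invalid"   # certificate presented by another terminal
        if self.licensed.get(terminal_id) != claims["not_after"]:
            return "revoked"   # cancelled, or superseded by a newer certificate
        if now >= claims["not_after"]:
            return "expired"
        if terminal_id not in self.online and len(self.online) >= self.max_online:
            return "busy"
        self.online.add(terminal_id)
        return "ok"            # S503: configuration may now be sent
```

Binding the certificate to the terminal identifier and checking it against the server's own record means a copied, revoked or superseded certificate is refused even though its MAC still verifies.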
In the embodiment of the present invention, after verifying that the authorization signature certificate having the authorization validity period is invalid, the method may further include: receiving an extended authorization request sent by a terminal; and if the extended authorization request meets the preset extension condition, generating a new authorization signature certificate for the terminal. This realizes the function of extending the authorization. The preset extension condition may include: the user of the terminal extends the period for which the software is purchased. Where the user of the terminal is an enterprise employee, the preset extension condition may include: the contract is renewed after it expires. With the new authorization signature certificate, the user can continue to use the corresponding application through the terminal.
In the embodiment of the present invention, the method for application authorization management may further include: if the extended authorization request does not meet the preset extension condition, canceling the authorization of the terminal.
In the embodiment of the present invention, the method for application authorization management may further include: providing authorization through a visual interface; and managing the authorization condition in response to the operation trigger of the authorization condition. The authorization condition may be the total number of authorizations for each managed application, the total number of authorizations currently in existence, the number of authorizations currently online, information about the authorized terminals, and the like. Responding to an operation trigger on the authorization condition may be implemented as follows: management of the application authorization condition is offered to the user through a visual management button or management key. For example, through the management button the authorization of a certain terminal can be cancelled or removed, the total authorized quantity can be modified, the authorization period can be extended for the application installed in a certain terminal, and so on. This realizes visual authorization management: the authorization condition of terminals is managed online, and authorization licenses can be recovered from terminals. In addition, the authorization information and its state changes can be viewed and managed visually, which makes viewing and management easier for an administrator.
As shown in fig. 6, an embodiment of the present invention provides a method for application authorization management, which is applied to a terminal, and includes the following steps:
Step S601: acquiring an installation package of an application to be authorized;
In this step, the terminal mainly obtains the installation package from the application server or from other distribution channels authorized by the application publisher.
Step S602: sending an authorization request for the application to be authorized to an application server based on an application installation signature included in the installation package of the application to be authorized;
Step S603: when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
The method for application authorization management is further described below through interaction between the terminal and the application server, and as shown in fig. 7, the method for application authorization management may include the following steps:
Step S701: the application server generates a corresponding application installation signature for the installation package to be published, and adds the application installation signature to the installation package to be published;
Step S702: the application server publishes the installation package to which the application installation signature has been added;
Step S703: the terminal acquires an installation package of the application to be authorized, and installs it to obtain the application to be authorized;
In step S703, the installation package of the application to be authorized acquired by the terminal may come from the application server or from other channels. To ensure the security or validity of the installation package acquired by the terminal, the application server verifies the installation package in the subsequent steps, and can authorize the application on the terminal after the verification passes.
Step S704: the terminal sends an authorization request for the application to be authorized to the application server;
Step S705: the application server detects whether the authorization request includes an application installation signature of the application to be authorized; if so, go to step S706; if not, go to step S716;
Step S706: the application server determines the current authorization quantity of the application to be authorized;
Step S707: the application server judges whether the current authorization quantity reaches a preset authorization quantity threshold; if so, go to step S716; otherwise, go to step S708;
Step S708: the application server generates an authorization signature certificate with an authorization validity period for the application to be authorized according to the terminal information and the function authorization range included in the authorization request;
Step S709: the application server sends the authorization signature certificate to the terminal;
Step S710: the terminal acquires the authorization of the application to be authorized;
Step S711: the terminal sends an application access request to the application server, wherein the application access request includes the authorization signature certificate with the authorization validity period;
Step S712: the application server verifies whether the authorization signature certificate with the authorization validity period is valid; if so, step S713 is executed; otherwise, access is denied and step S717 is performed;
Step S713: the application server judges whether the number of current online terminals reaches a preset access threshold; if so, access is denied; otherwise, go to step S714;
Step S714: the application server sends application configuration information to the terminal;
Step S715: the terminal accesses the application and ends the current flow;
Step S716: the application server refuses to authorize the application to be authorized and ends the current flow;
Step S717: the terminal sends an extended authorization request to the application server;
Step S718: the application server verifies whether the extended authorization request meets a preset extension condition; if so, step S719 is executed; otherwise, go to step S721;
Step S719: the application server generates a new authorization signature certificate for the terminal;
Step S720: the application server sends the new authorization signature certificate to the terminal and ends the current flow;
Step S721: the application server cancels the authorization of the terminal.
In summary, the scheme provided by the present application mainly includes four parts: a trusted installation package creation part, a terminal authorization part, a verification part, and an authorization visual management part. Specifically:
Trusted installation package creation part: this can be completed by the application server. Before the installation package is distributed to terminals, an application installation signature is applied to it. Only when the signed software installation package is installed on the terminal can the terminal pass verification when it applies for an authorization license in the subsequent terminal authorization process, after which the application server can decide whether to generate the authorization license for the terminal. This prevents authorization requests from illegitimate terminals from being mixed in.
Terminal authorization part: the terminal generates a unique identifier (UUID) and sends it to the application server together with information such as the application installation signature obtained from the trusted installation package, local hardware information, and the function authorization range. If the application server has sufficient authorization quantity and verifies that the application installation signature is correct, it generates an authorization signature certificate containing the terminal information, the function authorization range and the authorization validity period, and returns it to the terminal to serve as identity authentication for subsequent communication.
Verification part: this is mainly the process in which the terminal acquires application configuration information and the like from the application server. In HTTPS communication between the terminal and the application server, a two-way certificate authentication mechanism (the terminal authenticates the application server and the application server authenticates the terminal) may be used. Only after verification of a trusted certificate can the terminal acquire from the application server the configuration information necessary for the program to run; after loading it, the application program on the terminal can start normally.
When the authorization signature certificate has expired, communication between the terminal and the server cannot be completed, and the terminal can try to apply for an extension of the certificate's validity period. If the application is approved, a new signature certificate is generated for subsequent communication; if the application fails, the terminal program automatically stops running. At the same time, the server cancels the terminal's expired authorization license.
Authorization visual management part: this mainly provides a visual management interface at the application server, which can display the authorization condition and the state information of authorized terminals in real time. It also provides some convenient authorization management operations, such as postponing authorization licenses, expanding the number of authorization licenses, and manually reclaiming the authorization license of a specified terminal.
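The server-side decisions in steps S701 to S721 can be modelled as below. This is an added example, not code from the patent: it substitutes HMAC-SHA256 tags for both the application installation signature and the authorization signature certificate (the patent describes certificates used in two-way HTTPS authentication), and the class, method and field names, keys and thresholds are assumptions. It verifies the signature value in step S705 rather than only detecting that one is present, and it rejects certificates that have been cancelled or superseded.

```python
import hashlib
import hmac
import json


class ApplicationServer:
    """Toy model of the application server in steps S701-S721 (added example)."""

    def __init__(self, max_authorizations, max_online, validity_seconds):
        self._pkg_key = b"constructed-package-key"       # constructed sample key
        self._cert_key = b"constructed-certificate-key"  # constructed sample key
        self.max_authorizations = max_authorizations
        self.max_online = max_online
        self.validity_seconds = validity_seconds
        self.published = {}    # application id -> installation signature
        self.authorized = {}   # terminal id -> expiry of its current certificate
        self.online = set()    # terminal ids counted against the access threshold
        self.renewed = set()   # terminal ids that meet the extension condition

    def publish(self, app_id, package_bytes):
        """S701-S702: bind an installation signature to the package content."""
        sig = hmac.new(self._pkg_key, package_bytes, hashlib.sha256).hexdigest()
        self.published[app_id] = sig
        return sig

    def _seal(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._cert_key, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + tag

    def _open(self, cert):
        """Return the body if authentic and not cancelled or superseded."""
        try:
            payload_hex, tag = cert.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        good = hmac.new(self._cert_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good.encode(), tag.encode()):
            return None
        body = json.loads(payload)
        if self.authorized.get(body["terminal"]) != body["exp"]:
            return None
        return body

    def _issue(self, terminal, scope, now):
        expiry = now + self.validity_seconds
        self.authorized[terminal] = expiry
        return self._seal({"terminal": terminal, "scope": scope, "exp": expiry})

    def authorize(self, request, now):
        """S705-S709: return a certificate, or None when refused (S716)."""
        expected = self.published.get(request.get("app"))
        supplied = request.get("install_signature")
        # S705: verify the value, not just its presence.
        if not expected or not isinstance(supplied, str):
            return None
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None
        terminal = request["terminal"]
        if (terminal not in self.authorized
                and len(self.authorized) >= self.max_authorizations):
            return None    # S707: authorization quantity threshold reached
        return self._issue(terminal, request["scope"], now)

    def access(self, cert, now):
        """S712-S714: return (status, configuration)."""
        body = self._open(cert)
        if body is None:
            return ("denied", None)
        if now >= body["exp"]:
            return ("expired", None)    # terminal may request extension (S717)
        terminal = body["terminal"]
        if terminal not in self.online and len(self.online) >= self.max_online:
            return ("denied", None)     # S713: access threshold reached
        self.online.add(terminal)
        return ("ok", {"scope": body["scope"]})

    def extend(self, cert, now):
        """S718-S721: new certificate, or cancel the terminal's authorization."""
        body = self._open(cert)
        if body is None:
            return None
        terminal = body["terminal"]
        if terminal in self.renewed:
            self.renewed.discard(terminal)
            return self._issue(terminal, body["scope"], now)
        del self.authorized[terminal]   # S721
        self.online.discard(terminal)
        return None


if __name__ == "__main__":
    server = ApplicationServer(2, 2, 3600)
    sig = server.publish("app", b"constructed installer bytes")
    cert = server.authorize({"app": "app", "terminal": "constructed-uuid-1",
                             "scope": ["basic"], "install_signature": sig}, now=0)
    print(server.access(cert, now=10), server.access(cert, now=3600))
```

Time is passed in as `now` so that expiry and extension can be exercised deterministically.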
As shown in fig. 8, an apparatus 800 for application authorization management according to an embodiment of the present invention is applied to an application server, where the apparatus 800 for application authorization management may include: an interaction unit 801 and an authorization management unit 802, wherein,
an interaction unit 801, configured to receive an authorization request for an application to be authorized, where the authorization request is sent by a terminal;
an authorization management unit 802, configured to detect whether the authorization request includes an application installation signature of the application to be authorized, where the application installation signature is derived from an installation package of the application to be authorized; if so, generate authorization information for the application to be authorized, and send the authorization information to the terminal so that the terminal can acquire the authorization of the application to be authorized; if not, refuse to authorize the application to be authorized.
In the embodiment of the present invention, the authorization management unit 802 is configured to generate a corresponding application installation signature for the installation package to be published, and add the application installation signature to the installation package to be published; and issuing the installation package to be issued added with the application installation signature so that the terminal acquires and installs the installation package to be issued added with the application installation signature to obtain the application to be authorized.
In this embodiment of the present invention, the authorization management unit 802 is configured to generate an authorization signature certificate with an authorization validity period for the application to be authorized according to the terminal information and the function authorization scope included in the authorization request.
In the embodiment of the present invention, the authorization management unit 802 is configured to determine a current authorization number of an application to be authorized; and judging whether the current authorization quantity reaches a preset authorization quantity threshold value, if so, executing a step of refusing to authorize the application to be authorized, otherwise, executing a step of generating authorization information for the application to be authorized.
In this embodiment of the present invention, the authorization management unit 802 is configured to receive an application access request sent by a terminal, where the application access request includes an authorization signature certificate with an authorization validity period; and verifying whether the authorized signature certificate with the authorized validity period is valid, and if so, sending application configuration information to the terminal so that the terminal can access the application.
In this embodiment of the present invention, the authorization management unit 802 is configured to determine whether the number of the current online terminals reaches a preset access threshold, and if not, execute a step of sending application configuration information to the terminal.
In the embodiment of the present invention, the authorization management unit 802 is configured to receive an extended authorization request sent by a terminal; and if the extended authorization request meets the preset extension condition, generating a new authorization signature certificate for the terminal.
In this embodiment of the present invention, the authorization management unit 802 is configured to cancel the authorization of the terminal if the extended authorization request does not meet the preset extension condition.
As shown in fig. 9, an apparatus 900 for application authorization management according to an embodiment of the present invention is applied to a terminal, where the apparatus 900 for application authorization management may include: an acquisition unit 901 and an application authorization unit 902, wherein,
an acquisition unit 901, configured to acquire an installation package of an application to be authorized;
an application authorization unit 902, configured to send an authorization request for an application to be authorized to an application server based on an installation package of the application to be authorized; and when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
As shown in fig. 10, an embodiment of the present invention provides a system 1000 for application authorization management, where the system 1000 for application authorization management may include: an application server 1001 having the apparatus 800 for application authorization management and a terminal 1002 having the apparatus 900 for application authorization management.
Fig. 11 shows an exemplary system architecture 1100 of an apparatus or method for application authorization management to which embodiments of the present invention may be applied.
As shown in fig. 11, the system architecture 1100 may include terminal devices 1101, 1102, 1103, a network 1104 and an application server 1105. The network 1104 is a medium to provide communication links between the terminal devices 1101, 1102, 1103 and the server 1105. Network 1104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 1101, 1102, 1103 to interact with the application server 1105 over the network 1104 to receive or send messages and the like. Various applications may be installed on the terminal devices 1101, 1102, 1103, and authorization of the applications is acquired from the application server 1105 to enable the user to use the applications through the terminal devices 1101, 1102, 1103.
The terminal devices 1101, 1102, 1103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The application server 1105 may be a server providing various services, such as a background management server (for example only) providing support for applications accessed by users with the terminal devices 1101, 1102, 1103. The background management server may analyze and otherwise process data such as the authorization request and the access request, and feed back a processing result (for example, an authorization signature certificate or configuration information of the application, merely as an example) to the terminal device.
It should be noted that the method for application authorization management provided by the embodiment of the present invention is generally executed by the application server 1105, and accordingly, the apparatus for application authorization management is generally disposed in the application server 1105.
It should be understood that the number of terminal devices, networks, and servers in fig. 11 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 12, shown is a block diagram of a computer system 1200 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 12 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 12, the computer system 1200 includes a Central Processing Unit (CPU) 1201, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. In the RAM 1203, various programs and data necessary for the operation of the system 1200 are also stored. The CPU 1201, ROM 1202, and RAM 1203 are connected to each other by a bus 1204. An input/output (I/O) interface 1205 is also connected to bus 1204.
The following components are connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output section 1207 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 1208 including a hard disk and the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. A drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 1210 as necessary, so that a computer program read out therefrom is installed into the storage section 1208 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1209, and/or installed from the removable medium 1211. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 1201.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes an interaction unit and an authorization management unit. The names of these units do not in some cases form a limitation on the units themselves, and for example, an interactive unit may also be described as a "unit that receives an authorization request for an application to be authorized sent by a terminal".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform: receiving an authorization request for an application to be authorized, which is sent by a terminal; detecting whether the authorization request includes an application installation signature of the application to be authorized, wherein the application installation signature is derived from an installation package of the application to be authorized; if so, generating authorization information for the application to be authorized, and sending the authorization information to the terminal so that the terminal can obtain the authorization of the application to be authorized; if not, refusing to authorize the application to be authorized.
According to the technical scheme of the embodiment of the invention, the application installation signature is set on the installation package of the application, so that whether the installation package of the application is a valid installation package can be determined by detecting whether the authorization request comprises the application installation signature of the application to be authorized, wherein the application installation signature is derived from the installation package of the application to be authorized. Then, generating authorization information for the application to be authorized, and sending the authorization information to the terminal, so that the terminal obtains the authorization of the application to be authorized; thereby ensuring the effectiveness of the installation package.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (15)

1. A method for application authorization management, applied to an application server, includes:
receiving an authorization request aiming at an application to be authorized, which is sent by a terminal;
detecting whether the authorization request comprises an application installation signature of the application to be authorized, wherein the application installation signature is derived from an installation package of the application to be authorized;
if so, generating authorization information for the application to be authorized, and sending the authorization information to the terminal so that the terminal obtains the authorization of the application to be authorized;
and if not, refusing to authorize the application to be authorized.
2. The method of claim 1, further comprising:
generating a corresponding application installation signature for an installation package to be issued, and adding the application installation signature to the installation package to be issued;
and issuing the installation package to be issued added with the application installation signature so that the terminal acquires and installs the installation package to be issued added with the application installation signature to obtain the application to be authorized.
3. The method according to claim 1, wherein the generating authorization information for the application to be authorized comprises:
and generating an authorization signature certificate with an authorization validity period for the application to be authorized according to the terminal information and the function authorization range included in the authorization request.
4. The method of claim 1, after detecting that the authorization request includes an application installation signature of the application to be authorized, further comprising:
determining the current authorization quantity of the application to be authorized;
and judging whether the current authorization quantity reaches a preset authorization quantity threshold value, if so, executing the step of refusing to authorize the application to be authorized, otherwise, executing the step of generating authorization information for the application to be authorized.
5. The method of claim 1, further comprising:
receiving an application access request sent by the terminal, wherein the application access request comprises an authorization signature certificate with an authorization validity period;
and verifying whether the authorized signature certificate with the authorized validity period is valid, and if so, sending application configuration information to the terminal so that the terminal can access the application.
6. The method of claim 5, after verifying that the authorized signature certificate having an authorized validity period is valid, further comprising:
and judging whether the number of the current online terminals reaches a preset access threshold value, if not, executing the step of sending the application configuration information to the terminals.
7. The method of claim 5, further comprising, after verifying that the authorization signature certificate having an authorization validity period is invalid:
receiving an extended authorization request sent by the terminal;
and if the extended authorization request meets a preset extension condition, generating a new authorization signature certificate for the terminal.
8. The method of claim 7, further comprising:
and if the extended authorization request does not meet the preset extension condition, canceling the authorization of the terminal.
9. The method of any of claims 1 to 8, further comprising:
providing authorization through a visual interface;
and managing the authorization condition in response to the operation trigger of the authorization condition.
10. A method for managing application authorization is applied to a terminal and comprises the following steps:
acquiring an installation package of an application to be authorized;
sending an authorization request aiming at the application to be authorized to an application server based on an application installation signature included in an installation package of the application to be authorized;
and when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
11. An apparatus for application authorization management, applied to an application server, includes: an interaction unit and an authorization management unit, wherein,
the interactive unit is used for receiving an authorization request aiming at the application to be authorized, which is sent by the terminal;
the authorization management unit is configured to detect whether the authorization request includes an application installation signature of the application to be authorized, where the application installation signature is derived from an installation package of the application to be authorized; if so, generating authorization information for the application to be authorized, and sending the authorization information to the terminal so that the terminal obtains the authorization of the application to be authorized; and if not, refusing to authorize the application to be authorized.
12. An apparatus for application authorization management, applied to a terminal, includes: an acquisition unit and an application authorization unit, wherein,
the acquisition unit is used for acquiring the installation package of the application to be authorized;
the application authorization unit is used for sending an authorization request aiming at the application to be authorized to an application server based on the installation package of the application to be authorized; and when receiving the authorization information sent by the application server, determining that the application to be authorized is authorized.
13. A system for application authorization management, comprising: an application server having the apparatus for application authorization management of claim 11 and a terminal having the apparatus for application authorization management of claim 12.
14. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-10.
15. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-10.
CN202110440187.7A 2021-04-22 2021-04-22 Method, device and system for application authorization management Pending CN113111316A (en)

Publications (1)

Publication Number Publication Date
CN113111316A true CN113111316A (en) 2021-07-13

Family

ID=76719873

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856621A (en) * 2012-12-06 2014-06-11 北京三星通信技术研究有限公司 Method and device for authorization between user devices
US20170026376A1 (en) * 2015-07-24 2017-01-26 Canon Kabushiki Kaisha Authorization delegation system, control method, authorization server, and storage medium
CN107743115A (en) * 2016-12-22 2018-02-27 腾讯科技(深圳)有限公司 A kind of identity identifying method of terminal applies, device and system
CN112115425A (en) * 2020-09-21 2020-12-22 北京指掌易科技有限公司 Software authorization permission method and device and electronic equipment

Similar Documents

Publication Publication Date Title
CN111201530B (en) System and method for security application monitoring
CN110912938B (en) Access verification method and device for network access terminal, storage medium and electronic equipment
CN110414268B (en) Access control method, device, equipment and storage medium
EP3275159B1 (en) Technologies for secure server access using a trusted license agent
CN105164633B (en) The configuration and verifying carried out by trusted provider
US10482257B2 (en) System and method to enforce the secure boot policy of a platform on a virtual machine
US8918856B2 (en) Trusted intermediary for network layer claims-enabled access control
KR101530809B1 (en) Dynamic platform reconfiguration by multi-tenant service providers
US10212151B2 (en) Method for operating a designated service, service unlocking method, and terminal
CN104010044A (en) Application limitation installing method, manager and terminal based on trusted execution environment technology
CN110602088A (en) Block chain-based right management method, block chain-based right management device, block chain-based right management equipment and block chain-based right management medium
CN111526111B (en) Control method, device and equipment for logging in light application and computer storage medium
US20220103544A1 (en) Authentication in a computer network system
CN111966422A (en) Localized plug-in service method and device, electronic equipment and storage medium
US9455972B1 (en) Provisioning a mobile device with a security application on the fly
US10158623B2 (en) Data theft deterrence
CN113111316A (en) Method, device and system for application authorization management
CN116707849A (en) Cloud service access authority setting method and cloud management platform for enclave instance
US11777938B2 (en) Gatekeeper resource to protect cloud resources against rogue insider attacks
CN114329534A (en) Authority determination method and device, computer equipment and computer readable storage medium
CN112367347B (en) Encryption equipment access method, device and computer readable storage medium
CN113765876B (en) Report processing software access method and device
CN114021094B (en) Remote server login method, electronic device and storage medium
CN112395021B (en) Power metering equipment application software loading control method and device
US11711366B2 (en) Scalable onboarding for internet-connected devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination