CN113364800A - Resource access control method, device, electronic equipment and medium - Google Patents


Info

Publication number
CN113364800A
Authority
CN
China
Prior art keywords
resource
target
acl
access request
vpn
Prior art date
Legal status
Pending
Application number
CN202110696512.6A
Other languages
Chinese (zh)
Inventor
张国兴
张中鑫
王京烁
范雪俭
孙峰
鲍晓玲
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a resource access control method, apparatus, electronic device, and medium; wherein, the method comprises the following steps: receiving a login request sent by a Virtual Private Network (VPN) client, wherein the login request comprises account identification and authentication information of a login account; after the login account is authenticated according to the authentication information, confirming authorized target resources of the login account according to the account identifier and a preset intranet resource authorization rule; determining a target Access Control List (ACL) of the login account according to the target resource, wherein the target ACL comprises identification information of the target resource and an enabling rule of the target resource; sending a target ACL to the VPN client; and receiving a target access request sent by the VPN client. The embodiment of the disclosure improves the refinement degree of intranet resource access control management, and the configuration flexibility and the usability of a specific scene.

Description

Resource access control method, device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of network communications, and in particular, to a resource access control method, apparatus, electronic device, and medium.
Background
Mobile office work has become a general demand. Through Virtual Private Network (VPN) technology, mobile office personnel can securely access intranet resources from outside the intranet, but the intranet resources that different office personnel may access differ. With the rapid growth in the number of intranet resources and mobile office personnel, and with a network environment that changes in real time, how to perform efficient and flexible access control management of intranet resources is an important problem for current VPN technology.
In the prior art, a Role-Based Access Control (RBAC) model is generally used to perform access control management on an accessing user, so that the user can access pre-authorized resources.
In the prior art, the RBAC model mainly considers restricting the authority of a person: a role is created first, the resources accessible to that role are associated with it, and an appropriate role is then associated with each user. When the number of users, roles and resources is large, the association relationships become complex, and their configuration lacks flexibility in some scenarios. For example, when a sudden network security incident occurs and the access right of all users to a specific resource must be removed quickly for a specific time period, the association relationships between users, roles and that resource must be removed quickly, and then reconfigured according to the original associations after the incident is over. For another example, some resources need not be accessible outside office hours and should be closed then and reopened during office hours to reduce the risk of resource exposure; the prior art must periodically establish and remove the association relationships between users, roles and resources to achieve this, and when the number of users, roles and resources is large, the workload is huge and errors occur easily. It can be seen that the prior art cannot independently control the enabling conditions of intranet resources, the refinement degree of intranet resource access control management is low, and the configuration flexibility and usability in specific scenarios are poor.
Disclosure of Invention
To solve the technical problem or at least partially solve the technical problem, the present disclosure provides a resource access control method, apparatus, electronic device, and medium.
In a first aspect, the present disclosure provides a resource access control method, including:
receiving a login request sent by a Virtual Private Network (VPN) client, wherein the login request comprises account identification and authentication information of a login account;
after the login account is authenticated according to the authentication information, confirming authorized target resources of the login account according to the account identification and a preset intranet resource authorization rule;
determining a target Access Control List (ACL) of the login account according to the target resource, wherein the target ACL comprises identification information of the target resource and an enabling rule of the target resource;
sending the target ACL to the VPN client so that the VPN client filters the resource access request received by the VPN client according to the identification information of the target resource in the target ACL to obtain a to-be-selected access request for accessing the target resource, and filters the to-be-selected access request according to the enabling rule of the target resource to obtain the target access request according with the enabling rule of the target resource;
and receiving a target access request sent by the VPN client.
In a second aspect, the present disclosure provides a resource access control method, including:
sending a login request to a VPN gateway, wherein the login request comprises account identification and authentication information of a login account;
receiving a target ACL sent by the VPN gateway;
filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL, and acquiring a to-be-selected access request for accessing the target resource;
filtering the access request to be selected according to the enabling rule of the target resource to obtain the target access request which accords with the enabling rule of the target resource;
and sending the target access request to the VPN gateway.
In a third aspect, the present disclosure provides a resource access control apparatus, including:
a receiving module, configured to receive a login request sent by a Virtual Private Network (VPN) client, wherein the login request comprises account identification and authentication information of a login account;
the determining module is used for confirming the authorized target resource of the login account according to the account identifier and a preset intranet resource authorization rule after the login account is authenticated according to the authentication information;
the determining module is further configured to determine a target access control list ACL of the login account according to the target resource, where the target ACL includes identification information of the target resource and an enabling rule of the target resource;
a sending module, configured to send the target ACL to the VPN client, so that the VPN client filters a resource access request received by the VPN client according to identification information of a target resource in the target ACL, obtains a candidate access request for accessing the target resource, and filters the candidate access request according to an enabling rule of the target resource, so as to obtain a target access request conforming to the enabling rule of the target resource;
and the receiving module is also used for receiving the target access request sent by the VPN client.
In a fourth aspect, the present disclosure provides a resource access control apparatus, including:
a sending module, configured to send a login request to a VPN gateway, wherein the login request comprises account identification and authentication information of a login account;
the receiving module is used for receiving the target ACL sent by the VPN gateway;
the filtering module is used for filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL to obtain a to-be-selected access request for accessing the target resource;
the determining module is used for filtering the access request to be selected according to the enabling rule of the target resource and obtaining the target access request which accords with the enabling rule of the target resource;
and the sending module is also used for sending the target access request to the VPN gateway.
In a fifth aspect, the present disclosure also provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the resource access control method according to any one of the embodiments of the present invention.
In a sixth aspect, the present disclosure also provides a computer-readable storage medium on which a computer program is stored, which when executed by a processor, implements the resource access control method according to any one of the embodiments of the present invention.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages:
the ACL containing the enabling rule is preset for each intranet resource in advance, and the ACL of the authorized resource is pushed to the VPN client only, so that the independent control of the enabling condition of the intranet resource is realized while the access control of account authority dimension is realized. The refinement degree of intranet resource access control management is improved, and the configuration flexibility and the usability of a specific scene are improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a resource access control method provided by an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another resource access control method provided by the embodiment of the present disclosure;
FIG. 3 is a schematic diagram of data interaction provided by embodiments of the present disclosure;
fig. 4 is a schematic flowchart of a resource access control apparatus according to an embodiment of the present disclosure;
fig. 5 is a schematic flowchart of another resource access control apparatus provided in the embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a schematic flowchart of a resource access control method according to an embodiment of the present disclosure. The present embodiment is applicable to a case where the VPN gateway transmits the ACL information associated with the visitor to the VPN client. The method of the embodiment can be executed by a resource access control device, which can be implemented in a hardware/software manner and can be configured in an electronic device; wherein the electronic device may comprise a VPN gateway. The resource access control method described in any embodiment of the present application can be implemented. As shown in fig. 1, the method specifically includes the following steps:
s110, receiving a login request sent by the VPN client, wherein the login request comprises account identification and authentication information of a login account.
In this embodiment, the VPN client is a client that uses the Secure Sockets Layer (SSL) protocol and supports a user accessing intranet resources through an external network, so that the user can access the intranet resources safely from outside without creating a potential security hazard for the intranet resources. The VPN client can be installed on a terminal device, and the terminal device can be a smart device such as a computer or a tablet computer.
The account identifier of the login account may be an account name of the login account, and the authentication information may be an account password of the login account registered on the VPN client.
And S120, after the login account is authenticated according to the authentication information, confirming the authorized target resource of the login account according to the account identifier and the preset intranet resource authorization rule.
In this embodiment, the VPN gateway needs to authenticate the login user of the VPN client to determine that the identity information of the resource visitor is legal, thereby reducing the probability of malicious access and leakage of the resource.
The intranet resource authorization rule may be an account-resource association rule, or an account-role-resource association rule of the RBAC model. This embodiment is not limited to this.
The target resources authorized for the login account are the resources that the login account can access on the server connected to the VPN gateway.
S130, determining a target Access Control List (ACL) of the login account according to the target resource, wherein the target ACL comprises identification information of the target resource and an enabling rule of the target resource.
In this embodiment, the VPN gateway may select, from a predetermined candidate Access Control List (ACL), an ACL having an association relationship with a target resource as a target Access Control List ACL of the login account.
The identification information of the target resource may be a name, or a number, or a combination of the name and the number of the target resource. The enabling rule of the target resource includes an accessible period of the target resource. Outside the accessible period, the target resource is not accessible by any user.
S140, sending the target ACL to the VPN client so that the VPN client filters the resource access request received by the VPN client according to the identification information of the target resource in the target ACL to obtain a to-be-selected access request for accessing the target resource, and filters the to-be-selected access request according to the enabling rule of the target resource to obtain the target access request according with the enabling rule of the target resource.
In this embodiment, the target ACL enables the VPN client to filter the resource access requests it receives, so that multiple rounds of screening of resource access requests are performed on the VPN client side. This avoids invalid resource access requests entering the tunnel and reducing tunnel utilization.
S150, receiving a target access request sent by the VPN client.
In this embodiment, after the VPN client filters the received resource access request, the filtered target access request is sent to the VPN gateway, so that the VPN gateway sends the target access request to the server, thereby obtaining the target resource.
When a user needs to access intranet resources of the company through an extranet network, a resource access request of the intranet resources can be sent to the VPN gateway through logging in the VPN client, the VPN gateway sends the resource access request to the server, the intranet resources returned by the server are sent to the VPN client, and the VPN client displays the intranet resources to the user.
It should be noted that the VPN client may send the encrypted target resource access request to the VPN gateway, and the VPN gateway decrypts the received encrypted target resource access request, forwards the decrypted target resource access request to the server, and obtains the target intranet resource to be accessed according to the response information of the server.
Correspondingly, after receiving the target intranet resources sent by the server, the VPN gateway can encrypt the target intranet resources and send the encrypted target intranet resources to the VPN client through the SSL VPN tunnel. Therefore, the transmission security of the intranet resources is improved.
The method and the device preset an ACL containing an enabling rule for each intranet resource in advance, and push only the ACLs of the authorized resources to the VPN client, so that independent control of the enabling condition of each intranet resource is achieved while access control in the account authority dimension is realized. The refinement degree of intranet resource access control management is improved, and the configuration flexibility and usability in specific scenarios are improved.
In this embodiment, optionally, before determining the target access control list ACL of the login account according to the target resource, the method of this embodiment further includes:
when any intranet resource is configured, an access control list ACL is configured for that intranet resource, and the ACL of the intranet resource comprises identification information and an enabling rule of that intranet resource.
In this embodiment, the VPN gateway configures an access control list ACL for each intranet resource, so that resource management of each intranet resource is explicitly divided. The configuration time of the ACL associated with each intranet resource is variable, and a configuration person can update the configuration time of the ACL associated with each intranet resource in real time according to actual requirements, so that the ACL of the intranet resources has stronger timeliness.
It should be noted that each intranet resource corresponds to one access control list. Therefore, independent division of intranet resources is achieved, and the problem of redundant storage of resources is solved.
In this embodiment, optionally, the ACL of any intranet resource further includes the last modification time of the ACL;
after sending the target ACL to the VPN client, the method of this embodiment further includes:
recording the sending time of sending the target ACL to the VPN client;
and when the last modification time of the target ACL is later than the sending time, resending the target ACL to the VPN client and updating the sending time.
In this embodiment, since the resource publisher may modify a resource published on the server at irregular intervals, the configuration time of the ACL corresponding to that resource may then be modified again, thereby ensuring the timeliness of the resource.
When the last modification time of the target ACL is detected to be later than the sending time, the target ACL received by the VPN client has not been updated, and the VPN gateway needs to resend the modified target ACL to the VPN client so that the VPN client can synchronize the relevant information in time. Therefore, real-time modification and real-time effect of the ACL can be guaranteed, and the reliability of filtering and the flexibility of configuration are further improved.
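The gateway-side steps S110 to S140 and the ACL resend rule above, written out as a runnable walkthrough. This is an added example, not code from the patent or from Topsec's products: the class and function names, the PBKDF2-based account store, the per-resource ACL layout (name, URL, accessible period, last modification time), the fake clock and the sample accounts and resources are all constructed here as assumptions.

```python
"""Gateway side of the ACL push flow (constructed example; all names are hypothetical)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Callable, Dict, List, Optional, Tuple
import hashlib
import hmac
import os


@dataclass
class ResourceACL:
    """Exactly one ACL per intranet resource: identification information plus enabling rule."""
    name: str                    # identification information: resource name
    url: str                     # identification information: resource URL
    period: Tuple[time, time]    # enabling rule: accessible period (start, end), end exclusive
    last_modified: datetime      # last modification time of this ACL


class FakeClock:
    """Constructed stand-in for the gateway system clock so the walkthrough is deterministic."""

    def __init__(self, now: datetime) -> None:
        self.now = now

    def __call__(self) -> datetime:
        return self.now

    def advance(self, **delta) -> None:
        self.now += timedelta(**delta)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class VPNGateway:
    """Authenticate the login account, confirm its target resources, push and resync the target ACL."""

    def __init__(self, accounts: Dict[str, Tuple[bytes, bytes]],
                 authz_rule: Dict[str, List[str]],
                 acls: Dict[str, ResourceACL],
                 clock: Callable[[], datetime]) -> None:
        self.accounts = accounts      # account name -> (salt, PBKDF2 digest); no plaintext passwords
        self.authz_rule = authz_rule  # intranet resource authorization rule: account -> resource names
        self.acls = acls              # one ACL per intranet resource, keyed by resource name
        self.clock = clock            # gateway system time (also the reference time for filtering)
        self.sent_at: Dict[str, datetime] = {}  # account -> time its target ACL was last sent

    def authenticate(self, account: str, password: str) -> bool:
        record = self.accounts.get(account)
        if record is None:
            _pbkdf2(password, b"\x00" * 16)  # keep timing similar for unknown accounts
            return False
        salt, digest = record
        return hmac.compare_digest(_pbkdf2(password, salt), digest)

    def target_acl(self, account: str) -> List[ResourceACL]:
        """S120/S130: the ACLs of the resources the authorization rule grants to the account."""
        return [self.acls[n] for n in self.authz_rule.get(account, []) if n in self.acls]

    def login(self, account: str, password: str) -> Optional[List[ResourceACL]]:
        """S110-S140: authenticate, then push the target ACL and record the sending time."""
        if not self.authenticate(account, password):
            return None
        acl = self.target_acl(account)
        self.sent_at[account] = self.clock()
        return acl

    def update_period(self, resource: str, start: str, end: str) -> None:
        """Reconfigure a resource's enabling rule ("HH:MM"); stamps the ACL's last modification time."""
        self.acls[resource].period = (time.fromisoformat(start), time.fromisoformat(end))
        self.acls[resource].last_modified = self.clock()

    def acl_needs_resend(self, account: str) -> bool:
        """True when any ACL in the account's target ACL was modified after it was last sent."""
        sent = self.sent_at.get(account)
        return sent is not None and any(r.last_modified > sent for r in self.target_acl(account))

    def resend_if_modified(self, account: str) -> Optional[List[ResourceACL]]:
        """Resend the target ACL and refresh the sending time only when something changed."""
        if not self.acl_needs_resend(account):
            return None
        self.sent_at[account] = self.clock()
        return self.target_acl(account)


def build_demo_gateway() -> Tuple[VPNGateway, FakeClock]:
    """Constructed sample data (not from the patent): two accounts, three resources."""
    clock = FakeClock(datetime(2021, 6, 21, 9, 0))
    configured = datetime(2021, 6, 20, 18, 0)
    acls = {
        "wiki": ResourceACL("wiki", "https://wiki.corp.example/", (time(8, 0), time(20, 0)), configured),
        "git": ResourceACL("git", "https://git.corp.example/", (time(6, 0), time(22, 0)), configured),
        "hr": ResourceACL("hr", "https://hr.corp.example/", (time(9, 0), time(18, 0)), configured),
    }
    accounts = {}
    for name, password in (("alice", "alice-pass"), ("bob", "bob-pass")):
        salt = os.urandom(16)
        accounts[name] = (salt, _pbkdf2(password, salt))
    authz_rule = {"alice": ["wiki", "git"], "bob": ["hr"]}
    return VPNGateway(accounts, authz_rule, acls, clock), clock
```

The resend check compares each ACL's last modification time with the sending time recorded per account, so a change to one resource's enabling rule is pushed only to accounts whose target ACL contains that resource, and a second call after the resend reports nothing further to send.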
Fig. 2 is a schematic flowchart of a resource access control method according to an embodiment of the present disclosure. The embodiment can be applied to the condition that the VPN client determines the resource access request according to the ACL information of the authorized resources of the target account provided by the VPN gateway. The method of the embodiment can be executed by a resource access control device, which can be implemented in a hardware/software manner and can be configured in an electronic device; wherein the electronic device may comprise a VPN client. The resource access control method described in any embodiment of the present application can be implemented. As shown in fig. 2, the method specifically includes the following steps:
s210, sending a login request to the VPN gateway, wherein the login request comprises account identification and authentication information of a login account.
In this embodiment, when the VPN client detects that a user logs in, it sends a login request to the VPN gateway, so that the VPN gateway can perform identity verification on the account identifier of the login account according to the authentication information of the login account.
And S220, receiving the target ACL sent by the VPN gateway.
In this embodiment, the VPN client may perform data interaction through a communication connection with the VPN gateway, so as to receive the target ACL sent by the VPN gateway.
The target ACL information may include an identification of an accessible authorized resource of the login account and an accessible period of the authorized resource.
S230, filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL, and obtaining the access request to be selected for accessing the target resource.
In this embodiment, the VPN gateway may filter the resource access request according to the target ACL to obtain a candidate access request for accessing the target resource. Specifically, the VPN gateway may filter, from the resource access requests, resource access requests that are not associated with the identification information of the target resource, to obtain candidate access requests for accessing the target resource.
When receiving a resource access request sent by a login account, the VPN client can screen the resource access request using the ACL information associated with the authorized resources of the login account, as sent by the VPN gateway, so that an invalid access request does not enter the tunnel and reduce tunnel utilization. The VPN client obtains the target ACL associated with the authorized resources of the login account through its information exchange with the VPN gateway, so the authorized resources of the login account are known reliably, and the delay in information reaching the VPN client that would otherwise arise when related personnel have to modify the association between authorized resources and access accounts in an emergency is avoided.
S240, filtering the access request to be selected according to the enabling rule of the target resource, and obtaining the target access request which accords with the enabling rule of the target resource.
In this embodiment, after the resource access request received by the VPN client is filtered once by using the identification information of the target resource, the selected access request may be filtered twice according to the enabling rule of the target resource, so as to obtain an effective target access request.
In this embodiment, the system time of the VPN gateway is used instead of the system time of the VPN client or of the terminal device where the VPN client is located. This prevents a hacker who modifies the system time of the VPN client or of its terminal device from bypassing the restriction and filtering of the resource-accessible time, and improves the stability and security of the filtering.
And S250, sending a target access request to the VPN gateway.
In this embodiment, after determining the target access request of the login account, the VPN client sends the target access request to the VPN gateway, so that the VPN gateway sends the target access request to the server to obtain the target resource.
The method of the embodiment may further include: sending response information of the resource access request to the terminal equipment; the response information of the resource access request comprises the identifier of the filtered resource access request, and the terminal device is the device where the VPN client is located.
In this embodiment, after receiving the resource access requests triggered on the terminal device, the VPN client filters these resource access requests and obtains the response information of the resource access requests. The VPN client feeds the filtering result back to the terminal device, so that the login user on the terminal device can learn the audit result of the sent resource access requests in time.
According to the embodiment of the disclosure, the system time of the VPN gateway can be used instead of the system time of the VPN client or of the terminal device where the VPN client is located. This prevents a hacker who modifies the system time of the VPN client or of its terminal device from bypassing the restriction and filtering of the resource-accessible time, and improves the stability and security of the filtering.
In this embodiment, optionally, the method of this embodiment further includes:
and receiving the target ACL retransmitted by the VPN gateway.
In this embodiment, after updating the target ACL, the VPN gateway resends the updated target ACL to the VPN client, so that the VPN client can obtain the updated target ACL, and thus, multiple times of filtering of multiple received resource access requests can be performed by using the new target ACL, and the filtering accuracy of the resource access requests can be further improved.
In this embodiment, optionally, the identification information of the target resource includes uniform resource locator URL information, and the enabling rule includes an accessible time period of any intranet resource;
filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL, wherein the resource access request comprises the following steps:
filtering a resource access request received by the VPN client according to URL information of target resources in the target ACL;
filtering the access request to be selected according to the enabling rule of the target resource, wherein the filtering comprises the following steps:
and filtering the access requests to be selected according to whether the current system time of the VPN gateway matches the accessible time period of the target resource.
In this embodiment, the VPN client blocks a resource access request associated with URL information that is not a target resource, and obtains a candidate access request for accessing the target resource.
The VPN client can filter out the access requests to be selected whose target resource has an accessible time period that does not match the current system time, so that target access requests with high accuracy are obtained and the target access requests sent to the VPN gateway are valid and usable.
In this embodiment, optionally, filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL includes:
acquiring a driver-layer data packet of the resource access request from the network card driver layer of the terminal device where the VPN client is located;
parsing the driver-layer data packet of the resource access request into a resource access request in application-layer format;
and filtering the resource access request in application-layer format according to the identification information of the target resource in the target ACL.
In this embodiment, when filtering resource access requests, the VPN client acquires, parses and filters them at the network card driver layer of the terminal device: it filters out the resource access requests that do not hit the identification information of any target resource in the target ACL and keeps those that do.
In this embodiment, because the VPN client performs the filtering at the network card driver layer of the terminal device, and the resource access request is acquired, parsed, matched and blocked at the driver layer, an attacker cannot circumvent filtering performed at the application layer to access unauthorized resources, and the reliability of the filtering is improved.
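As an added illustration (not code from the patent), the following Python models the client-side filter just described: an HTTP request captured at the driver layer is parsed into a URL, matched against the target ACL, and then checked against the accessible time period using the gateway's clock rather than the terminal's. The ACL layout, the host-plus-path-prefix matching rule, the sample hosts and the assumption that the driver layer hands over the TCP payload are all constructed for this example.

```python
"""Client-side filter from this section: stage 1 hits the request URL against the
target ACL, stage 2 checks the accessible time period against the gateway's clock."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AclRule:
    """Identification information (URL) plus the enabling rule, modelled as a weekly
    accessible period: allowed weekdays (0 = Monday) and a daily time window."""
    url: str
    weekdays: frozenset
    start: time
    end: time


def parse_driver_packet(payload: bytes) -> Optional[str]:
    """Parse a captured HTTP request into an absolute URL. Assumption: the driver
    layer hands over the TCP payload with link, IP and TCP headers already stripped.
    Returns None for anything that is not a well-formed HTTP request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1].split("?", 1)[0]  # the query string plays no role in matching
    if target.startswith(("http://", "https://")):
        return target  # absolute-form request target already names the host
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    if not host or not target.startswith("/"):
        return None
    return f"http://{host}{target}"


def match_rule(url: str, acl) -> Optional[AclRule]:
    """Return the ACL rule whose URL identifies this request, or None when no rule
    is hit. Assumption: a rule covers its exact host and every path under its path."""
    req = urlsplit(url)
    for rule in acl:
        ref = urlsplit(rule.url)
        if req.netloc.lower() == ref.netloc.lower() and req.path.startswith(ref.path):
            return rule
    return None


def in_period(rule: AclRule, gateway_now: datetime) -> bool:
    """Enabling-rule check driven by the gateway's system time, so a tampered
    terminal clock cannot widen the accessible period."""
    return (gateway_now.weekday() in rule.weekdays
            and rule.start <= gateway_now.time() <= rule.end)


def filter_requests(packets, acl, gateway_now: datetime):
    """Returns (candidates, targets, blocked): candidates hit a target-resource URL,
    targets are candidates inside their accessible period, and blocked pairs each
    rejected URL (None if unparsable) with the reason."""
    candidates, targets, blocked = [], [], []
    for payload in packets:
        url = parse_driver_packet(payload)
        rule = match_rule(url, acl) if url else None
        if rule is None:
            blocked.append((url, "no ACL rule hit"))
            continue
        candidates.append(url)
        if in_period(rule, gateway_now):
            targets.append(url)
        else:
            blocked.append((url, "outside accessible time period"))
    return candidates, targets, blocked


# Constructed sample data, not taken from the patent: the client's target ACL ...
WORKDAYS = frozenset(range(5))
SAMPLE_ACL = (
    AclRule("http://oa.corp.example/", WORKDAYS, time(9, 0), time(18, 0)),
    AclRule("http://finance.corp.example/", WORKDAYS, time(9, 0), time(12, 0)),
)
# ... and three requests as captured at the network card driver layer.
SAMPLE_PACKETS = (
    b"GET /report?id=7 HTTP/1.1\r\nHost: oa.corp.example\r\n\r\n",
    b"POST /ledger HTTP/1.1\r\nHost: finance.corp.example\r\nContent-Length: 0\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: hr.corp.example\r\n\r\n",
)
# Gateway clock values: 2021-06-28 is a Monday, 2021-06-27 a Sunday.
GATEWAY_NOW = datetime(2021, 6, 28, 15, 0)      # inside OA window, after finance window
GATEWAY_MORNING = datetime(2021, 6, 28, 10, 0)  # inside both windows
GATEWAY_SUNDAY = datetime(2021, 6, 27, 10, 0)   # outside both (not a workday)
```

Calling `filter_requests(SAMPLE_PACKETS, SAMPLE_ACL, GATEWAY_NOW)` keeps only the OA request; the finance request is a candidate but falls outside its window, and the HR request hits no rule.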
Fig. 3 provides an interaction diagram of the VPN client and the VPN gateway, which includes:
S1, the VPN client receives the user's login information.
S2, the VPN gateway configures resource information, where each piece of resource information includes the name information and URL information of a resource; optionally, a resource group may be configured for multiple resources.
The VPN gateway can place multiple pieces of resource information in one resource group and configure the resource information for the resource group. In this embodiment, the number of pieces of resource information in one resource group is not limited.
S3, the VPN gateway configures users and roles, and configures the association between roles and resources/resource groups and the association between roles and users.
S4, the VPN gateway configures ACL rules, where each ACL rule includes the identification information of the resource, accessible time period information and the last configuration time.
Here the last configuration time is the last update time of the ACL rule, and the accessible time period information may be configured as a weekly or yearly accessible time period.
S5, the VPN client sends a login request to the VPN gateway.
S6, after the user is authenticated successfully, the VPN gateway queries the association between the user and roles and the association between roles and resources/resource groups, and determines the user's authorized resource list.
S7, the VPN gateway determines the user's ACL rule set according to the user's authorized resource list; the ACL rule set contains the ACL rule of each resource the user is authorized for.
S8, the VPN gateway responds to the login request and sends the ACL rule set to the VPN client.
S9, the VPN gateway records the sending time of the ACL rule set; when the last update time of any ACL rule in the ACL rule set is later than the sending time, that ACL rule is sent to the VPN client again.
S10, when it detects that the user accesses an intranet resource, the VPN client acquires and parses the resource access request from the network card driver layer.
The execution order of S9 and S10 is not limited.
S11, the VPN client matches the URL obtained by parsing against the URLs in the ACL rules, blocks resource access requests that do not hit any ACL rule, matches the accessible time period of the hit ACL rule against the system time of the VPN gateway, and filters out candidate resource access requests that do not satisfy the accessible time period.
That is, the VPN client compares the parsed URL of each resource access request with the URLs in the ACL rules one by one, blocks requests that hit no ACL rule to obtain candidate resource access requests, then checks the accessible time period of the hit ACL rule against the system time of the VPN gateway, filters out candidates that fall outside that period, and obtains the filtered resource access requests.
S12, the VPN client VPN-encrypts the filtered resource access request.
S13, the VPN client sends the VPN-encrypted, filtered resource access request to the VPN gateway.
S14, the VPN gateway receives the VPN-encrypted, filtered resource access request sent by the VPN client and performs VPN decryption.
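As an added example (not the patent's own code), the following Python models the gateway side of steps S3 to S9: resolving a user's authorized resources through roles and resource groups, building the ACL rule set pushed at login, recording its sending time, and resending any rule whose last configuration time is later than that sending time. The data model, the hashed-credential check and all user, role and resource names are constructed assumptions.

```python
"""Gateway side of the Fig. 3 exchange: resolve a user's authorized resources through
roles and resource groups (S3, S6), build the ACL rule set (S7, S8), record the sending
time and resend rules whose last configuration time is later than it (S4, S9)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, time
from hashlib import sha256
from hmac import compare_digest
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class AclRule:
    """S4: identification information, accessible time period, last configuration time."""
    url: str
    weekdays: frozenset
    start: time
    end: time
    last_modified: datetime


@dataclass
class Gateway:
    """Constructed gateway state (an assumption, not the patent's own data model)."""
    credentials: Dict[str, str] = field(default_factory=dict)  # user -> sha256 hex
    resources: Dict[str, str] = field(default_factory=dict)  # S2: name -> URL
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # S2: group -> names
    role_grants: Dict[str, Set[str]] = field(default_factory=dict)  # S3: role -> names/groups
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)  # S3: user -> roles
    acl_rules: Dict[str, AclRule] = field(default_factory=dict)  # S4: name -> rule
    sent_at: Dict[str, datetime] = field(default_factory=dict)  # S9: user -> send time

    def authenticate(self, user: str, secret: str) -> bool:
        """Constant-time digest comparison (constructed scheme; the patent does not
        specify how the authentication information is verified)."""
        stored = self.credentials.get(user)
        digest = sha256(secret.encode()).hexdigest()
        return stored is not None and compare_digest(stored, digest)

    def authorized_resources(self, user: str) -> Set[str]:
        """S6: user -> roles -> resources/resource groups -> resource names."""
        names: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            for grant in self.role_grants.get(role, set()):
                if grant in self.groups:
                    names |= self.groups[grant]
                elif grant in self.resources:
                    names.add(grant)
        return names

    def rule_set(self, user: str) -> Dict[str, AclRule]:
        """S7: one ACL rule per authorized resource; unauthorized ones are never pushed."""
        return {n: self.acl_rules[n] for n in sorted(self.authorized_resources(user))
                if n in self.acl_rules}

    def login(self, user: str, secret: str, now: datetime) -> Optional[Dict[str, AclRule]]:
        """S5-S9: on successful authentication return the rule set and record the
        sending time; None when authentication fails."""
        if not self.authenticate(user, secret):
            return None
        rules = self.rule_set(user)
        self.sent_at[user] = now
        return rules

    def update_rule(self, name: str, modified: datetime, **changes) -> None:
        """S4 reconfiguration: apply field changes and stamp the new configuration time."""
        self.acl_rules[name] = replace(self.acl_rules[name], last_modified=modified, **changes)

    def stale_rules(self, user: str, now: datetime) -> Dict[str, AclRule]:
        """S9: rules modified after the recorded sending time are resent, and the
        sending time is refreshed whenever something is resent."""
        sent = self.sent_at.get(user)
        if sent is None:
            return {}
        stale = {n: r for n, r in self.rule_set(user).items() if r.last_modified > sent}
        if stale:
            self.sent_at[user] = now
        return stale


WORKDAYS = frozenset(range(5))
T0 = datetime(2021, 6, 1, 9, 0)    # initial configuration time (constructed)
T1 = datetime(2021, 6, 28, 9, 0)   # login, i.e. sending time of the rule set
T2 = datetime(2021, 6, 28, 11, 0)  # finance rule reconfigured
T3 = datetime(2021, 6, 28, 11, 5)  # next resend check


def build_demo_gateway() -> Gateway:
    """Constructed configuration: three resources, one group, two roles, one user."""
    gw = Gateway()
    gw.credentials["alice"] = sha256(b"demo-secret").hexdigest()
    gw.resources.update({"oa": "http://oa.corp.example/",
                         "finance": "http://finance.corp.example/",
                         "hr": "http://hr.corp.example/"})
    gw.groups["office"] = {"oa", "finance"}
    gw.role_grants.update({"clerk": {"office"}, "admin": {"hr"}})
    gw.user_roles["alice"] = {"clerk"}
    for name, url in gw.resources.items():
        gw.acl_rules[name] = AclRule(url, WORKDAYS, time(9, 0), time(18, 0), T0)
    return gw
```

With `build_demo_gateway()`, alice's login at T1 yields rules for oa and finance only; after `update_rule("finance", T2)` a resend check at T3 returns just the finance rule and moves the sending time to T3, so a second check returns nothing.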
Compared with the prior art, the technical solution provided by the embodiment of the disclosure has the following advantages:
On the one hand, an ACL containing an enabling rule is preset for each intranet resource, and only the ACLs of authorized resources are pushed to the VPN client, so that independent control of the enabling conditions of intranet resources is achieved alongside access control in the account-permission dimension. This improves the granularity of intranet resource access control management, and the configuration flexibility and usability in specific scenarios.
On the other hand, the embodiment of the disclosure ensures real-time modification and real-time effect of the ACL by comparing the ACL sending time with the ACL modification time, which further improves the reliability of the filtering and the flexibility of the configuration.
On the other hand, the system time of the VPN gateway is used instead of the system time of the VPN client or of the terminal device where the VPN client is located, so that an attacker cannot bypass the restriction and filtering of the resource accessible time by modifying the system time of the VPN client or of its terminal device, and the stability and security of the filtering are improved.
On the other hand, the VPN client performs the filtering at the network card driver layer of the terminal device, where the resource access request is acquired, parsed, matched and blocked, so that an attacker cannot circumvent filtering performed at the application layer to access unauthorized resources, and the reliability of the filtering is improved.
Fig. 4 is a schematic structural diagram of a resource access control apparatus according to an embodiment of the present disclosure; the apparatus is configured in an electronic device and can implement the resource access control method of any embodiment of the application. The apparatus specifically comprises the following modules:
a receiving module 410, configured to receive a login request sent by a VPN client, where the login request includes an account identifier and authentication information of a login account;
the determining module 420 is configured to, after the login account is authenticated according to the authentication information, determine, according to the account identifier and a preset intranet resource authorization rule, a target resource for which the login account is authorized;
the determining module 420 is further configured to determine a target access control list ACL of the login account according to the target resource, where the target ACL includes identification information of the target resource and an enabling rule of the target resource;
a sending module 430, configured to send the target ACL to the VPN client, so that the VPN client filters a resource access request received by the VPN client according to identification information of a target resource in the target ACL, obtains a candidate access request for accessing the target resource, and filters the candidate access request according to an enabling rule of the target resource, to obtain a target access request meeting the enabling rule of the target resource;
the receiving module 410 is further configured to receive a target access request sent by the VPN client.
In this embodiment, optionally, the apparatus of this embodiment further includes: a configuration module;
the configuration module is used for configuring an access control list ACL for any intranet resource when any intranet resource is configured, wherein the ACL of any intranet resource comprises identification information and an enabling rule of any intranet resource.
In this embodiment, optionally, the ACL of any intranet resource further includes the last modification time of the ACL; the device of the embodiment further comprises: a recording module;
the recording module is used for recording the sending time of the target ACL sent to the VPN client;
the sending module 430 is further configured to, when the last modification time of the target ACL is later than the sending time, resend the target ACL to the VPN client and update the sending time.
According to the resource access control apparatus provided by the embodiment of the invention, an ACL containing an enabling rule is preset for each intranet resource, and only the ACLs of authorized resources are pushed to the VPN client, so that independent control of the enabling conditions of intranet resources is achieved alongside access control in the account-permission dimension. This improves the granularity of intranet resource access control management, and the configuration flexibility and usability in specific scenarios.
The resource access control device provided by the embodiment of the invention can execute the resource access control method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 5 is a schematic structural diagram of a resource access control apparatus according to an embodiment of the present disclosure; the apparatus is configured in an electronic device and can implement the resource access control method of any embodiment of the application. The apparatus specifically comprises the following modules:
a sending module 510, configured to send a login request to a VPN gateway, where the login request includes an account identifier and authentication information of a login account;
a receiving module 520, configured to receive a target ACL sent by the VPN gateway;
a filtering module 530, configured to filter, according to the identification information of the target resource in the target ACL, the resource access request received by the VPN client, and obtain a candidate access request for accessing the target resource;
a determining module 540, configured to filter the candidate access request according to the enabling rule of the target resource, and obtain a target access request conforming to the enabling rule of the target resource;
the sending module 510 is further configured to send the target access request to the VPN gateway.
In this embodiment, optionally, the receiving module 520 is further configured to receive the target ACL retransmitted by the VPN gateway.
In this embodiment, optionally, the identification information of the target resource includes uniform resource locator (URL) information, and the enabling rule includes the accessible time period of the intranet resource;
the filtering module 530 is specifically configured to:
filter the resource access request received by the VPN client according to the URL information of the target resource in the target ACL;
and the determining module 540 is specifically configured to:
filter the candidate access request by matching the current system time of the VPN gateway against the accessible time period of the target resource.
In this embodiment, optionally, the filtering module 530 is specifically configured to:
acquiring a driver layer data packet of a resource access request from a network card driver layer of a terminal device where the VPN client is located;
parsing the driver-layer data packet of the resource access request into a resource access request in application-layer format;
and filtering the resource access request in the application layer format according to the identification information of the target resource in the target ACL.
With the resource access control apparatus provided by the embodiment of the invention, the system time of the VPN gateway is used instead of the system time of the VPN client or of the terminal device where the VPN client is located, so that an attacker cannot bypass the restriction and filtering of the resource accessible time by modifying the system time of the VPN client or of its terminal device, and the stability and security of the filtering are improved.
The resource access control device provided by the embodiment of the invention can execute the resource access control method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present disclosure. As shown in fig. 6, the electronic device includes a processor 610, a memory 620, an input device 630, and an output device 640; the number of the processors 610 in the electronic device may be one or more, and one processor 610 is taken as an example in fig. 6; the processor 610, the memory 620, the input device 630, and the output device 640 in the electronic apparatus may be connected by a bus or other means, and fig. 6 illustrates an example of connection by a bus.
The memory 620 is used as a computer-readable storage medium for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the resource access control method in the embodiments of the present invention. The processor 610 executes various functional applications and data processing of the electronic device by executing software programs, instructions and modules stored in the memory 620, that is, implements the resource access control method provided by the embodiment of the present invention.
The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 620 can further include memory located remotely from the processor 610, which can be connected to an electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device, and may include a keyboard, a mouse, and the like. The output device 640 may include a display device such as a display screen.
The embodiment of the disclosure also provides a storage medium containing computer executable instructions, and the computer executable instructions are used for realizing the resource access control method provided by the embodiment of the invention when being executed by a computer processor.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the resource access control method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the apparatus embodiments above, the included units and modules are merely divided according to functional logic and are not limited to the above division as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not used to limit the protection scope of the present invention.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A method for resource access control, the method comprising:
receiving a login request sent by a Virtual Private Network (VPN) client, wherein the login request comprises account identification and authentication information of a login account;
after the login account is authenticated according to the authentication information, confirming authorized target resources of the login account according to the account identification and a preset intranet resource authorization rule;
determining a target Access Control List (ACL) of the login account according to the target resource, wherein the target ACL comprises identification information of the target resource and an enabling rule of the target resource;
sending the target ACL to the VPN client so that the VPN client filters the resource access request received by the VPN client according to the identification information of the target resource in the target ACL to obtain a candidate access request for accessing the target resource, and filters the candidate access request according to the enabling rule of the target resource to obtain a target access request conforming to the enabling rule of the target resource;
and receiving the target access request sent by the VPN client.
2. The method of claim 1, wherein prior to said determining a target Access Control List (ACL) for said login account from said target resource, said method further comprises:
when any intranet resource is configured, an access control list ACL is configured for any intranet resource, wherein the ACL of any intranet resource comprises identification information and an enabling rule of any intranet resource.
3. The method according to claim 2, wherein the ACL for any intranet resource further includes a last modification time of the ACL;
after sending the target ACL to the VPN client, the method further includes:
recording the sending time of the target ACL sent to the VPN client;
and when the last modification time of the target ACL is later than the sending time, resending the target ACL to the VPN client and updating the sending time.
4. A method for resource access control, the method comprising:
sending a login request to a VPN gateway, wherein the login request comprises account identification and authentication information of a login account;
receiving a target ACL sent by the VPN gateway;
filtering a resource access request received by a VPN client according to the identification information of the target resource in the target ACL, and obtaining a candidate access request for accessing the target resource;
filtering the candidate access request according to the enabling rule of the target resource to obtain a target access request conforming to the enabling rule of the target resource;
and sending the target access request to the VPN gateway.
5. The method of claim 4, further comprising:
and receiving the target ACL retransmitted by the VPN gateway.
6. The method according to claim 5, wherein the identification information of the target resource comprises Uniform Resource Locator (URL) information, and the enabling rule comprises an accessible time period of any intranet resource;
the filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL comprises:
filtering the resource access request received by the VPN client according to the URL information of the target resource in the target ACL;
and the filtering the candidate access request according to the enabling rule of the target resource comprises:
filtering the candidate access request by matching the current system time of the VPN gateway against the accessible time period of the target resource.
7. The method of claim 4, wherein the filtering the resource access request received by the VPN client according to the identification information of the target resource in the target ACL comprises:
acquiring a driver-layer data packet of the resource access request from a network card driver layer of a terminal device where the VPN client is located;
parsing the driver-layer data packet of the resource access request into a resource access request in application-layer format;
and filtering the resource access request in application-layer format according to the identification information of the target resource in the target ACL.
8. An apparatus for resource access control, the apparatus comprising:
a receiving module, configured to receive a login request sent by a Virtual Private Network (VPN) client, wherein the login request comprises account identification and authentication information of a login account;
a determining module, configured to confirm, after the login account is authenticated according to the authentication information, the authorized target resource of the login account according to the account identification and a preset intranet resource authorization rule;
the determining module is further configured to determine a target access control list (ACL) of the login account according to the target resource, wherein the target ACL comprises identification information of the target resource and an enabling rule of the target resource;
a sending module, configured to send the target ACL to the VPN client, so that the VPN client filters a resource access request received by the VPN client according to the identification information of the target resource in the target ACL, obtains a candidate access request for accessing the target resource, and filters the candidate access request according to the enabling rule of the target resource to obtain a target access request conforming to the enabling rule of the target resource;
and the receiving module is further configured to receive the target access request sent by the VPN client.
9. An apparatus for resource access control, the apparatus comprising:
a sending module, configured to send a login request to a VPN gateway, wherein the login request comprises account identification and authentication information of a login account;
a receiving module, configured to receive a target ACL sent by the VPN gateway;
a filtering module, configured to filter a resource access request received by the VPN client according to the identification information of the target resource in the target ACL and obtain a candidate access request for accessing the target resource;
a determining module, configured to filter the candidate access request according to the enabling rule of the target resource and obtain a target access request conforming to the enabling rule of the target resource;
and the sending module is further configured to send the target access request to the VPN gateway.
10. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the resource access control method of any one of claims 1 to 3, or the resource access control method of any one of claims 4 to 7.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a resource access control method according to any one of claims 1 to 3, or carries out a resource access control method according to any one of claims 4 to 7.
CN202110696512.6A 2021-06-23 2021-06-23 Resource access control method, device, electronic equipment and medium Pending CN113364800A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110696512.6A CN113364800A (en) 2021-06-23 2021-06-23 Resource access control method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN113364800A true CN113364800A (en) 2021-09-07

Family

ID=77535804

Country Status (1)

Country Link
CN (1) CN113364800A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210907