CN113468591A - Data access method, system, electronic device and computer readable storage medium - Google Patents


Info

Publication number
CN113468591A
Authority
CN
China
Prior art keywords
data
identity information
access
client
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110632705.5A
Other languages
Chinese (zh)
Inventor
赵少东
麦竣朗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202110632705.5A
Publication of CN113468591A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data access method, a system, an electronic device and a computer-readable storage medium. The data access method comprises the following steps: acquiring an access request of a client, wherein the access request comprises identity information; authenticating the identity information to obtain an authentication authority; obtaining access data corresponding to the access request according to the authentication authority; encrypting the access data according to a preset data encryption policy; and sending the encrypted access data to the client. The invention can protect server information, prevent an untrusted user from stealing server information, and improve the security of local information.

Description

Data access method, system, electronic device and computer readable storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data access method, a data access system, an electronic device, and a computer-readable storage medium.
Background
With the rapid development of computer technology and the Internet, and the frequent occurrence of network information security incidents in recent years, the information security problems of computers and servers have gradually permeated various industry fields and become a focus of attention. In order to prevent computer information security incidents in advance and avoid loss, the supervision of computer data has become a key link in guaranteeing computer information security. However, when a client accesses server information, adequate identity authentication is often lacking, so the server information is easily stolen by other unauthorised clients and the risk of information leakage arises.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a data access method, system, electronic device and computer-readable storage medium which can protect server information, prevent an untrusted user from stealing server information, and improve the security of local information.
In order to solve the above technical problem, an embodiment of the present invention provides a data access method, including:
acquiring an access request of a client, wherein the access request comprises identity information;
authenticating the identity information to obtain authentication authority;
obtaining access data corresponding to the access request according to the authentication authority;
encrypting the access data according to a preset data encryption strategy;
and sending the encrypted access data to the client.
Further, the authenticating the identity information to obtain an authentication right includes:
verifying the accuracy of the identity information;
and if the identity information is accurate, acquiring a preset authentication authority corresponding to the client according to the identity information.
Further, the authenticating the identity information to obtain an authentication right includes:
judging whether the identity information is stored in a preset blacklist strategy or not;
and if the identity information is not stored in the blacklist strategy, acquiring a preset authentication authority corresponding to the client according to the identity information.
Further, the authenticating the identity information to obtain an authentication right includes:
judging whether the identity information is stored in a preset white list strategy or not;
and if the identity information is stored in the white list strategy, acquiring a preset authentication authority corresponding to the client according to the identity information.
Further, the data access method further comprises the following steps:
acquiring authentication log information generated according to the authentication of the identity information;
and analyzing the authentication log information according to a preset audit rule to obtain a first audit result.
Further, the data access method further comprises the following steps:
acquiring data log information generated by calling the access data;
and analyzing the data log information according to a preset audit rule to obtain a second audit result.
Further, the data access method further comprises the following steps:
obtaining a key pair in the data encryption strategy, wherein the key pair comprises a decryption private key;
and sending the decryption private key to the client so that the client decrypts the encrypted access data according to the decryption private key.
The present invention also provides a data access system, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring an access request of a client, and the access request comprises identity information;
the authentication module is used for authenticating the identity information to obtain authentication authority;
the calling module is used for acquiring access data corresponding to the access request according to the authentication authority;
the encryption module is used for encrypting the access data according to a preset data encryption strategy;
and the sending module is used for sending the encrypted access data to the client.
The present invention also provides an electronic device comprising:
at least one processor, and,
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions that are executed by the at least one processor to cause the at least one processor to implement the data access method when executing the instructions.
The present invention also provides a computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the data access method.
The embodiment of the invention has the following beneficial effects: by obtaining an access request of a client, authenticating the identity information in it to obtain an authentication authority, obtaining the access data corresponding to the access request according to the authentication authority, encrypting the access data according to a preset data encryption policy, and sending the encrypted access data to the client, server information is protected, an untrusted user is prevented from stealing server information, and the security of local information is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a data access method according to an embodiment of the present invention.
Fig. 2 is a schematic flowchart of step S200 according to an embodiment of the present invention.
Fig. 3 is another specific flowchart of step S200 according to an embodiment of the present invention.
Fig. 4 is a schematic flowchart of another specific process of step S200 according to a first embodiment of the present invention.
FIG. 5 is a diagram of an embodiment of a data access method according to the present invention.
Fig. 6 is a schematic block diagram of a data access system according to a second embodiment of the present invention.
Detailed Description
The following description of the embodiments refers to the accompanying drawings, which are included to illustrate specific embodiments in which the invention may be practiced.
It should be noted that the embodiment of the present invention is explained with a specific example. When a client accesses data information of a server, the client connects through nginx (engine x) and a gateway, which forward the access request to a security system in the server. The security system performs security authentication, auditing and the like on the access request, determines the security of the client according to the authentication result and the audit result, and, once the client is determined to be secure, encrypts the requested access data and returns it to the client. In addition, the server can agree the data encryption policy with a trusted client in advance, that is, the server can send the preset data encryption policy to the trusted client, so that the client can decrypt the encrypted access data according to the received policy and complete the data access process. On the other hand, the development framework of the security system is integrated into the WASF framework, so that security problems such as SQL (Structured Query Language) injection and script injection attacks can be effectively prevented.
Referring to fig. 1, an embodiment of the invention provides a data access method, including:
step S100, obtaining an access request of a client, wherein the access request comprises identity information;
step S200, authenticating identity information to obtain authentication authority;
step S300, obtaining access data corresponding to the access request according to the authentication authority;
s400, encrypting access data according to a preset data encryption strategy;
and step S500, sending the encrypted access data to the client.
In step S100, the server obtains from the client an access request for accessing data, and the access request includes identity information of the client. Specifically, when accessing data information of the server, the client generates a corresponding access request, which is forwarded to the security system in the server through nginx and the gateway connected between the server and the client; that is, the server obtains the access request of the client through the nginx proxy server and the gateway. The access data required by the client can be determined from the access request, and the authentication and authorization of the subsequent steps are performed on that access data by the security system. The identity information is the information in the access request used to identify the client; specifically, it may be stored in a request header of the access request in the form of a token, and the server may read the token from the request header through an API (Application Programming Interface) generated by the security system and use it as the identity information of the client.
In step S200, the acquired identity information is authenticated to obtain the corresponding authentication authority. The authentication authority is obtained by determining, after authenticating the identity information, the degree of trust in it: if the client corresponding to the identity information is determined to be a trusted client, it is granted the corresponding permissions. Specifically, client information, API information, expiry information and the like can be parsed from the identity information TOKEN. The client information identifies the client requesting access to the data; the API information determines whether the client has the authority to call an API of the security system of the server; and the expiry information determines how long the authorization of the request remains valid.
As shown in fig. 2, step S200 specifically includes:
step S211, verifying the accuracy of the identity information;
step S212, if the identity information is accurate, obtaining an authentication right corresponding to the preset client according to the identity information.
In steps S211 and S212, the security system of the server verifies the accuracy of the identity information, that is, it verifies whether the client indicated by the identity information is a client authorised by the security system. If the identity information is verified to be accurate, the authentication authority pre-assigned to the client is obtained according to the identity information; this authority determines that the client has the right to call the API for the access data. If the identity information fails verification, the client is determined to be an unauthorised user without permission to request the data, and its request is rejected. Specifically, the identity information TOKEN is parsed to obtain the client information it carries, which identifies the specific identity of the client, and the security system verifies this client information to determine whether the client is authorised, that is, whether the identity information is accurate.
Referring to fig. 3 again, step S200 further includes:
step S221, judging whether the identity information is stored in a preset blacklist strategy;
in step S222, if the identity information is not stored in the blacklist policy, an authentication right corresponding to a preset client is obtained according to the identity information.
In steps S221 and S222, it is determined whether the identity information is stored in a preset blacklist policy. If it is, the client corresponding to the identity information is determined to be unauthorised and cannot obtain the corresponding authentication authority; if it is not, the client is determined to be authorised by the security system of the server and can obtain the authentication authority. Specifically, the blacklist policy is preset in the security system and stores the API information of unauthorised clients, so that the corresponding clients are determined not to have the authority to call the security system's API for the access data. The API information obtained by parsing the identity information TOKEN is compared one by one with the API information stored in the blacklist policy: if a matching entry exists, the client does not have the authority to call that API; if none matches, the client has the authority to call it.
Referring to fig. 4 again, step S200 further includes:
step S231, judging whether the identity information is stored in a preset white list strategy;
step S232, if the identity information is stored in the white list policy, obtaining a preset authentication right corresponding to the client according to the identity information.
In steps S231 and S232, it is determined whether the identity information is stored in a preset white list policy. If it is not, the client corresponding to the identity information is determined to be unauthorised and cannot obtain the corresponding authentication authority; if it is, the client is determined to be authorised by the security system of the server and can obtain the authentication authority. Specifically, the white list policy is preset in the security system and stores the API information of authorised clients, so that the corresponding clients are determined to have the authority to call the security system's API for the access data. The API information obtained by parsing the identity information TOKEN is compared one by one with the API information stored in the white list policy: if no matching entry exists, the client does not have the authority to call that API; if one matches, the client has the authority to call it.
In some embodiments, the method further includes obtaining the expiry information of the identity information and judging from it whether the identity information has expired. If it has expired, the client no longer has the authority to call the security system's API for the access data; if it has not, the client still has that authority.
In practical application, after the client is determined to have the authentication authority for the security system's API for the access data, the validity period of that authority is verified, that is, the expiry information of the identity information is obtained to check whether the authority has expired. If it has expired, the corresponding authentication authority can no longer be exercised; if it has not, the client is allowed to exercise it.
As described with reference to fig. 2, fig. 3, and fig. 4, the steps S211, S212, S221, S222, S231, and S232 mentioned in this embodiment may be combined arbitrarily to obtain different verification processes.
Combination one: first verify the accuracy of the identity information; after it is verified to be accurate, check it against both the preset blacklist policy and the preset white list policy. If the identity information is not in the blacklist but is in the white list, assign it the corresponding authentication authority; if it is in the blacklist but not in the white list, reject its request to access data; if it is in both lists at the same time, the white list policy takes precedence and the corresponding authentication authority is assigned; and if it is in neither list, reject its request to access data. Under this precedence, combination one grants authority exactly when the identity information is white-listed: it is a permit-overrides rule, the opposite of the deny-overrides convention, so an entry added to the blacklist takes no effect until it is also removed from the white list.
Combination two: first verify the accuracy of the identity information; after it is verified to be accurate, check it against the preset white list policy. If the identity information is in the white list, assign it the corresponding authentication authority; if it is not, reject its request to access data.
Combination three: first verify the accuracy of the identity information; after it is verified to be accurate, check it against the preset blacklist policy. If the identity information is not in the blacklist, assign it the corresponding authentication authority; if it is, reject its request to access data.
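The authentication pipeline of steps S100 to S200, including the three rule combinations above, as an added Python example that is not part of the patent. The signed token format, the `Bearer` header, the HMAC key, the policy contents and the client names are assumptions made for this illustration; the patent only states that the token in the request header carries client information, API information and expiry information.

```python
"""Added example, not from the patent: S100-S200 as a small policy engine.
Assumed: tokens are HMAC-signed JSON claims, so "verifying the accuracy of
the identity information" (S211) is a signature check, not a lookup of
unauthenticated claims."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

SERVER_HMAC_KEY = b"constructed-demo-key-do-not-use"   # assumed server-side key
FIXED_NOW = 1_700_000_000                              # constructed clock for the demo


def issue_token(client_id: str, api: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a token carrying client, API and expiry information (S100 input)."""
    now = int(time.time()) if now is None else now
    claims = {"client": client_id, "api": api, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SERVER_HMAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse_token(token: str) -> Optional[dict]:
    """S211: return the claims if the signature verifies, else None (inaccurate)."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_HMAC_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:          # bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


@dataclass
class Policy:
    blacklist: set = field(default_factory=set)   # (client, api) pairs, "API information"
    whitelist: set = field(default_factory=set)
    authority: dict = field(default_factory=dict)  # client -> set of APIs it may call


def authenticate(headers: dict, policy: Policy, mode: str, now: Optional[int] = None) -> Optional[str]:
    """S200 for combinations one, two and three; returns the authorised API or None."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = parse_token(auth[len("Bearer "):])
    if claims is None:
        return None                                 # S211 failed: request rejected
    key = (claims.get("client"), claims.get("api"))
    in_black, in_white = key in policy.blacklist, key in policy.whitelist
    if mode == "one":
        allowed = in_white                          # white list has precedence
    elif mode == "two":
        allowed = in_white
    elif mode == "three":
        allowed = not in_black
    else:
        raise ValueError(f"unknown combination {mode!r}")
    if not allowed:
        return None
    exp = claims.get("exp")                         # expiry information, checked last
    if not isinstance(exp, int) or exp <= now:
        return None
    if key[1] not in policy.authority.get(key[0], set()):
        return None                                 # no pre-assigned authority for this API
    return key[1]


# Constructed policy: meter-reader-7 is on both lists to show the precedence rule.
DEMO_POLICY = Policy(
    blacklist={("meter-reader-7", "/api/v1/customer/phone")},
    whitelist={("billing-portal", "/api/v1/customer/phone"),
               ("meter-reader-7", "/api/v1/customer/phone")},
    authority={"billing-portal": {"/api/v1/customer/phone"},
               "meter-reader-7": {"/api/v1/customer/phone"}},
)

if __name__ == "__main__":
    tok = issue_token("meter-reader-7", "/api/v1/customer/phone", 300, FIXED_NOW)
    for mode in ("one", "two", "three"):
        print(mode, authenticate({"Authorization": "Bearer " + tok}, DEMO_POLICY, mode, FIXED_NOW))
```

Under the stated precedence, combination one grants authority exactly when the identity information is white-listed, so it behaves identically to combination two; the blacklist only changes the outcome in combination three. Verifying the signature before consulting any list is what gives the "accuracy" check its meaning: without it, a client could present a token naming any white-listed client.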
In step S300, step S400 and step S500, an API interface of the security system is called according to the corresponding authentication authority to obtain the access data requested by the client, and the API interface is further configured with a corresponding data encryption policy. The data encryption strategy can encrypt the access data before returning the access data to the client, namely, the encrypted access data is returned to the client.
The data encryption policy includes a plurality of encryption types, for example data encryption policies based on information such as the telephone number and identification number of the user of the client, and data encryption policies based on different algorithms, including but not limited to DES (Data Encryption Standard), 3DES (Triple Data Encryption Algorithm), AES (Advanced Encryption Standard), RSA (public-key cipher), MD5 (Message Digest Algorithm 5), BASE64 (representation of binary data with 64 printable characters), and a combination of MD5 and BASE64. A specific encryption policy may be selected according to actual needs, and the server may allocate different data encryption policies to the API interfaces of different clients, so that each client uses its own encryption mode, which improves security. Note that MD5 is a one-way hash and BASE64 is a reversible encoding: neither is a cipher, so neither of them, alone or combined, provides confidentiality for the returned data, and DES is deprecated because of its 56-bit key. Of the listed algorithms only AES and RSA are suitable for protecting the access data, and AES should be used in an authenticated mode such as GCM so that tampering with the ciphertext is detected.
In some embodiments, the method further includes obtaining a key pair in the data encryption policy, where the key pair includes a decryption private key, and sending the decryption private key to the client, so that the client can decrypt the encrypted access data with it. Specifically, after the client receives the encrypted access data it must decrypt it to obtain the actual access data, so the server must return the decryption key of the data encryption policy to the client in advance or at the same time, so that the client holds the decryption key and is able to decrypt the encrypted access data. In practical application, the server may send the decryption key to the client together with or after the encrypted access data, or after authenticating the client and before sending the encrypted access data; the specific time of sending the decryption key may be adjusted according to actual requirements and is not specifically limited in the embodiment of the present invention. Note that a decryption key transmitted over the same channel as the ciphertext gives no confidentiality against an attacker who observes that channel; the key delivery itself must be protected, for example by the transport-layer session between the client and the gateway or by encrypting the key to a public key the client registered beforehand, and a key derived per session is preferable to a long-lived one.
In some embodiments, the security system of the server further obtains the authentication log information generated while authenticating the identity information, and analyses it according to a preset audit rule to obtain a first audit result. The authentication log information is the log information generated by the security system in the process of authenticating the identity information of the client; for example, the authentication result, the parsed identity information and the content of the identity information are all written into the log. A corresponding first audit result is generated by analysing this log, and a user can manually review the first audit result to determine whether the security system has an authentication vulnerability. The audit rule sets sensitive words for the authentication information, system operation boundaries and similar rules, and audits the authentication link of the security system. The first audit result is the related audit information displayed in the security system; it can be displayed as a data table, a pie chart, a line chart or other forms, so that a user can review the audit result visually and find authentication vulnerabilities or problems in the current security system.
In some embodiments, the method further includes the server obtaining the data log information generated by calling the access data, and analysing it according to a preset audit rule to obtain a second audit result. The data log information is the log information generated while the security system calls the API according to the authentication authority of the client to obtain the corresponding access data; for example, the amount of access data obtained, the parameter fields, parameter structure and parameter message data of the access data, and the interface call information are all written into the data log. The security system generates a corresponding second audit result by analysing the data log information, and a user can manually review the second audit result to determine whether the security system has a vulnerability in the process of calling the API to obtain the access data. The audit rule sets sensitive information for the parameters of the call and similar rules, and audits the data-call link of the security system. The second audit result is the related audit information displayed in the security system; it can be displayed as a data table, a pie chart, a line chart or other forms, so that a user can review it visually and find interface data-call vulnerabilities or problems in the current security system.
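The two audit passes described above (the first audit result over the authentication log and the second over the data-call log), as an added Python example that is not part of the patent. The JSON-per-line log format, the field names, the thresholds and the sensitive-word list are assumptions for this illustration; the log lines are constructed, not captured from any system.

```python
"""Added example, not from the patent: the audit link of the security system run
over constructed log lines. Log format, field names and rules are assumptions."""
import json
from collections import Counter

# Constructed authentication log (input to the first audit), one JSON object per
# line, with one garbled line to show how the audit handles it.
AUTH_LOG = """\
{"ts": 1700000001, "client": "billing-portal", "api": "/api/v1/customer/phone", "result": "ok"}
{"ts": 1700000002, "client": "meter-reader-7", "api": "/api/v1/customer/phone", "result": "blacklist"}
{"ts": 1700000003, "client": "meter-reader-7", "api": "/api/v1/customer/phone", "result": "blacklist"}
{"ts": 1700000004, "client": "meter-reader-7", "api": "/api/v1/customer/phone", "result": "expired"}
{"ts": 1700000005, "client": "unknown-client", "api": "/api/v1/customer/phone", "result": "invalid_token"}
this line was garbled before it reached the audit store
"""

# Constructed data-call log (input to the second audit).
DATA_LOG = """\
{"ts": 1700000010, "client": "billing-portal", "api": "/api/v1/customer/phone", "rows": 12, "fields": ["customer_id", "phone"]}
{"ts": 1700000011, "client": "meter-reader-7", "api": "/api/v1/meter/readings", "rows": 2400, "fields": ["meter_id", "kwh"]}
{"ts": 1700000012, "client": "report-job", "api": "/api/v1/customer/export", "rows": 50, "fields": ["customer_id", "id_number", "address"]}
"""

# Assumed audit rules: sensitive words and operation boundaries, as the text describes.
AUTH_RULES = {"max_failures_per_client": 3, "flag_results": {"invalid_token"}}
DATA_RULES = {
    "max_rows_per_call": 500,                              # boundary for one API call
    "sensitive_fields": {"phone", "id_number"},            # sensitive words in parameter fields
    "sensitive_allowed_apis": {"/api/v1/customer/phone"},  # APIs permitted to return them
}


def parse_log(text):
    """Parse JSON lines; keep malformed lines so the audit can report them."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            records.append({"malformed": line})
    return records


def audit_authentication(text, rules=AUTH_RULES):
    """First audit result: findings over the authentication log."""
    findings, failures = [], Counter()
    for rec in parse_log(text):
        if "malformed" in rec:
            findings.append({"rule": "malformed_log_line", "line": rec["malformed"]})
            continue
        if rec["result"] in rules["flag_results"]:
            findings.append({"rule": "suspicious_result", "client": rec["client"],
                             "result": rec["result"]})
        if rec["result"] != "ok":
            failures[rec["client"]] += 1
    for client, count in failures.items():        # repeated failures: probing or brute force
        if count >= rules["max_failures_per_client"]:
            findings.append({"rule": "repeated_failures", "client": client, "count": count})
    return findings


def audit_data(text, rules=DATA_RULES):
    """Second audit result: findings over the data-call log."""
    findings = []
    for rec in parse_log(text):
        if "malformed" in rec:
            findings.append({"rule": "malformed_log_line", "line": rec["malformed"]})
            continue
        if rec["rows"] > rules["max_rows_per_call"]:   # operation boundary exceeded
            findings.append({"rule": "bulk_extraction", "client": rec["client"],
                             "api": rec["api"], "rows": rec["rows"]})
        exposed = set(rec["fields"]) & rules["sensitive_fields"]
        if exposed and rec["api"] not in rules["sensitive_allowed_apis"]:
            findings.append({"rule": "sensitive_field_outside_boundary", "client": rec["client"],
                             "api": rec["api"], "fields": sorted(exposed)})
    return findings


def summarize(findings):
    """Count of findings per rule: the data-table view of an audit result."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    print("first audit result:", summarize(audit_authentication(AUTH_LOG)))
    print("second audit result:", summarize(audit_data(DATA_LOG)))
```

The malformed line is reported rather than skipped: a gap in the authentication log is itself something the reviewer should see, since an attacker who can corrupt log lines could otherwise hide failed attempts from the repeated-failure rule.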
In an application example that may be implemented, referring to fig. 5, the server first acquires the access request of the client through nginx and the gateway and enters the security authentication link: it verifies the identity information in the access request, checks the blacklist policy and the white list policy after that verification passes, acquires the corresponding authentication authority after those checks pass, verifies that the authentication authority has not expired, and, after that passes, can retrieve the access data requested by the client through the API component; if any step of the security authentication link fails, the request of the client is ended. After the requested access data has been retrieved through the API component, the data security link encrypts the access data according to the preset data encryption policy and returns the encrypted access data to the client, which completes the request. On the other hand, the security system also includes an audit link, which analyses and audits the security audit information generated during security authentication and the data log information generated during data retrieval according to preset security audit rules, and obtains and displays the corresponding audit results, so that a user can understand the state of the system in the current or a historical time period by reviewing them.
In the embodiment of the invention, the access request of the client is acquired, the access request comprising identity information; the identity information is authenticated to obtain the authentication authority; the access data corresponding to the access request is acquired according to the authentication authority; the access data is encrypted according to the preset data encryption policy; and the encrypted access data is sent to the client. In this way server information is protected, an untrusted user is prevented from stealing server information, and the security of local information is improved.
In a second aspect, a second embodiment of the present invention provides a data access system. It should be noted that the data access system mentioned in the first embodiment of the present invention is used for executing the data access method mentioned in the first embodiment of the present invention, and the step flow in the data access method is executed in the form of unit modules.
In some embodiments, referring to FIG. 6, a block diagram of a data access system in an embodiment of the invention is shown. The system specifically comprises an acquisition module 100, an authentication module 200, a calling module 300, an encryption module 400 and a sending module 500, wherein:
the obtaining module 100 is configured to obtain an access request of a client, where the access request includes identity information;
the authentication module 200 is configured to authenticate the identity information to obtain an authentication right;
the calling module 300 is configured to obtain access data corresponding to the access request according to the authentication authority;
the encryption module 400 is configured to encrypt the access data according to a preset data encryption policy;
the sending module 500 is configured to send the encrypted access data to the client.
It should be noted that, in the embodiment of the present invention, specific contents to be executed by each unit module of the obtaining module 100, the authenticating module 200, the invoking module 300, the encrypting module 400, and the sending module 500 have been discussed in detail in the embodiment of the first aspect, and therefore, no further description is given.
In the embodiment of the present invention, an access request of a client is obtained through an obtaining module 100, where the access request includes identity information, an authenticating module 200 authenticates the identity information to obtain an authentication authority, a calling module 300 obtains access data corresponding to the access request according to the authentication authority, an encrypting module 400 encrypts the access data according to a preset data encryption policy, and a sending module 500 sends the encrypted access data to the client, so as to protect server information, prevent an untrusted user from stealing server information, and improve the security degree of local information.
In a third aspect, a third embodiment of the present invention further provides an electronic device, including: at least one processor, and a memory communicatively coupled to the at least one processor;
the processor is used for executing the data access method in the first embodiment of the invention by calling the computer program stored in the memory.
The memory, as a non-transitory computer-readable storage medium, may be used to store a non-transitory software program and a non-transitory computer-executable program, such as the data access method in the embodiments of the first aspect of the present application. The processor implements the data access method in the first embodiment of the present invention by executing the non-transitory software program and the instructions stored in the memory.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the stored data area may store data access methods performed in the embodiments of the first aspect described above. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and instructions required to implement the data access methods in the embodiments of the first aspect described above are stored in a memory and, when executed by one or more processors, perform the data access methods in the embodiments of the first aspect described above.
In a fourth aspect, a fourth embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions for executing the data access method in the first embodiment of the invention.
In some embodiments, the computer-readable storage medium stores computer-executable instructions, which are executed by one or more control processors, for example, by one of the processors in the electronic device of the third aspect, and may cause the one or more processors to execute the data access method in the first embodiment of the present invention.
The above described embodiments of the device are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
In summary, compared with the prior art, the embodiment of the invention has the following beneficial effects: the authority of the user's identity information is judged according to the verification result, and the corresponding business scheduling process is carried out after the authority check passes, which completes the development of the data service interface. This solves the problem of the complex development involved in managing multiple data API interfaces, automates the development of the API service interface, saves labor, and improves the development efficiency of the API interface.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited by the scope of the appended claims.

Claims (10)

1. A method of data access, comprising:
acquiring an access request of a client, wherein the access request comprises identity information;
authenticating the identity information to obtain authentication authority;
obtaining access data corresponding to the access request according to the authentication authority;
encrypting the access data according to a preset data encryption strategy;
and sending the encrypted access data to the client.
2. The data access method of claim 1, wherein the authenticating the identity information to obtain an authentication right comprises:
verifying the accuracy of the identity information;
and if the identity information is accurate, acquiring a preset authentication authority corresponding to the client according to the identity information.
3. The data access method of claim 1 or 2, wherein the authenticating the identity information to obtain an authentication right comprises:
judging whether the identity information is stored in a preset blacklist strategy or not;
and if the identity information is not stored in the blacklist strategy, acquiring a preset authentication authority corresponding to the client according to the identity information.
4. The data access method of claim 1 or 2, wherein the authenticating the identity information to obtain an authentication right comprises:
judging whether the identity information is stored in a preset white list strategy or not;
and if the identity information is stored in the white list strategy, acquiring a preset authentication authority corresponding to the client according to the identity information.
5. The data access method of claim 1, further comprising:
acquiring authentication log information generated according to the authentication of the identity information;
and analyzing the authentication log information according to a preset audit rule to obtain a first audit result.
6. The data access method of claim 1 or 5, further comprising:
acquiring data log information generated by calling the access data;
and analyzing the data log information according to a preset audit rule to obtain a second audit result.
7. The data access method of claim 1, further comprising:
obtaining a key pair in the data encryption strategy, wherein the key pair comprises a decryption private key;
and sending the decryption private key to the client so that the client decrypts the encrypted access data according to the decryption private key.
8. A data access system, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring an access request of a client, and the access request comprises identity information;
the authentication module is used for authenticating the identity information to obtain authentication authority;
the calling module is used for acquiring access data corresponding to the access request according to the authentication authority;
the encryption module is used for encrypting the access data according to a preset data encryption strategy;
and the sending module is used for sending the encrypted access data to the client.
9. An electronic device, comprising:
at least one processor, and,
a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions for execution by the at least one processor to cause the at least one processor, when executing the instructions, to implement the data access method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the data access method of any one of claims 1 to 7.
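As an added illustration of the security authentication link described with reference to fig. 5 and of claims 2 to 6 (example code written for this page, not part of the application): a server that runs the identity, blacklist, whitelist, authority and timeliness checks in that order, records each outcome as security audit information, and a constructed audit rule that turns that information into an audit result. The client identifiers, the shared-secret identity check, the Unix-time bookkeeping and the denial-count rule are assumptions; the encryption step of claims 1 and 7 is not shown.

```python
from dataclasses import dataclass, field
import hmac


@dataclass(frozen=True)
class Permission:
    """The preset 'authentication authority' of one client."""
    resources: frozenset   # data items the client may have scheduled through the API component
    expires_at: float      # Unix time at which the authority stops being valid (timeliness check)


@dataclass
class Server:
    """Preset policies of the security authentication link; all values are constructed by the caller."""
    credentials: dict      # client_id -> expected credential (the identity information); assumption
    blacklist: set
    whitelist: set
    permissions: dict      # client_id -> Permission
    audit_log: list = field(default_factory=list)  # (time, client_id, outcome, step) for the audit link

    def _deny(self, now, client_id, step):
        self.audit_log.append((now, client_id, "DENY", step))
        return None

    def authenticate(self, client_id, credential, now):
        """Run the checks in the stated order: identity, blacklist, whitelist, authority, timeliness.
        The first failing check ends the request and is audited; returns the Permission or None."""
        expected = self.credentials.get(client_id)
        if expected is None or not hmac.compare_digest(expected, credential):
            return self._deny(now, client_id, "identity")
        if client_id in self.blacklist:
            return self._deny(now, client_id, "blacklist")
        if client_id not in self.whitelist:
            return self._deny(now, client_id, "whitelist")
        perm = self.permissions.get(client_id)
        if perm is None:
            return self._deny(now, client_id, "authority")
        if now >= perm.expires_at:
            return self._deny(now, client_id, "expired")
        self.audit_log.append((now, client_id, "ALLOW", "authority"))
        return perm


def audit(log, now, window=600.0, threshold=3):
    """Constructed preset audit rule: report clients with at least `threshold` denials in the last
    `window` seconds, together with the steps they failed, as the audit result of claim 5."""
    counts, steps = {}, {}
    for ts, client_id, outcome, step in log:
        if outcome == "DENY" and 0 <= now - ts <= window:
            counts[client_id] = counts.get(client_id, 0) + 1
            steps.setdefault(client_id, set()).add(step)
    return {c: sorted(steps[c]) for c, n in counts.items() if n >= threshold}
```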
CN202110632705.5A 2021-06-07 2021-06-07 Data access method, system, electronic device and computer readable storage medium Pending CN113468591A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110632705.5A CN113468591A (en) 2021-06-07 2021-06-07 Data access method, system, electronic device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110632705.5A CN113468591A (en) 2021-06-07 2021-06-07 Data access method, system, electronic device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN113468591A true CN113468591A (en) 2021-10-01

Family

ID=77868691

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110632705.5A Pending CN113468591A (en) 2021-06-07 2021-06-07 Data access method, system, electronic device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113468591A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826661A (en) * 2022-03-18 2022-07-29 浪潮卓数大数据产业发展有限公司 Data access method, device and medium based on open API

Similar Documents

Publication Publication Date Title
US10671733B2 (en) Policy enforcement via peer devices using a blockchain
US9166966B2 (en) Apparatus and method for handling transaction tokens
US8572689B2 (en) Apparatus and method for making access decision using exceptions
US8572686B2 (en) Method and apparatus for object transaction session validation
US8726339B2 (en) Method and apparatus for emergency session validation
US8752123B2 (en) Apparatus and method for performing data tokenization
US8752124B2 (en) Apparatus and method for performing real-time authentication using subject token combinations
US8806602B2 (en) Apparatus and method for performing end-to-end encryption
US20140351924A1 (en) Method and system for providing limited secure access to sensitive data
US8726341B2 (en) Apparatus and method for determining resource trust levels
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
US8572690B2 (en) Apparatus and method for performing session validation to access confidential resources
CN111914293A (en) Data access authority verification method and device, computer equipment and storage medium
US8752157B2 (en) Method and apparatus for third party session validation
US8572724B2 (en) Method and apparatus for network session validation
US8584202B2 (en) Apparatus and method for determining environment integrity levels
CN113468591A (en) Data access method, system, electronic device and computer readable storage medium
CN109587134B (en) Method, apparatus, device and medium for secure authentication of interface bus
CN111538973A (en) Personal authorization access control system based on state cryptographic algorithm
CN108900595B (en) Method, device and equipment for accessing data of cloud storage server and computing medium
US8572688B2 (en) Method and apparatus for session validation to access third party resources
US8584201B2 (en) Method and apparatus for session validation to access from uncontrolled devices
US9159065B2 (en) Method and apparatus for object security session validation
CN114024682A (en) Cross-domain single sign-on method, service equipment and authentication equipment
US8726340B2 (en) Apparatus and method for expert decisioning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination