CN113836510A - Token-based application access control method and device, equipment and storage medium thereof - Google Patents


Info

Publication number
CN113836510A
Authority
CN (China)
Prior art keywords
token, token value, authenticated, information, user
Legal status
Granted, active
Application number
CN202110931768.0A
Language
Chinese (zh)
Other versions
CN113836510B (granted publication)
Inventors
雅志业, 王毅, 史志伟
Assignees
Changchun Jida Zhengyuan Information Technology Co ltd; Beijing Jida Zhengyuan Information Technology Co ltd
Application filed by Changchun Jida Zhengyuan Information Technology Co ltd and Beijing Jida Zhengyuan Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a token-based application access control method, device, equipment and storage medium. The method comprises: obtaining the corresponding credential token value from the user access information; comparing the token value with the authenticated token value stored in a connection information structure, where the connection information structure stores authenticated token information and the authenticated token information includes the authenticated token value; and, if the token value is the same as the authenticated token value, the token value has not expired and the token value carries the corresponding access right, allowing the user to access the application. The technical scheme of the invention is used to improve the speed at which a user accesses an application.

Description

Token-based application access control method and device, equipment and storage medium thereof
Technical Field
The invention relates to the technical field of security access control, and in particular to a token-based application access control method, device, equipment and storage medium.
Background
At present, with the spread of rich and diverse applications and networks, application-based access control policies are used more and more often in HTTPS environments, and their requirements are becoming more diverse. The all-or-nothing switch of an iptables-style scheme cannot express different access control settings for different applications served on the same IP address or port; in particular, in zero-trust scenarios a user's access has to be blocked in real time by a gateway on the basis of content in order to achieve fine-grained application access control. In the prior art, however, users' access information is generally stored centrally in the form of a database, so that enforcing access control requires reassembling the content and searching the database; this is inefficient and indirectly degrades the blocking performance of the gateway.
Disclosure of Invention
Embodiments of the invention provide a token-based application access control method and device that improve the speed at which a user accesses an application.
In a first aspect, an embodiment of the invention provides a token-based application access control method, including:
obtaining the corresponding credential token value from the user access information;
comparing the token value with the authenticated token value stored in a connection information structure, where the connection information structure stores authenticated token information and the authenticated token information includes the authenticated token value;
and, if the token value is the same as the authenticated token value, has not expired and carries the corresponding access right, allowing the user to access the application.
In a second aspect, an embodiment of the invention further provides a token-based application access control apparatus, including:
a credential establishing module for obtaining the corresponding credential token value from the user access information;
a credential comparison module for comparing the token value with the authenticated token value stored in the connection information structure, where the connection information structure stores authenticated token information and the authenticated token information includes the authenticated token value;
an access pass/block module for allowing the user to access the application when the token value is the same as the authenticated token value, has not expired and carries the corresponding access right, and for blocking the user from accessing the application in every other case.
In a third aspect, an embodiment of the invention further provides a computer device, including a memory, a processor and a computer program stored on the memory and runnable on the processor, where the processor, when executing the program, implements the token-based application access control method according to any embodiment of the invention.
In a fourth aspect, an embodiment of the invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processing apparatus, implements the token-based application access control method according to any embodiment of the invention.
In the invention, when a user authenticates at a client and accesses an application through an access control gateway, a corresponding connection information structure is created in the session cache and the corresponding authenticated token information, which includes the authenticated token value, is stored in it. When the user accesses the application again, the token value is taken from the user access information and compared directly with the authenticated token value stored in the connection information structure; if the token value is the same as the authenticated token value, the access is within the permitted time range and the token carries the corresponding access right, the user is allowed to access the application directly. In this embodiment the authenticated token information for a user's access is stored separately, in the connection information structure, rather than centrally in a database, so the database lookup is omitted and the rate at which the user reaches the application improves. In addition, when the authenticated token information in the connection information structure has expired or no longer carries the right, the user's access can be blocked immediately, which improves the security of user access.
Drawings
Fig. 1 is a flowchart of a token-based application access control method according to an embodiment of the invention;
Fig. 2 is a flowchart of another token-based application access control method according to an embodiment of the invention;
Fig. 3 is a flowchart of another token-based application access control method according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a binary red-black tree according to an embodiment of the invention;
Fig. 5 is a flowchart of another token-based application access control method according to an embodiment of the invention;
Fig. 6 is a diagram of a multi-task process model according to an embodiment of the invention;
Fig. 7 is a signaling diagram of a token-based application access control procedure according to an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a token-based application access control device according to an embodiment of the invention;
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here merely illustrate the invention and do not limit it. For convenience of description, the drawings show only some of the structures related to the invention, not all of them.
For ease of understanding, a brief introduction to the token-based application access process follows. Five parties are involved: a policy center, an authentication center, a gateway, an application system and a client. The policy center dynamically determines a user's access policy for a specific application and issues it to the gateway and the authentication center in real time. The gateway and the authentication center receive the access control policy issued by the policy center in real time and dynamically block a given application according to it (in particular an individual application among several on the same IP address or port): the gateway looks up the user account and/or user terminal account that corresponds to a token value, finds the policy for that account, finds all connections that correspond to the token value and disconnects them as the policy requires, which blocks exactly that application. The authentication center verifies the authentication information a user submits, generates a token value, obtains the corresponding user account and/or user terminal account, and verifies whether a token value is valid.
When the client accesses an application through the gateway, it puts the token value into the HTTP request message; the gateway uses the token value to verify the user's access state and to decide the user's access right. The application side provides the application itself.
Every time a user accesses the application system through the client, the access goes through the gateway so that access control can be enforced; the gateway mediates, and can block, the communication between the client and the application system, which effectively improves the security of user access. When a user accesses the application system through the gateway, the gateway inspects the user access information. If no token value is found in it, the client is redirected to the authentication center, where the user submits a user name, password, identity identifier and similar information to complete authentication. The authentication center generates an authenticated token value from the information submitted by the client; the token value may be a random number or may carry information such as the user's role. The authentication center returns the authenticated token value directly to the client, the client accesses the gateway with user access information that carries the authenticated token value, the gateway checks whether that authenticated token value exists in its own memory, and if it does, the connection between the client and the application system is established through the gateway.
The embodiment of the invention has the following specific scheme:
example one
Fig. 1 is a flowchart of a token-based application access control method according to an embodiment of the invention. This embodiment applies to the case in which a user's client accesses an application; the method may be executed by a token-based application access control device and comprises the following steps:
S110, obtaining the corresponding token value from the user access information.
When a user's client accesses the application system, the gateway inspects the user access information. If no token value is found in it, the client is redirected to the authentication center, where the user information (user name, password, identity identifier and the like) is authenticated; if authentication passes, the authentication center sends the authenticated token value to the client. When the client accesses the application through the gateway again, the user access information is sent to the gateway, and the gateway takes from it the authenticated token value the client obtained from the authentication center. Specifically, each time the client accesses the application system it puts the authenticated token value into the HTTP request header, so that the gateway can verify the user's access state and decide the access right; if the user has the right, the connection between the client and the application system is established. At the same time, a connection information structure is created in the gateway's session cache. It contains the authenticated token value sent by the authentication center, the corresponding user account and user terminal account, the access right, timeout information, the list of accessible applications and so on; together this information forms the authenticated token information for the user's access, and the connection information structure holds it.
The authenticated token information can reach the gateway from the authentication center in either of two ways. In the first, after the authentication center has authenticated the user information and generated the authenticated token value, it directs the client to connect to the application system through the gateway; the client connects through the gateway carrying the authenticated token value, and if the gateway finds no such authenticated token value in its memory, it sends the token value back to the authentication center, which verifies whether it is valid and, if so, sends the authenticated token information to the gateway, which stores it in a connection information structure in the session cache. In the second, after authenticating the user information and generating the authenticated token value, the authentication center builds the authenticated token information from it directly, sends the authenticated token value to the client and the authenticated token information to the gateway, and the gateway stores the latter in its session cache.
S120, comparing the token value with the authenticated token value stored in the connection information structure; the connection information structure stores authenticated token information, and the authenticated token information includes the authenticated token value.
Note that the token value in the user access information is an authenticated token value issued by the authentication center, but the authenticated token value and the authenticated token information held by the gateway change in real time according to issued policies and the user's rights, whereas the token value held by the client is the one issued at the most recent authentication and does not change when the authenticated token information in the gateway is updated.
In this embodiment a connection information structure is created for each authenticated token value, and it stores the authenticated token information, including the authenticated token value. When a further access request carrying that token value arrives, the corresponding connection information is found directly through the connection information structure and the connect or block operation is carried out at once, which improves the user's access speed. In existing application access control schemes, the application system searches cached data after receiving a user's access request, but that cache usually stores the access connection information of all users centrally in the form of a database (for example, as sessions); the search is slow, and the user's access speed suffers. In this embodiment each piece of connection information is stored separately in its own connection information structure, and the database lookup is omitted.
For example, when a user's client accesses an application through the gateway over TCP, the gateway creates a connection information structure in the session cache. As long as the TCP connection is not closed, the connection information structure for the user's access and the information it holds remain in the session cache, and each time the user accesses the application system the gateway takes the token value from the user access information and compares it directly with the authenticated token value in the session cache, which improves the user's access speed.
S130, if the token value is the same as the authenticated token value, the token value has not expired and the token value carries the corresponding access right, allowing the user to access the application.
When the user accesses the application, the gateway takes the token value from the access request and compares it directly with the authenticated token value in the connection information structure in the session cache; if they are the same, the user's access is verified. It must then be determined whether the login period of the authenticated token value has expired; if it has, the user's access to the application is blocked, which improves the security of application access. If the login period is still within its validity, it must be determined whether the user has the access right for the application concerned; if so, the user is allowed to access the application, and the client is connected to the application system directly through the connection information structure, which speeds up the user's access.
Further, when the token value differs from the authenticated token value, or the connection information structure holds no authenticated token value (for example because the current session was closed and the authenticated token value in the connection information structure was lost), this embodiment can go on to search the other locations in memory where token values are stored, and look up and verify the rights of the token value there. If the token value is the same as the authenticated token value but has expired, the user's access to the application can be blocked directly; if it is the same and has not expired but the access right is absent (because a policy issued in real time modified the rights), the user's access can likewise be blocked directly. In this way the gateway blocks a user's access to an application quickly and in real time, the performance of user access control improves further, and fine-grained application access control is achieved.
In this embodiment, after the user obtains an authenticated token value from the authentication center, the gateway creates a corresponding connection information structure in the session cache and stores the authenticated token value in it. When the user accesses the application again, the token value in the user access information is compared with the authenticated token value stored in the connection information structure; if they are the same, the login of the authenticated token value has not expired and the authenticated token value carries the corresponding access right, the user is allowed to access the application directly. The authenticated token information for the user's access is stored separately in the connection information structure rather than centrally in a database, so the database lookup is omitted and the user's access rate improves; in addition, when the authenticated token information in the connection information structure has expired or no longer carries the right, the user's access is blocked immediately, which improves the efficiency of secure user access.
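The decision of steps S120 and S130, as an added example in Python; it is not code from the patent or its applicants. The data classes mirror the connection information structure and the authenticated token information, and the check runs comparison, expiry and access right in the order the steps give, reporting which case blocked. The constant-time comparison, the field names, the epoch-second timeout and the sample token are assumptions made for the example.

```python
"""Gateway-side token check, steps S120 and S130, as an added illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set
import hmac


@dataclass
class AuthenticatedToken:
    """Authenticated token information the authentication center gives the gateway."""
    value: str
    user_account: str
    terminal_account: str
    expires_at: float                                     # timeout information, epoch seconds
    allowed_apps: Set[str] = field(default_factory=set)   # accessible application list


@dataclass
class ConnInfo:
    """Per-connection 'connection information structure' in the session cache.

    token plays the role of the pointer variable in the patent: the connections
    of one user share a single AuthenticatedToken, so a policy change reaches
    all of them at once.
    """
    conn_id: str
    token: Optional[AuthenticatedToken] = None


class Decision(Enum):
    ALLOW = "allow"                        # matches, unexpired, application permitted
    BLOCK_EXPIRED = "block: expired"       # matches, but the login period is over
    BLOCK_NO_RIGHT = "block: no right"     # matches, unexpired, policy withholds the application
    REAUTHENTICATE = "reauthenticate"      # no usable match in this connection's cache


def check(conn: Optional[ConnInfo], req_token: str, app: str, now: float) -> Decision:
    """Compare the request token with the cached one, then expiry, then access right."""
    if conn is None or conn.token is None or not req_token:
        return Decision.REAUTHENTICATE
    # Constant-time comparison is an addition here, not something the patent
    # states: an early-exit string compare would let response timing reveal
    # how much of a guessed token prefix was right.
    if not hmac.compare_digest(req_token.encode(), conn.token.value.encode()):
        return Decision.REAUTHENTICATE
    if now >= conn.token.expires_at:
        return Decision.BLOCK_EXPIRED
    if app not in conn.token.allowed_apps:
        return Decision.BLOCK_NO_RIGHT
    return Decision.ALLOW


if __name__ == "__main__":
    import time

    now = time.time()
    # Constructed sample of what the authentication center would have issued;
    # the token value is a placeholder, not a real credential.
    tok = AuthenticatedToken("8c2e7b1f3a9d4e60", "alice", "laptop-01", now + 1800, {"mail", "erp"})
    conn = ConnInfo("tcp-1", tok)
    print("mail, fresh token:    ", check(conn, tok.value, "mail", now).value)
    print("crm, never granted:   ", check(conn, tok.value, "crm", now).value)
    tok.allowed_apps.discard("erp")        # policy center revokes erp in real time
    print("erp, after revocation:", check(conn, tok.value, "erp", now).value)
    print("mail, one hour later: ", check(conn, tok.value, "mail", now + 3600).value)
    print("mail, tampered token: ", check(conn, "8c2e7b1f3a9d4e61", "mail", now).value)
```

Because ConnInfo holds a reference to a shared AuthenticatedToken, the revocation in the demo (discarding erp) is visible on the very next request without the client's token changing, which is the real-time blocking the description claims. A different token value and a missing structure both yield REAUTHENTICATE rather than a block, matching the fallback the preceding paragraph describes: only a matching token that has expired or lost its right is blocked outright.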
In another embodiment, the construction of the connection information structure can be described in more detail. As shown in fig. 2, which is a flowchart of another token-based application access control method according to an embodiment of the invention, the method comprises the following steps:
S210, obtaining the authenticated token information generated by the authentication center from the authentication information the user submitted.
S220, creating the corresponding connection information structure in the session cache according to the authenticated token value, and storing the authenticated token information in that connection information structure.
Compared with the first embodiment, this embodiment adds steps S210 and S220 before step S120, "comparing the token value with the authenticated token value stored in the connection information structure".
When a user accesses an application for the first time, the token value must be obtained through the authentication center; this corresponds to the user registering a user name and password to establish an identity that later accesses can use, since without it the user cannot use a token value to access the application. The user submits authentication information (user name, password and so on) to the authentication center, which authenticates the user information and, on success, returns the authenticated token value for that user's access to the client, thereby granting the user the corresponding access right, validity period and so on. The client writes the authenticated token value into the HTTP request header so that it is sent with later accesses, and the connection between the application system and the client is established on the basis of the authenticated token value.
After the gateway obtains the authenticated token information, it creates a corresponding connection information structure for it and stores the authenticated token information for the user's access, so that when the user accesses the application again the token value reaches the application directly through the corresponding connection information structure.
Optionally, a pointer variable is set in the connection information structure and points at the authenticated token information. A connection information structure holding the connection information for the user's access is created in the session cache; specifically, each session (for example, each TCP connection) uses one connection information structure, which contains the pointer variable, and once the client's request to access the application has been authenticated by the authentication center, the authenticated token information is stored in the memory the pointer variable points to. When the client accesses again, the authenticated token value is obtained directly through the connection information structure and the application is accessed according to it, which greatly improves the user's access speed and shortens the waiting time.
The pointer variable is one way of implementing the connection information structure; this embodiment includes but is not limited to it, and other kinds of connection information structure containing an authenticated token value may be built according to the user's requirements.
S230, obtaining the corresponding token value from the user access information.
S240, comparing the token value with the authenticated token value stored in the connection information structure; the connection information structure stores authenticated token information, and the authenticated token information includes the authenticated token value.
S250, if the token value is the same as the authenticated token value and has not expired, allowing the user to access the application; if the token value is the same as the authenticated token value but has expired, blocking the user from accessing the application.
This embodiment describes in detail how the connection information structure is formed: a connection information structure is created for each authenticated token value, so that at the next access the user goes directly through the connection information structure, the access time is shortened, and the access reaches the authenticated token value directly through the pointer variable, which makes it easy for the user to access the application directly.
In another embodiment, in addition to the connection information structure, the authenticated token information may be stored in the memory cache in the form of a binary red-black tree, forming a second level of storage. In this embodiment the token information includes at least the authenticated token value, the user account, the user terminal account, the user's access right, timeout information and the list of accessible applications. As shown in fig. 3, which is a flowchart of another token-based application access control method according to an embodiment of the invention, the method comprises the following steps:
S310, creating a first binary red-black tree indexed by the authenticated token value in the authenticated token information.
S320, creating a second binary red-black tree indexed by the user account and the user terminal account in the authenticated token information.
In single sign-on, the HTTP request carries a token value but no corresponding information is cached in the session, and the token information in the connection information structure may have been removed; similarly, the token information cached in the session is lost when the user closes the browser and the session is renewed. In such cases the token value can only be verified again at the authentication center, which takes a long time and makes the user wait too long; when the user accesses the application through the gateway, this also indirectly degrades the gateway's blocking efficiency, and real-time dynamic blocking cannot be achieved.
This embodiment therefore also builds binary red-black trees in the memory cache, so that a token need not be verified again at the authentication center after the session cache is cleared. The red-black trees, rather than centralized database storage, hold the authenticated token information, and retrieval from a red-black tree is faster than from a database. One copy of the authenticated token information is cached in each session through the connection information structure, and another copy is cached in the gateway's memory through the binary red-black trees; when the authenticated token information is not found in the session cache, it is looked up in the red-black trees in memory. In other words, the authenticated token information is stored in a two-level cache: not only is one copy cached per session, but a copy is also cached in local memory, which may also be called a double-cache mechanism. When the session cache is lost, as in single sign-on or when the browser is closed, and the authenticated token information is not found in the session cache, the copy cached in memory is searched instead of asking the authentication center to authenticate the token value again.
As shown in fig. 4, fig. 4 is a schematic structural diagram of a binary Red-Black Tree according to an embodiment of the present invention, where the binary Red-Black Tree is called Red-Black Tree, also called "Red-Black Tree", and is a balanced binary Tree. Each node of the binary red-black tree has a storage bit to represent the color of the node, and the storage bit can be red or black; the root node is black; each leaf node (NIL or NIL) is black; and if a node is red, its children must be black; all paths from a node to the descendants of the node contain the same number of black nodes, ensuring that no one path is two times longer than the other paths. Thus, a red-black tree is a binary tree that is relatively near equilibrium.
The insertion and deletion of the red-black tree is essentially performed according to the rules of a binary search tree. However, after the basic operation is completed, if a certain characteristic of the red-black tree is violated, some rotation operation is required to balance the red-black nodes. The red and black tree has wide application, is mainly used for storing ordered data, and has the time complexity of O (logN) and high efficiency. It is complex, but its worst case runtime is very good and in practice efficient: it can search, insert and delete in O (logN) time, where N is the number of nodes in the red and black tree.
In the embodiment, the authenticated token value in the authenticated token information is used as an index to create a first binary red-black tree, so that a user can conveniently search the authenticated token value according to the token value by using an access request; and the user account and the user terminal account in the authenticated token information are used as indexes to create a second binary tree of red and black, so that the authenticated token information can be searched according to the user account and the user terminal account when a strategy is conveniently issued and the authentication center returns an authentication result. Optionally, each node of the first red-black binary tree and each node of the second red-black binary tree are arranged in a one-to-one correspondence manner, and the corresponding nodes store the same authenticated token information; and the same storage structure body is adopted for storage; each node stores corresponding authenticated token information, and the first red-black binary tree and the second red-black binary tree share the node and the storage structure, so that the memory is saved, the management can be facilitated, and repeated application and release of the memory are reduced. The two red and black binary trees are established, so that the authenticated token value can be conveniently searched according to different indexes, and the searching efficiency is improved.
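The red-black properties listed above can be checked mechanically. The following Python validator is an added example and is not part of the patent: it computes the black height of a tree built from a small `Node` class assumed here, rejects any tree that breaks the colour, ordering or equal-black-count rules, and confirms the height bound that makes O(log N) lookups possible. The sample trees are constructed for illustration.

```python
import math

RED, BLACK = "red", "black"


class Node:
    """Minimal tree node assumed for this example (key, colour, two children)."""

    def __init__(self, key, color, left=None, right=None):
        self.key, self.color, self.left, self.right = key, color, left, right


def black_height(node, lo=None, hi=None):
    """Black height of the subtree rooted at node, or -1 if any property fails.

    NIL leaves count as black (height 1). lo/hi are the exclusive key bounds
    inherited from ancestors, used to check binary-search ordering.
    """
    if node is None:
        return 1
    if node.color not in (RED, BLACK):
        return -1
    if (lo is not None and node.key <= lo) or (hi is not None and node.key >= hi):
        return -1                       # binary-search ordering violated
    if node.color == RED:
        for child in (node.left, node.right):
            if child is not None and child.color == RED:
                return -1               # a red node must have black children
    left = black_height(node.left, lo, node.key)
    right = black_height(node.right, node.key, hi)
    if left < 0 or right < 0 or left != right:
        return -1                       # paths with different black counts
    return left + (1 if node.color == BLACK else 0)


def is_red_black(root):
    """True when the root is black and every path obeys the black-count rule."""
    return root is None or (root.color == BLACK and black_height(root) > 0)


def height(node):
    return 0 if node is None else 1 + max(height(node.left), height(node.right))


def count(node):
    return 0 if node is None else 1 + count(node.left) + count(node.right)


def within_balance_bound(root):
    """A valid red-black tree of N nodes has height <= 2 * log2(N + 1)."""
    return height(root) <= 2 * math.log2(count(root) + 1)
```

The validator is the kind of invariant check worth running in a debug build of any custom tree-backed cache: a corrupted tree does not fail loudly, it just starts returning the wrong token record.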
S330, obtaining the corresponding credential token value according to the user access information.
S340, comparing the token value with the authenticated token value stored in the connection information structure; the connection information structure stores authenticated token information; the authenticated token information includes an authenticated token value.
S350, judging whether the token value is the same as the authenticated token value; if yes, go to step S360, otherwise go to step S370.
S360, if the token value is the same as the authenticated token value, the token value is not expired and the token value has corresponding access authority, allowing the user to access the application.
S370, if the connection information structure has no authenticated token information, or the token value differs from the authenticated token value, judging whether an issued policy exists; the issued policy includes at least one of blocking, permission change and secondary authentication; if an issued policy exists, searching the second red-black tree according to the user account and/or the user terminal account, and controlling the user's access to the application according to the issued policy.
Where the session information cache has been lost, for example during single sign-on or after the browser is closed, if the authenticated token value is not found in the session cache, or the token value differs from the authenticated token value because the authenticated token value has changed, the authenticated token value is searched for through the first red-black tree.
Before the authenticated token value is searched for through the first red-black tree, it is first determined whether the policy center has issued a policy to the gateway and the authentication center. The issued policy may include at least one of blocking, permission change and secondary authentication: blocking is a policy that blocks a user's access according to the user account and user terminal account, permission change is a policy that changes the user's access permissions according to the user account and user terminal account, and secondary authentication likewise requires the user to authenticate again according to the user account and user terminal account. If an issued policy exists, the authenticated token information in the second red-black tree is searched for using the user account and/or the user terminal account as the index, and the user's access to the application is permitted or blocked according to the issued policy. For example, the user account can be found from the token information, the policy corresponding to that user account can be found, and all connections corresponding to the token information can be found and disconnected according to that policy, so that precise blocking of particular applications is achieved.
S380, if no issued policy exists, searching for the token information through the first red-black tree cached in memory.
If the policy center has not issued a policy, the authenticated token information is searched for through the first red-black tree using the token value as the index, so that the corresponding authenticated token value can be located quickly.
S390, if the token value is the same as the authenticated token value in the first red-black tree and has access rights, allowing the user to access the application; if the token value is the same as the authenticated token value in the first red-black tree but has no access rights, blocking the user from accessing the application.
When no policy has been issued and the token value is the same as the authenticated token value in the first red-black tree, it is necessary to check whether the user access request corresponding to the token value has access rights: if so, the user is allowed to access the application directly, and if not, the user is prevented from accessing the application. Optionally, if no authenticated token information is found in the first red-black tree, the user is returned to the authentication page and must re-authenticate at the authentication center, which is not described in detail in this embodiment.
In this embodiment, the system stores the authenticated token information by using a "second-level cache", where not only one authenticated token information is cached in each session, but also the authenticated token information is cached in the local memory, which may also be referred to as a "double-cache mechanism". Under the condition that the session information cache is lost under the conditions of single sign-on, browser closing and the like, if the authenticated token information is not found in the session cache, the authenticated token information cached in the memory is searched instead of requesting the authentication center to authenticate the token value again, and the user access rate is improved.
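A worked example of steps S310 to S390 in Python, added here and not the patent's own code. Two dicts stand in for the first and second red-black trees and hold the same record objects, as the shared-node option describes; `Gateway.decide` walks the session cache, then the memory cache, then the policy and expiry checks, and `issue_policy` uses the user/terminal index the way a policy push from the policy center would. The record fields, the policy format, and the sample tokens and users are assumptions. One difference from the flow above: the policy is looked up after the record has been found, because a policy is keyed by user and terminal account rather than by token value.

```python
import hmac
from dataclasses import dataclass

ALLOW, BLOCK, REAUTH = "allow", "block", "reauth"


@dataclass
class TokenRecord:
    """Authenticated token information as listed in the embodiment (field names assumed)."""
    token: str
    user_id: str        # user account
    terminal_id: str    # user terminal account
    apps: set           # accessible application list (used here as the access rights)
    expires_at: float   # timeout information, as a Unix timestamp


class TokenCache:
    """Memory cache with two indexes over the SAME record objects.

    by_token plays the first tree (S310), by_user the second tree (S320).
    Plain dicts stand in for the red-black trees; the point shown is that both
    indexes point at one shared record, so a change is visible through either.
    """

    def __init__(self):
        self.by_token = {}
        self.by_user = {}

    def insert(self, rec):
        self.by_token[rec.token] = rec
        self.by_user[(rec.user_id, rec.terminal_id)] = rec

    def remove(self, rec):
        self.by_token.pop(rec.token, None)
        self.by_user.pop((rec.user_id, rec.terminal_id), None)


def _same_token(a, b):
    # Constant-time comparison: a plain == on a secret leaks timing information.
    return hmac.compare_digest(a.encode(), b.encode())


class Gateway:
    def __init__(self, cache):
        self.cache = cache
        # (user_id, terminal_id) -> "block" | "reauth" | {"apps": {...}}; format assumed.
        self.policies = {}

    def issue_policy(self, user_id, terminal_id, policy):
        """Policy-center push (S370): the second index finds the live record by user/terminal.

        Returns the affected token value so its connections can be cut, or None.
        """
        self.policies[(user_id, terminal_id)] = policy
        rec = self.cache.by_user.get((user_id, terminal_id))
        if rec is None:
            return None
        if isinstance(policy, dict):
            # Permission change: mutating the shared record also updates the
            # copy held in every session cache, since they are the same object.
            rec.apps = set(policy["apps"])
        return rec.token

    def decide(self, session, token, app, now):
        """session is the per-connection cache (the connection information structure)."""
        rec = session.get("rec")
        if rec is None or not _same_token(token, rec.token):
            # First-level cache lost (SSO hop, browser closed): fall back to the
            # memory tree (S380) instead of asking the authentication center again.
            rec = self.cache.by_token.get(token)
            if rec is None:
                return REAUTH
            session["rec"] = rec
        policy = self.policies.get((rec.user_id, rec.terminal_id))
        if policy == "block":
            return BLOCK
        if policy == "reauth":
            return REAUTH
        if now >= rec.expires_at:
            # Expired: drop it from both levels so it cannot be replayed (S360).
            self.cache.remove(rec)
            session.pop("rec", None)
            return REAUTH
        return ALLOW if app in rec.apps else BLOCK
```

Two details matter in practice: the token comparison is constant-time, and an expired record is evicted from both cache levels on first sight rather than left for a sweeper, since a stale second-level entry is exactly what would let a revoked token keep working.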
In another embodiment, a plurality of work processes may work simultaneously, and when one process receives blocking information, the blocking information needs to be transferred to other processes, so as to block the connection of the related token in all the processes. As shown in fig. 5, fig. 5 is a flowchart of another token-based application access control method provided in the embodiment of the present invention, which specifically includes the following steps:
S410, adding array information to the message structure of each worker process; the array information is used to send the authenticated token value to the other worker processes.
Since nginx has multiple worker processes working simultaneously, as shown in fig. 6, which is a schematic diagram of the multi-worker-process model provided in an embodiment of the present invention, when one process receives blocking information it must be distributed to the other processes so that the connections of the related token are blocked in all processes. The system modifies the original nginx message mechanism to suit communication between its worker processes.
In a multi-process state, when judging that a user has no authority to access an application, an original message mechanism can only block access connection in one working process, and existing connections of the user in other processes can still be accessed continuously, so that accurate real-time blocking of all processes cannot be realized.
And S420, when the work process is blocked, controlling the work process to send the blocked authenticated token value to other work processes.
In this embodiment, array information is added to the message structure of each worker process; the array information carries the authenticated token value from the current worker process to the other worker processes. When a worker process performs a block, it sends the blocked authenticated token value to the other worker processes, so that they can perform the blocking operation according to that authenticated token value.
S430, controlling other working processes to judge whether the blocked authenticated token value is equal to the token value in the local access connection; and if so, controlling other work processes to block the local access connection.
After the other working processes obtain the blocked authenticated token value, firstly judging whether the token value in the access connection of the local working process is the blocked authenticated token value, if so, directly controlling the other working processes to block the local access connection.
In the embodiment, the array information containing the authenticated token value is set in each work process to realize smooth communication among the work processes, so that when a certain authenticated token value is blocked, synchronous blocking of the token value in a plurality of work processes is realized, and the blocking accuracy and the blocking efficiency are improved.
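A worked example of steps S410 to S430 in Python, added here and not the patent's code. Each worker process is modelled as a thread with its own connection table and an inbox that plays the role of the array information in the message structure. The worker that receives the blocking command cuts its own matching connections and fans the token value out to the others, which do the same on their next loop turn; no connection for the blocked token survives in any worker. Worker and connection identifiers and the sample tokens are constructed.

```python
import hmac
import queue
import threading


class Worker(threading.Thread):
    """One nginx-style worker: its own connections plus an inbox for blocked tokens."""

    def __init__(self, wid):
        super().__init__(daemon=True)
        self.wid = wid
        self.connections = {}          # conn_id -> authenticated token value
        self.lock = threading.Lock()
        self.inbox = queue.Queue()     # the per-process "array information"
        self.closed = []               # conn_ids this worker has cut

    def run(self):
        while True:
            token = self.inbox.get()
            if token is None:          # shutdown sentinel
                break
            self.block_local(token)

    def block_local(self, token):
        """S430: compare the blocked token with every local connection and cut matches."""
        with self.lock:
            hits = [cid for cid, t in self.connections.items()
                    if hmac.compare_digest(t.encode(), token.encode())]
            for cid in hits:
                del self.connections[cid]
            self.closed.extend(hits)
        return hits


class WorkerPool:
    def __init__(self, n_workers):
        self.workers = [Worker(i) for i in range(n_workers)]
        for w in self.workers:
            w.start()

    def accept(self, wid, conn_id, token):
        """A request authenticated with `token` lands on worker `wid`."""
        with self.workers[wid].lock:
            self.workers[wid].connections[conn_id] = token

    def receive_block_command(self, wid, token):
        """S420: worker `wid` got the blocking command; cut locally, then fan out."""
        self.workers[wid].block_local(token)
        for w in self.workers:
            if w.wid != wid:
                w.inbox.put(token)

    def live_tokens(self):
        """Token values that still have an open connection somewhere in the pool."""
        return {t for w in self.workers for t in list(w.connections.values())}

    def shutdown(self):
        # Sentinels queue behind any pending block messages, so join() only
        # returns once every worker has drained its inbox.
        for w in self.workers:
            w.inbox.put(None)
        for w in self.workers:
            w.join(timeout=5)
```

Without the fan-out step, only the worker that received the command would close its connections, which is the single-process limitation the embodiment describes; the check that matters after a block is that `live_tokens()` no longer contains the revoked value.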
In a specific example of this embodiment, the user access process is described in detail. When the user accesses an application through the browser and enters the URL, if the user has not authenticated, the browser is automatically redirected to the authentication address of the unified authentication center and the login page of the unified authentication gateway is displayed. The user authenticates according to the authentication mode configured by the unified authentication; after authentication is complete, the browser is redirected back to the originally requested application address and the application is accessed successfully. As shown in fig. 7, which is a signaling diagram of the token-based application access control process according to an embodiment of the present invention, the steps are as follows:
In the data preparation phase: when the application program is initialized, two red-black trees are created in memory using nginx's built-in red-black tree. (After the authentication center passes the authentication and returns the permission information, a token connection information structure is created; one token tree is inserted into according to the token value, and the other according to the user account and/or user terminal account.) The policy center issues access control policies to the gateway and the authentication center, including blocking, future permission changes and other policies.
In the stage where the user first accesses the application through the gateway: the user accesses the gateway proxy address https://GWIP:ProxyPort through the browser (the purpose being to reach the application through the gateway); the gateway tries to obtain authenticated token information; if it cannot, it returns a redirect to the authentication login page; on receiving the redirect, the user is sent to the authentication center's proxy address on the gateway; the authentication center returns the login page on receiving the request; the user submits authentication information according to the authentication mode configured by the authentication center; the authentication center verifies the user information and, if it passes, generates a token value, writes a cookie, returns the generated authenticated token information (comprising the authenticated token value, user account, user terminal account, user access rights, timeout period and accessible application list) to the gateway, and then returns a redirect to the application's proxy address on the gateway. (After the authentication center passes the authentication and returns the permission information, a connection information structure (session cache information) is created based on the authenticated token value; at the same time, one tree is inserted into according to the authenticated token value and the other (memory tree cache information) according to the user ID (user account) and terminal ID (user terminal account), so the corresponding token information is stored in both trees.)
The user is redirected again to the originally requested application proxy address, and the request carries the authenticated token value; the user (or client) accesses the gateway proxy address https://GatewayIP:Port through the browser, with the token value in the cookie field of the HTTP header. The gateway obtains the token value from the request and first checks whether it exists in the session's connection cache (connection information structure). Normally the authenticated token value is present there; the gateway compares the token value in the cookie with the authenticated token value cached for the connection, and if they are equal, the token has not expired and it has the right to access the application, the request is passed and the user is allowed to access the application.
If the session connection cache holds no authenticated token value, or the values are not equal, the corresponding cache entry is searched for in the memory trees. Before searching, the gateway checks whether a policy has been issued to it; if no policy has been issued, the authenticated token value stored in the first tree is searched for, and once found, the gateway checks whether the token is authorized to access the application and has not expired, and if so passes the request.
If any policy (such as blocking, permission change or secondary authentication) has been issued, the tree created with the user ID/terminal ID as KEY (index) is searched. If no related authenticated token information is found in the memory trees, the user is re-authenticated by the authentication center. That is, when neither the session cache nor the trees hold an entry, the authentication center must re-authenticate; once authentication passes, the gateway receives the permission information (including the accessible application list) returned by the authentication center and updates or inserts the trees according to the userID and/or terminalID in that information. It then judges whether the user has the right to access the application, passes the request if so and blocks it if not; in other words, the second-level cache may be updated at this point.
If the token value is verified successfully, the gateway can detect whether the user has the authority to access the application in the accessible valid period range, and if the user has the authority, the gateway proxies the user request to the intranet application; the application system receives the request and returns application information; the user successfully accesses the application.
In addition, after receiving a blocking command, the gateway clears the entry in the red-black tree, then finds all connections by token value and disconnects them. Because the worker process that received the blocking information sends the related token value to all other worker processes, each of which compares the received token value with the tokens of its local connections and closes those that are equal, synchronous blocking across multiple worker processes is achieved and the blocking accuracy is improved.
Example two
Fig. 8 is a schematic structural diagram of an application access control device based on token according to an embodiment of the present invention. As shown in fig. 8, the apparatus includes:
the credential establishing module 510 is configured to establish corresponding credential token information according to the user access information;
a credential comparison module 520, configured to compare token information with an authenticated token value stored in the connection information structure; the connection information structure body comprises an authenticated token value and connection information thereof;
an access pass block module 530 for allowing the user to access the application when the token value is the same as the authenticated token value, is not expired, and has corresponding access rights.
In this embodiment, when a user client authenticates and accesses an application through the gateway, a corresponding connection information structure is established in the session cache, and the corresponding authenticated token value and its connection information are stored in it. When the user accesses the application again, token information is generated according to the user access information and compared directly with the authenticated token value stored in the connection information structure; if the token value is the same as the authenticated token value, is within the time range in which access is allowed, and has the corresponding access rights, the user is allowed to access the application directly. The connection information of the user's access is thus stored separately through the connection information structure rather than centrally in a database, so the database lookup is omitted and the user's access rate to the application is improved. In addition, when the authenticated token information in the connection information structure has expired or has no rights, the user's access can be blocked quickly and in real time, which improves the security of user access.
Optionally, the token-based application access control apparatus further includes: the authentication information acquisition module is used for acquiring authenticated token information generated by the authentication center according to the authentication information submitted by the user; the structure body creation module is used for creating a corresponding connection information structure body in the session cache according to the authenticated token value; storing the authenticated token information in a corresponding connection information structure; the connection information structure body is provided with a pointer variable, and the pointer variable is pointed to the authenticated token information.
Optionally, the token-based application access control apparatus further includes: and the binary tree creating module is used for storing the authenticated token value in a memory cache in a form of a red-black binary tree.
Optionally, the binary tree creating module is specifically configured to: creating a first binary red-black tree by taking a token value in the authenticated token values as an index; creating a second binary red-black tree by taking the user account and the user terminal account in the authenticated token value as indexes; each node of the first binary red-black tree and each node of the second binary red-black tree are arranged in a one-to-one correspondence manner; and the same storage structure body is adopted for storage; each node stores a corresponding authenticated token value.
Optionally, the token-based application access control apparatus further includes: the array adding module is used for adding array information in the message structure body of each work process; the array information is used for sending the authenticated token value to other work processes; the blocking information sending module is used for controlling the working process to send the blocked authenticated token value to other working processes when the working process is blocked; the connection blocking module is used for controlling other working processes to judge whether the blocked authenticated token value is equal to the authenticated token value in the local access connection; and if so, controlling other work processes to block the local access connection.
EXAMPLE III
Fig. 9 is a schematic structural diagram of a computer device according to an embodiment of the present invention. FIG. 9 illustrates a block diagram of a computer device 312 suitable for use in implementing embodiments of the present invention. The computer device 312 shown in FIG. 9 is only an example and should not limit the functionality or scope of use of embodiments of the present invention. Device 312 is a typical computing device for token-based application access control.
As shown in fig. 9, computer device 312 is in the form of a general purpose computing device. The components of computer device 312 may include, but are not limited to: one or more processors 316, a storage device 328, and a bus 318 that couples the various system components including the storage device 328 and the processors 316.
Bus 318 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus.
Computer device 312 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 312 and includes both volatile and nonvolatile media, removable and non-removable media.
Storage 328 may include computer system readable media in the form of volatile Memory, such as Random Access Memory (RAM) 330 and/or cache Memory 332. The computer device 312 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 334 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 9, and commonly referred to as a "hard drive"). Although not shown in FIG. 9, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a Compact disk-Read Only Memory (CD-ROM), a Digital Video disk (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 318 by one or more data media interfaces. Storage 328 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program 336 having a set (at least one) of program modules 326 may be stored, for example, in storage 328, such program modules 326 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which may comprise an implementation of a network environment, or some combination thereof. Program modules 326 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
The computer device 312 may also communicate with one or more external devices 314 (e.g., keyboard, pointing device, camera, display 324, etc.), with one or more devices that enable a user to interact with the computer device 312, and/or with any devices (e.g., network card, modem, etc.) that enable the computer device 312 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 322. Also, computer device 312 may communicate with one or more networks (e.g., a Local Area Network (LAN), Wide Area Network (WAN), etc.) and/or a public Network, such as the internet, via Network adapter 320. As shown, network adapter 320 communicates with the other modules of computer device 312 via bus 318. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the computer device 312, including but not limited to: microcode, device drivers, Redundant processing units, external disk drive Arrays, disk array (RAID) systems, tape drives, and data backup storage systems, to name a few.
The processor 316 executes various functional applications and data processing by running programs stored in the storage 328, for example, implementing the token-based application access control method provided by the above-described embodiment of the present invention.
Example four
Embodiments of the present invention provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processing device, implements an identity authentication and authorization method as in the embodiments of the present invention. The computer readable medium of the present invention described above may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. 
A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring a corresponding voucher token value according to the user access information; comparing the token value with the authenticated token value stored in the connection information structure; the connection information structure stores authenticated token information; the authenticated token information includes an authenticated token value; if the token value is the same as the authenticated token value, is not expired and has corresponding access authority, allowing the user to access the application; otherwise, the user is blocked from accessing the application.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. In some cases, the name of a unit does not constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A token-based application access control method is characterized by comprising the following steps:
acquiring a corresponding credential token value according to the user access information;
comparing the token value with an authenticated token value stored in a connection information structure; the connection information structure stores authenticated token information; the authenticated token information comprises an authenticated token value;
and if the token value is the same as the authenticated token value, is not expired and has corresponding access authority, allowing the user to access the application.
2. The token-based application access control method of claim 1, wherein the authenticated token information comprises: an authenticated token value, a user account, a user terminal account, user access rights, timeout information, and a list of accessible applications.
3. The token-based application access control method of claim 1,
before comparing the token value with the authenticated token value stored in the connection information structure, the method further includes:
acquiring authenticated token information generated by an authentication center according to authentication information submitted by a user;
creating a corresponding connection information structure body in the session cache according to the authenticated token value; storing the authenticated token information in the corresponding connection information structure;
and the connection information structure body is provided with a pointer variable that points to the authenticated token information.
4. The token-based application access control method of claim 1, further comprising:
storing the authenticated token information in a memory cache in a form of a binary red-black tree;
storing the authenticated token information in a memory cache in a form of a binary red-black tree, including:
creating a first binary red-black tree by taking the authenticated token value in the authenticated token information as an index;
creating a second binary red-black tree by taking the user account and/or the user terminal account in the authenticated token information as an index;
each node of the first binary red-black tree and each node of the second binary red-black tree are arranged in one-to-one correspondence and stored using the same storage structure body; each node stores the corresponding authenticated token information.
5. The token-based application access control method of claim 4, further comprising:
if the connection information structure body does not have the authenticated token value, or the token value is different from the authenticated token value, searching for the authenticated token value through a first binary red-black tree cached in a memory;
if the token value is the same as the authenticated token value in the first binary red-black tree, the token value is not expired and the token value has access right, allowing a user to access the application; otherwise, the user is blocked from accessing the application.
6. The token-based application access control method of claim 5, wherein before searching the authenticated token value through the first binary red-black tree cached in the memory, the method further comprises:
judging whether an issuing strategy exists or not; the issuing strategy comprises at least one of blocking, permission changing and secondary authentication;
if the issuing strategy exists, searching the second binary red-black tree according to the user account and/or the user terminal account, and controlling the user to access the application according to the issuing strategy.
7. The token-based application access control method of claim 5, wherein there are a plurality of work processes for a user to access an application;
the token-based application access control method further comprises the following steps:
adding array information in a message structure body of each work process; the array information is used for sending the authenticated token value to other work processes;
when the work process is blocked, controlling the work process to send the blocked authenticated token value to other work processes;
controlling the other work processes to judge whether the blocked authenticated token value is equal to the authenticated token value in their local access connection; and if so, controlling the other work processes to block the local access connection.
8. A token-based application access control apparatus, comprising:
a credential establishing module, used for acquiring a corresponding credential token value according to the user access information;
a credential comparison module, used for comparing the token value with the authenticated token value stored in the connection information structure body; the connection information structure stores authenticated token information; the authenticated token information comprises an authenticated token value;
and an access allow/block module, used for allowing the user to access the application when the token value is the same as the authenticated token value, the token value is not expired and the token value has corresponding access right.
9. A computer device, the device comprising: memory, processor and computer program stored on the memory and executable on the processor, the processor implementing a token-based application access control method according to any of claims 1-8 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processing device, carries out a token-based application access control method according to any one of claims 1 to 8.
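The decision procedure of claims 1 to 7, as an added Python example that is not the patent's own code: plain dicts stand in for the two binary red-black trees of claim 4, a per-connection dict entry pointing at the shared node stands in for the connection information structure and its pointer variable, and direct method calls between Worker objects stand in for the message array of claim 7. Token strings, account names, application names and the integer clock are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class AuthToken:  # authenticated token information (claim 2); values are constructed samples
    token: str
    user: str
    rights: frozenset
    expires_at: int  # timeout information on a constructed integer clock
    apps: frozenset  # list of accessible applications

class Worker:  # one work process; dicts stand in for the two binary red-black trees of claim 4
    def __init__(self):
        self.by_token = {}    # first tree: authenticated token value -> node
        self.by_user = {}     # second tree: user account -> the same node object
        self.conn = {}        # connection information structure: conn_id -> node ("pointer variable")
        self.blocked = set()  # token values blocked here or announced by other work processes
        self.peers = []       # other work processes reachable through the message array (claim 7)

    def register(self, node):
        """Claim 3: authenticated token information received from the authentication center."""
        self.by_token[node.token] = node
        self.by_user[node.user] = node

    def receive_blocked(self, token):
        """Claim 7: drop every local connection whose authenticated token equals the blocked value."""
        self.blocked.add(token)
        self.conn = {c: n for c, n in self.conn.items() if n.token != token}

    def block_token(self, token):
        """Block locally, then send the blocked token value to the other work processes."""
        self.receive_blocked(token)
        for peer in self.peers:
            peer.receive_blocked(token)

    def apply_policy(self, user, strategy, new_rights=None):
        """Claim 6: issuing strategy (block, change rights, secondary auth) via the user index."""
        node = self.by_user.get(user)
        if node is None:
            return False
        if strategy == "block":
            self.block_token(node.token)
        elif strategy == "change_rights":
            node.rights = frozenset(new_rights)  # shared node object: both indexes see the change
        elif strategy == "reauth":
            # secondary authentication: evict the cached credential so the user must log in again
            self.by_token.pop(node.token, None)
            self.by_user.pop(user, None)
            self.conn = {c: n for c, n in self.conn.items() if n is not node}
        return True

    def check(self, conn_id, token, app, right, now):
        """Claims 1 and 5: fast path via the connection structure, fallback via the token tree."""
        if token in self.blocked:
            return "blocked"
        node = self.conn.get(conn_id)
        if node is None or node.token != token:
            node = self.by_token.get(token)
            if node is None:
                return "unknown"
            self.conn[conn_id] = node  # point this connection at the node for later requests
        if now >= node.expires_at:
            return "expired"
        if app not in node.apps or right not in node.rights:
            return "forbidden"
        return "allow"
```

Each Worker holds its own copy of the authenticated token information, so a rights change made in one process is not visible in another; only blocked token values are propagated, as claim 7 describes.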
CN202110931768.0A 2021-08-13 2021-08-13 Token-based application access control method and device, equipment and storage medium thereof Active CN113836510B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110931768.0A CN113836510B (en) 2021-08-13 2021-08-13 Token-based application access control method and device, equipment and storage medium thereof

Publications (2)

Publication Number Publication Date
CN113836510A true CN113836510A (en) 2021-12-24
CN113836510B CN113836510B (en) 2022-07-12

Family

ID=78960599

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110931768.0A Active CN113836510B (en) 2021-08-13 2021-08-13 Token-based application access control method and device, equipment and storage medium thereof

Country Status (1)

Country Link
CN (1) CN113836510B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114418657A (en) * 2021-12-28 2022-04-29 航天信息股份有限公司 Method for acquiring billing data, electronic device and medium
CN114866331A (en) * 2022-05-31 2022-08-05 新华三信息安全技术有限公司 Dynamic access authentication method under zero trust network, gateway equipment and storage medium
CN115033608A (en) * 2022-08-12 2022-09-09 广东采日能源科技有限公司 Energy storage system information grading processing method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130173665A1 (en) * 2012-01-03 2013-07-04 Oracle International Corporation System and method for efficient representation of dynamic ranges of numeric values
US20140130180A1 (en) * 2012-11-07 2014-05-08 International Business Machines Corporation Control of access to files
CN108319509A (en) * 2017-12-20 2018-07-24 瑞斯康达科技发展股份有限公司 A kind of event management method, system and main control device
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN111291364A (en) * 2018-12-07 2020-06-16 阿里巴巴集团控股有限公司 Kernel security detection method, device, equipment and storage medium
CN112564916A (en) * 2020-12-01 2021-03-26 上海艾融软件股份有限公司 Access client authentication system applied to micro-service architecture

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114418657A (en) * 2021-12-28 2022-04-29 航天信息股份有限公司 Method for acquiring billing data, electronic device and medium
CN114866331A (en) * 2022-05-31 2022-08-05 新华三信息安全技术有限公司 Dynamic access authentication method under zero trust network, gateway equipment and storage medium
CN114866331B (en) * 2022-05-31 2024-02-09 新华三信息安全技术有限公司 Dynamic access authentication method and device under zero trust network and storage medium
CN115033608A (en) * 2022-08-12 2022-09-09 广东采日能源科技有限公司 Energy storage system information grading processing method and system
CN115033608B (en) * 2022-08-12 2022-11-04 广东采日能源科技有限公司 Energy storage system information grading processing method and system

Also Published As

Publication number Publication date
CN113836510B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
CN113836510B (en) Token-based application access control method and device, equipment and storage medium thereof
US10949526B2 (en) User device authentication
US8220032B2 (en) Methods, devices, and computer program products for discovering authentication servers and establishing trust relationships therewith
CN107181720B (en) Software Defined Networking (SDN) secure communication method and device
US6339423B1 (en) Multi-domain access control
US8132242B1 (en) Automated authentication of software applications using a limited-use token
EP1427160B1 (en) Methods and systems for authentication of a user for sub-locations of a network location
US8640202B2 (en) Synchronizing user sessions in a session environment having multiple web services
US7913077B2 (en) Preventing IP spoofing and facilitating parsing of private data areas in system area network connection requests
WO2017028804A1 (en) Web real-time communication platform authentication and access method and device
US8838959B2 (en) Method and apparatus for securely synchronizing password systems
US7043455B1 (en) Method and apparatus for securing session information of users in a web application server environment
CN110999213A (en) Hybrid authentication system and method
US9147062B2 (en) Renewal of user identification information
US9584615B2 (en) Redirecting access requests to an authorized server system for a cloud service
US20210084020A1 (en) System and method for identity and authorization management
US20190373016A1 (en) Providing cross site request forgery protection at an edge server
CN112491776B (en) Security authentication method and related equipment
CN112511565B (en) Request response method and device, computer readable storage medium and electronic equipment
CN111147525A (en) Authentication method, system, server and storage medium based on API gateway
US7308578B2 (en) Method and apparatus for authorizing execution for applications in a data processing system
US7899918B1 (en) Service accounting in a network
JP7513584B2 (en) Method, computer program product, and system for managing shared authentication credentials - Patents.com
US11405379B1 (en) Multi-factor message-based authentication for network resources
CN114090996A (en) Multi-party system mutual trust authentication method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant