CN113934994A - Method and device for constructing method-level authority - Google Patents


Info

Publication number
CN113934994A
Authority
CN
China
Prior art keywords
request
request method
url
url path
user
Legal status
Pending
Application number
CN202111072415.6A
Other languages
Chinese (zh)
Inventor
诸焕辉
李小强
凌晨
李忠文
林玉千
许畅
章尊志
刘卜铷
孙小博
周尧
Current Assignee
Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Original Assignee
Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Application filed by Shenzhen Digital Power Grid Research Institute of China Southern Power Grid Co Ltd
Priority to CN202111072415.6A
Publication of CN113934994A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]

Abstract

The invention discloses a method and a device for constructing method-level authority, wherein the method comprises the following steps: based on the metadata rule of the service development platform, acquiring request method information contained in the service development platform, and obtaining an application service list according to all the request method information, wherein the request method information comprises a URL path; for any request method in an application service list, constructing a first association relation between a URL path included by the request method and a request method authority corresponding to the request method; acquiring second association relations between the plurality of request method authorities and corresponding roles; and respectively constructing a first mapping relation between the URL path included by each request method and the matched role in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database. Therefore, the method level authority control aiming at all application systems can be quickly, efficiently and accurately constructed by implementing the method level authority control method.

Description

Method and device for constructing method-level authority
Technical Field
The invention relates to the technical field of system authority management, in particular to a method and a device for realizing method-level authority control.
Background
System authority management has always been an indispensable component of an application system, and different users have different requirements on system functions. At present, a set of authority mechanisms can be established simply and quickly for a newly developed system by using the popular method-level authority framework Spring Security. However, some historical systems that have been developed over a long period were not thoroughly considered at the design stage, and as their own services have evolved, some earlier method-level authority designs can no longer meet current service requirements. When the new method-level authority framework Spring Security is introduced, a great deal of manual, repetitive work is needed: the related Spring jar packages have to be upgraded and the corresponding authority annotations added to each method, so efficiency is low. Meanwhile, the method URLs of each module are counted manually by designers, so misoperation is easy, and both accuracy and efficiency are low.
Therefore, how to quickly, efficiently and accurately construct the method-level authority control for all application systems is a technical problem to be solved in the field.
Disclosure of Invention
The invention aims to provide a method-level authority construction method and a device, which can quickly, efficiently and accurately construct method-level authority control aiming at all application systems.
In order to solve the above technical problem, a first aspect of the present invention discloses a method for constructing method-level permissions, where the method includes:
based on a metadata rule of a service development platform, acquiring request method information contained in the service development platform, and storing all the request method information into a target data table to obtain an application service list, wherein the request method information comprises a URL path;
for any request method in the application service list, constructing a first association relation between a URL path included in the request method and a request method authority corresponding to the request method to obtain the first association relation corresponding to the request method;
acquiring second association relations between the plurality of request method authorities and corresponding roles;
and respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database.
As an optional implementation manner, in the first aspect of the present invention, after storing the first mapping relationship in the target database, the method further includes:
for any request method in the application service list, determining a URL mode to which a URL path included in the request method belongs, establishing a third association relation between the URL path included in the request method and the corresponding URL mode, and obtaining a third association relation corresponding to the request method;
and constructing a second mapping relation between the URL mode in the third association relation and the matched role in the second association relation based on a first mapping relation between the URL path included by each request method and the matched role in the second association relation and a third association relation corresponding to each request method, and storing the second mapping relation into the target database.
As an optional implementation manner, in the first aspect of the present invention, the determining, for any one request method in the application service manifest, a URL pattern to which a URL path included in the request method belongs includes:
analyzing the application service list to obtain at least one URL mode;
for a URL path included in any request method in the application service list, analyzing the URL path included in the request method, and determining a characteristic value contained in the URL path included in the request method;
and determining the URL mode to which the URL path included in the request method belongs according to the characteristic value.
As an optional implementation manner, in the first aspect of the present invention, the analyzing the application service manifest to obtain at least one URL pattern includes:
acquiring URL paths included by all the request methods in the application service list;
analyzing and extracting characteristic values of all URL paths to obtain a first characteristic value set;
merging the same characteristic values in the first characteristic value set to obtain a second characteristic value set;
and determining the URL mode corresponding to each characteristic value in the second characteristic value set.
As an optional implementation manner, in the first aspect of the present invention, after storing the first mapping relationship in the target database, the method further includes:
detecting an operation request sent by a user, wherein the operation request comprises user basic information and a target URL path;
determining one or more user roles according to the user basic information;
searching a role corresponding to the target URL path in the target database according to the target URL path;
judging whether a role corresponding to the target URL path exists in the user roles;
if the role corresponding to the target URL path exists in the user roles, executing the operation corresponding to the operation request sent by the user;
and if the role corresponding to the target URL path does not exist in the user roles, prompting the user that no operation authority exists.
As an alternative implementation, in the first aspect of the present invention, the method further includes:
constructing a request interceptor;
after the operation request sent by the user is detected, the method further comprises the following steps:
intercepting the operation request through the request interceptor, analyzing the operation request when the interception is successful, obtaining the user basic information included in the operation request, and extracting the target URL path in the operation request based on a Filter Security filter.
As an optional implementation manner, in the first aspect of the present invention, the user basic information includes a target user identifier;
the determining the user role according to the user basic information comprises the following steps:
acquiring a fourth association relation between a preset user identifier and a role;
and determining the user role corresponding to the target user identifier based on the fourth association relation.
The second aspect of the present invention discloses a method level authority constructing device, which includes:
the acquisition module is used for acquiring request method information contained in a service development platform based on a metadata rule of the service development platform, and storing all the request method information into a target data table to obtain an application service list, wherein the request method information comprises a URL path;
the first association module is used for constructing a first association relation between a URL path included by the request method and a request method authority corresponding to the request method for any request method in the application service list to obtain the first association relation corresponding to the request method;
the second association module is used for acquiring a second association relation between the plurality of request method authorities and the corresponding roles;
and the first mapping module is used for respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database.
As an alternative embodiment, in the second aspect of the present invention, the apparatus further comprises:
a third association module, configured to determine, for any one of the request methods in the application service list, a URL pattern to which a URL path included in the request method belongs, establish a third association relationship between the URL path included in the request method and a corresponding URL pattern, and obtain a third association relationship corresponding to the request method;
and the second mapping module is used for constructing a second mapping relation between the URL pattern in the third association relation and the role matched in the second association relation based on the first mapping relation between the URL path included in each request method and the role matched in the second association relation and the third association relation corresponding to each request method, and storing the second mapping relation into the target database.
As an alternative embodiment, in the second aspect of the present invention, the third associating module includes:
the analysis submodule is used for analyzing the application service list to obtain at least one URL mode;
a first determining submodule, configured to analyze, for a URL path included in any one of the request methods in the application service manifest, the URL path included in the request method, and determine a feature value included in the URL path included in the request method;
and the second determining submodule is used for determining the URL mode to which the URL path included by any request method belongs according to the characteristic value included in the URL path included by the request method.
As an optional implementation manner, in the second aspect of the present invention, the manner in which the analysis submodule analyzes the application service list to obtain the at least one URL pattern specifically includes:
acquiring URL paths included by all the request methods in the application service list;
analyzing and extracting characteristic values of all URL paths to obtain a first characteristic value set;
merging the same characteristic values in the first characteristic value set to obtain a second characteristic value set;
and determining the URL mode corresponding to each characteristic value in the second characteristic value set.
As an alternative embodiment, in the second aspect of the present invention, the apparatus further comprises:
the detection module is used for detecting an operation request sent by a user, wherein the operation request comprises user basic information and a target URL path;
the role determining module is used for determining one or more user roles according to the user basic information;
the role searching module is used for searching a role corresponding to the target URL path in the target database according to the target URL path;
the judging module is used for judging whether a role corresponding to the target URL path exists in the user roles; if the role corresponding to the target URL path exists in the user roles, executing the operation corresponding to the operation request sent by the user; and if the role corresponding to the target URL path does not exist in the user roles, prompting the user that no operation authority exists.
As an alternative embodiment, in the second aspect of the present invention, the apparatus further comprises:
the construction module is used for constructing a request interceptor;
the device further comprises:
and the interception module is used for intercepting the operation request through the request interceptor after the operation request sent by the user is detected, analyzing the operation request when the interception is successful, obtaining the user basic information included in the operation request, and extracting the target URL path in the operation request based on a Filter Security filter.
As an optional implementation manner, in the second aspect of the present invention, the user basic information includes a target user identifier;
the role determination module determines a user role according to the user basic information, and specifically includes:
acquiring a fourth association relation between a preset user identifier and a role;
and determining the user role corresponding to the target user identifier based on the fourth association relation.
The third aspect of the present invention discloses another method-level authority constructing device, which includes:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the method for constructing the method-level permission disclosed by the first aspect of the invention.
The fourth aspect of the present invention discloses a computer-readable storage medium, in which computer instructions are stored, and when the computer instructions are called, the computer instructions are used for executing the method for constructing the method-level permissions disclosed in the first aspect of the present invention.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, based on a metadata rule of a service development platform, request method information contained in the service development platform is obtained, wherein the request method information comprises a URL path, and all the request method information is stored in a target data table to obtain an application service list; for any request method in the application service list, constructing a first association relation between a URL path included in the request method and a request method authority corresponding to the request method to obtain the first association relation corresponding to the request method; acquiring second association relations between the plurality of request method authorities and corresponding roles; and respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database. Therefore, the method level authority control aiming at all application systems can be quickly, efficiently and accurately constructed by implementing the method level authority control method.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart illustrating a method for constructing method-level permissions according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application service list according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating another method for constructing method-level permissions, disclosed in an embodiment of the present invention;
FIG. 4 is a flowchart illustrating step S105 of another method-level privilege construction method disclosed in the embodiment of the present invention;
FIG. 5 is a diagram of a background domain model according to an embodiment of the present disclosure;
FIG. 6 is a diagram of background privilege constructing function module relationships disclosed in an embodiment of the present invention;
FIG. 7 is a flowchart illustrating a method for constructing a further method-level privilege, according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a method-level privilege constructing apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an apparatus for constructing a further method-level right according to the embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an apparatus for constructing a further method-level right according to the embodiment of the present invention;
FIG. 11 is a schematic structural diagram of another method-level right construction apparatus disclosed in the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, or article that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, apparatus, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The invention discloses a method level authority construction method and device, which can quickly, efficiently and accurately construct method level authority control aiming at all application systems. The following are detailed below.
Example one
Referring to fig. 1, fig. 1 is a schematic flow chart illustrating a method for constructing method-level permissions according to an embodiment of the present invention. The method for constructing the method-level authority described in fig. 1 may be applied to a portable computer or a server, and the embodiment of the present invention is not limited thereto. As shown in fig. 1, the method for constructing the method-level right may include the following operations:
S101, based on metadata rules of a service development platform, request method information contained in the service development platform is obtained, all the request method information is stored in a target data table, and an application service list is obtained, wherein the request method information comprises a URL path.
In the embodiment of the present invention, optionally, the service development platform may be a CAP intelligent service development platform. The CAP platform is an intelligent service development platform integrating modeling development, operation, monitoring and analysis. The service development platform may also be a historical system that is implemented on the CAP platform and has undergone long-term service development. The API export function provided by the service development platform can be used to quickly acquire the request method information contained in the platform.
Referring to fig. 2, fig. 2 is a schematic diagram of an application service list according to an embodiment of the present invention. The application service list comprises a plurality of request methods, and the request method information of the request methods comprises information such as entity types, request method Chinese names, request method English names, URL paths/method rest paths, method descriptions and the like.
In the embodiment of the invention, the request method information contained in the service development platform is automatically acquired through the metadata rule of the service development platform, so that a large amount of tedious manual mechanical operation is avoided, and the possibility of manual misoperation is reduced.
S102, for any request method in the application service list, constructing a first association relation between the URL path included in the request method and the request method authority corresponding to the request method, and obtaining the first association relation corresponding to the request method.
In the embodiment of the present invention, optionally, for any request method, the URL path included in the request method is used as the permission data value of the request method permission corresponding to the request method, and a corresponding relationship between the URL path included in the request method and the request method permission corresponding to the request method is constructed, so as to obtain the first association relationship corresponding to the request method.
S103, acquiring a second association relation between the plurality of request method authorities and the corresponding roles.
In the embodiment of the present invention, optionally, one request method permission may correspond to one role or to multiple roles. Similarly, one role may correspond to one request method permission or to multiple request method permissions. In addition, the second association relationship may be configured in advance by a developer, or may be obtained from the existing permission-role relationship of a historical system; the embodiment of the present invention is not limited in this respect.
S104, respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database.
In the embodiment of the present invention, according to the correspondence between the URL path included in the request method and the request method permission corresponding to the request method obtained in step S102, and the association between the plurality of request method permissions and the corresponding roles obtained in step S103, the request method permission is used as an intermediary to construct a mapping relationship between the URL path included in each request method and the role matched in the second association relationship, so as to obtain the first mapping relationship, that is, the method-level permission allocation. In this embodiment, a URL path included in one request method may correspond to one role or to a plurality of roles. Similarly, a role may correspond to the URL path included in one request method, or to the URL paths included in a plurality of request methods.
It can be seen that, by implementing the method for constructing based on the method-level authority described in fig. 1, request method information included in the service development platform is obtained through a metadata rule of the service development platform, the request method information includes a URL path, and all the request method information is stored in a target data table to obtain an application service list; for any request method in an application service list, constructing a first association relation between a URL path included by the request method and a request method authority corresponding to the request method to obtain the first association relation corresponding to the request method; acquiring second association relations between the plurality of request method authorities and corresponding roles; and respectively constructing a first mapping relation between the URL path included by each request method and the matched role in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database. The method level authority control aiming at all application systems can be quickly, efficiently and accurately constructed.
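The construction of the first mapping in steps S101 to S104, combined with the request-time check described in the Disclosure section (detecting the operation request, resolving the user's roles through the fourth association relation and comparing them with the roles bound to the target URL path), as an added Python example that is not code from the patent or from the CAP platform; the service list, permission-to-role and user-to-role tables are constructed sample data, and refusing URL paths that are unmapped or bound to no role is an assumption the page does not state.

```python
# Added example: building the URL-path -> permission -> role mapping of steps
# S101-S104 and applying it at request time. Not code from the patent or from
# the CAP platform; all tables below are constructed sample data.

# Application service list (S101): request-method information exported from the
# service development platform. The real export format is not shown on the page,
# so this record shape is an assumption.
APPLICATION_SERVICE_LIST = [
    {"entity": "Order", "name_en": "queryOrder",  "url": "/api/order/query"},
    {"entity": "Order", "name_en": "createOrder", "url": "/api/order/create"},
    {"entity": "Order", "name_en": "deleteOrder", "url": "/api/order/delete"},
    {"entity": "User",  "name_en": "listUsers",   "url": "/api/user/list"},
]

# Second association relation (S103): request-method permission -> roles, as a
# developer would pre-configure it. One permission may map to several roles.
PERMISSION_TO_ROLES = {
    "/api/order/query":  {"ROLE_CLERK", "ROLE_MANAGER"},
    "/api/order/create": {"ROLE_CLERK", "ROLE_MANAGER"},
    "/api/order/delete": {"ROLE_MANAGER"},
    # /api/user/list has deliberately not been assigned to any role yet.
}

# Fourth association relation: preset user identifier -> roles.
USER_TO_ROLES = {
    "alice": {"ROLE_CLERK"},
    "bob":   {"ROLE_MANAGER"},
    "eve":   set(),
}


def build_first_association(service_list):
    """S102: the URL path is used as the permission data value of the request
    method permission, so the first association is URL path -> permission."""
    return {method["url"]: method["url"] for method in service_list}


def build_first_mapping(service_list, permission_to_roles):
    """S104: compose the first and second associations, using the request method
    permission as the intermediary, into URL path -> set of roles."""
    first_association = build_first_association(service_list)
    return {
        url: set(permission_to_roles.get(permission, ()))
        for url, permission in first_association.items()
    }


class TargetDatabase:
    """Stand-in for the target database that stores the first mapping relation."""

    def __init__(self, first_mapping):
        self._roles_by_url = dict(first_mapping)

    def roles_for(self, url):
        # None means the URL path is not in the application service list at all.
        return self._roles_by_url.get(url)


def authorize(db, user_id, target_url):
    """Request-time check performed after the interceptor has extracted the user
    basic information and the target URL path: resolve the user's roles through
    the fourth association, look up the roles bound to the target URL path, and
    allow only if the two sets overlap. Unknown URL paths and paths bound to no
    role are refused (assumption: deny by default; the page does not say)."""
    user_roles = USER_TO_ROLES.get(user_id, set())
    url_roles = db.roles_for(target_url)
    if not url_roles:
        return False
    return bool(user_roles & url_roles)


if __name__ == "__main__":
    db = TargetDatabase(build_first_mapping(APPLICATION_SERVICE_LIST, PERMISSION_TO_ROLES))
    for user, url in [("alice", "/api/order/delete"), ("bob", "/api/order/delete")]:
        verdict = "execute" if authorize(db, user, url) else "no operation authority"
        print(f"{user} -> {url}: {verdict}")
```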
In an alternative embodiment, referring to fig. 3, fig. 3 is a flowchart illustrating another method level privilege constructing method disclosed in the embodiment of the present invention. As shown in fig. 3, the method for constructing the method-level right further includes the following operations:
S105, for any request method in the application service list, determining the URL mode to which the URL path included in the request method belongs, establishing a third association relationship between the URL path included in the request method and the corresponding URL mode, and obtaining the third association relationship corresponding to the request method.
In this embodiment of the present invention, optionally, the service system may perform system analysis based on the application service list to obtain at least one URL pattern. For example, the service list is analyzed by means of an intelligent algorithm or a manual analysis method to determine a plurality of URL patterns, where each URL pattern represents a set of resources that can be operated on. The corresponding URL pattern is determined according to the URL path included in the request method, and an association relation between the URL path included in the request method and the corresponding URL pattern is established. In this embodiment, a URL path included in one request method may correspond to one URL pattern or to a plurality of URL patterns.
In an alternative embodiment, as shown in fig. 4, fig. 4 is a flowchart of step S105 in another method-level privilege construction method. Step S105 is to determine, for any request method in the application service list, a URL pattern to which a URL path included in the request method belongs, and specifically includes the following steps:
s1051, analyzing the application service list to obtain at least one URL mode.
In the embodiment of the present invention, optionally, step S1051 specifically includes the following steps:
the method comprises the following steps of firstly, obtaining URL paths included by all request methods in an application service list.
And secondly, analyzing and extracting the characteristic values of all URL paths to obtain a first characteristic value set.
And thirdly, combining the same characteristic values in the first characteristic value set to obtain a second characteristic value set.
And fourthly, determining the URL mode corresponding to each characteristic value in the second characteristic value set.
S1052, for the URL path included by any request method in the application service list, analyzing the URL path included by the request method, and determining the characteristic value included in the URL path included by the request method.
In the embodiment of the invention, the URL path included in the request method comprises one or more characteristic values.
S1053, according to the characteristic value, determining the URL mode to which the URL path included in the request method belongs.
In the embodiment of the invention, one or more URL modes to which the URL path included in the request method belongs are determined according to one or more characteristic values included in the URL path included in the request method.
S106, based on a first mapping relation between the URL path included by each request method and the matched role in the second association relation and a third association relation corresponding to each request method, constructing a second mapping relation between the URL pattern in the third association relation and the matched role in the second association relation, and storing the second mapping relation into a target database.
In the embodiment of the invention, the mapping relation between the URL pattern and the role is thus constructed.
As shown in fig. 5 and fig. 6, fig. 5 is a background domain model diagram disclosed in the embodiment of the present invention, and fig. 6 is a relation diagram of the background authority building function modules disclosed in the embodiment of the present invention. In an alternative embodiment, a domain model among users, roles, authorities and URL patterns is constructed. A configuration management unit module manages users, roles, authorities and authorization, and grants operation authorities to roles. At the same time, the corresponding URL pattern is determined according to the reference relationship between the authority and the URL.
Therefore, the optional embodiment can create the mapping relationship between the URL pattern and the role, and implement the method-level authority control for all application systems.
Example two
Referring to fig. 7, fig. 7 is a flowchart illustrating a method for constructing method-level authority according to an embodiment of the present invention. The method for constructing method-level authority described in fig. 7 may be applied to a portable computer or to a server, which is not limited in the embodiment of the present invention. As shown in fig. 7, the method for constructing method-level authority may include the following operations:
S701, acquiring the request method information contained in the service development platform based on the metadata rule of the service development platform, and storing all the request method information into a target data table to obtain an application service list, wherein the request method information comprises a URL path.
S702, for any request method in the application service list, constructing a first association relation between the URL path included in the request method and the request method authority corresponding to the request method, to obtain the first association relation corresponding to the request method.
S703, acquiring a second association relation between the plurality of request method authorities and the corresponding roles.
S704, respectively constructing, based on the first association relation and the second association relation corresponding to each request method, a first mapping relation between the URL path included by each request method and the role matched in the second association relation, and storing the first mapping relation into a target database.
S705, for any request method in the application service list, determining the URL pattern to which the URL path included in the request method belongs, establishing a third association relation between that URL path and the corresponding URL pattern, and obtaining the third association relation corresponding to the request method.
S706, based on the first mapping relation between the URL path included by each request method and the matched role in the second association relation, and the third association relation corresponding to each request method, constructing a second mapping relation between the URL pattern in the third association relation and the matched role in the second association relation, and storing the second mapping relation into the target database.
In the embodiment of the present invention, for further details of steps S701 to S706, please refer to the description of steps S101 to S106 in the first embodiment, which is not repeated here.
In the embodiment of the present invention, optionally, the method for constructing method-level authority further includes the following operations:
S707, detecting an operation request sent by the user, wherein the operation request comprises user basic information and a target URL path.
In the embodiment of the present invention, the method for constructing method-level authority further includes: constructing a request interceptor.
In this embodiment of the present invention, optionally, after step S707 of detecting the operation request sent by the user, the method for constructing method-level authority further includes:
intercepting the operation request through the request interceptor; when the interception succeeds, parsing the operation request to obtain the user basic information included in the operation request, and extracting the target URL path in the operation request based on a Filter Security filter.
In the embodiment of the invention, the main function of the Filter Security filter is to extract the URL path included in the current request.
S708, determining one or more user roles according to the user basic information, wherein the user basic information comprises a target user identification.
In this embodiment of the present invention, optionally, step S708 of determining the user role according to the user basic information specifically includes: acquiring a preset fourth association relation between user identifiers and roles; and determining the user role corresponding to the target user identification based on the fourth association relation.
In this embodiment, one user may correspond to one role or may correspond to a plurality of roles. Similarly, a role may correspond to one user or to multiple users.
S709, searching, according to the target URL path, the target database for the role corresponding to the target URL path.
In this embodiment, according to the target URL path extracted by the filter, the one or more roles corresponding to the target URL path are searched directly in the target database in which the first mapping relation and the second mapping relation are stored. Alternatively, in that target database, the URL pattern corresponding to the target URL path is first acquired, and the one or more corresponding roles are then searched according to the determined URL pattern.
S710, judging whether a role corresponding to the target URL path exists among the user roles; if so, step S711 is executed; if there is no role corresponding to the target URL path among the user roles, step S712 is executed.
S711, executing the operation corresponding to the operation request sent by the user.
S712, prompting the user that no operation authority exists.
It can be seen that, when the method for constructing method-level authority described in fig. 7 is implemented, a method-level authorization rule is constructed, the operation request of the user is obtained, the user role and the target URL path included in the operation request are extracted from that request, and the method requested in the operation request is authorized according to the role authority required by the target URL path and the role authority held by the user. Method-level authority control for all application systems can thus be constructed quickly, efficiently and accurately.
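As an added, runnable illustration of steps S701 to S712 above and of the URL pattern steps S1051 to S1053 of the first embodiment (it is not the patent's code and does not use the CAP platform export), the following Python builds the first and second mapping relations from a constructed application service list and applies the role check of steps S709 to S712 to constructed requests. The characteristic-value rule (first two path segments), the "/**" pattern syntax, and all method names, paths, users and roles are assumptions.

```python
# Constructed example of the method-level authority tables and the
# request-time role check; not the patent's code, all data is made up.
from collections import defaultdict

# S701: application service list exported from the development platform
# (constructed sample; a real list comes from the platform's metadata).
APPLICATION_SERVICE_LIST = [
    {"name": "queryOrder", "url_path": "/api/order/query"},
    {"name": "cancelOrder", "url_path": "/api/order/cancel"},
    {"name": "listUsers", "url_path": "/api/user/list"},
    {"name": "lockUser", "url_path": "/api/user/lock"},
]
# S702 input: request method -> request method authority (constructed).
METHOD_AUTHORITY = {
    "queryOrder": "order:query",
    "cancelOrder": "order:cancel",
    "listUsers": "user:list",
    "lockUser": "user:lock",
}
# S703: second association relation, authority -> roles (constructed).
AUTHORITY_ROLES = {
    "order:query": {"clerk", "auditor"},
    "order:cancel": {"clerk"},
    "user:list": {"admin", "auditor"},
    "user:lock": {"admin"},
}
# S708: fourth association relation, user identifier -> roles (constructed).
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"auditor"},
    "carol": {"admin", "clerk"},
}


def feature_value(url_path, depth=2):
    """Characteristic value of a URL path: its first `depth` segments.
    This extraction rule is an assumption; the patent leaves it open."""
    segments = [s for s in url_path.split("/") if s]
    return "/" + "/".join(segments[:depth])


def build_target_database(service_list, method_authority, authority_roles):
    """Build the target database: first mapping (URL path -> roles) and
    second mapping (URL pattern -> roles), steps S702 to S706."""
    # S702: first association relation, URL path -> request method authority.
    path_authority = {m["url_path"]: method_authority[m["name"]]
                      for m in service_list}
    # S704: first mapping, URL path -> roles, with the authority as the
    # intermediate value between the two association relations.
    path_roles = {path: set(authority_roles.get(auth, ()))
                  for path, auth in path_authority.items()}
    # S1051: extract the characteristic values of all paths, merge identical
    # ones (the set does this) and derive one URL pattern per value.
    patterns = {fv: fv + "/**"
                for fv in {feature_value(p) for p in path_authority}}
    # S705 (S1052/S1053): third association relation, URL path -> URL pattern.
    path_pattern = {p: patterns[feature_value(p)] for p in path_authority}
    # S706: second mapping, URL pattern -> roles of every path under it.
    pattern_roles = defaultdict(set)
    for path, pattern in path_pattern.items():
        pattern_roles[pattern] |= path_roles[path]
    return {"path_roles": path_roles, "pattern_roles": dict(pattern_roles)}


def pattern_matches(pattern, url_path):
    """Match a '/prefix/**' pattern (assumed syntax) against a URL path."""
    prefix = pattern[:-len("/**")]
    return url_path == prefix or url_path.startswith(prefix + "/")


def roles_for_path(db, url_path):
    """S709: roles corresponding to the target URL path. The exact path is
    looked up first; otherwise the matching URL patterns supply the roles."""
    if url_path in db["path_roles"]:
        return set(db["path_roles"][url_path])
    required = set()
    for pattern, roles in db["pattern_roles"].items():
        if pattern_matches(pattern, url_path):
            required |= roles
    return required


def authorize(db, user_roles, request):
    """S707 to S712: 'allow' only if one of the user's roles is among the
    roles corresponding to the target URL path, otherwise 'deny'."""
    user_id = request["user_id"]        # user basic information
    target = request["url_path"]        # target URL path from the filter
    roles = user_roles.get(user_id, set())
    required = roles_for_path(db, target)
    # A path with no mapping has no corresponding role, so it is denied.
    return "allow" if roles & required else "deny"


TARGET_DB = build_target_database(APPLICATION_SERVICE_LIST,
                                  METHOD_AUTHORITY, AUTHORITY_ROLES)

if __name__ == "__main__":
    for user, path in [("alice", "/api/order/cancel"),
                       ("bob", "/api/order/export"),
                       ("bob", "/api/order/cancel")]:
        print(user, path, authorize(TARGET_DB, USER_ROLES,
                                    {"user_id": user, "url_path": path}))
```

A pattern's role set is the union over the paths beneath it, which is broader than any single path's rule; this is why the exact-path lookup runs first and the pattern lookup only covers paths absent from the service list.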
Example three
Referring to fig. 8, fig. 8 is a schematic structural diagram of a method-level authority constructing apparatus according to an embodiment of the present invention. The method-level authority constructing apparatus described in fig. 8 may be applied to a portable computer or to a server, which is not limited in the embodiment of the present invention. As shown in fig. 8, the method-level authority constructing apparatus may include: an obtaining module 801, a first association module 802, a second association module 803, and a first mapping module 804, wherein:
an obtaining module 801, configured to obtain request method information included in a service development platform based on a metadata rule of the service development platform, and store all the request method information in a target data table to obtain an application service list, where the request method information includes a URL path.
In the embodiment of the present invention, optionally, the service development platform may be a CAP intelligent service development platform. The CAP platform is an intelligent service development platform integrating modeling, development, operation, monitoring and analysis. The service development platform may also be a historical system implemented on the CAP platform that has undergone long-term service development. The API export function provided by the service development platform can be used to quickly acquire the request method information contained in the platform.
Referring to fig. 2, fig. 2 is a schematic diagram of an application service list according to an embodiment of the present invention. The application service list comprises a plurality of request methods, and the request method information of the request methods comprises information such as entity types, request method Chinese names, request method English names, URL paths/method rest paths, method descriptions and the like.
In the embodiment of the invention, the request method information contained in the service development platform is automatically acquired through the metadata rule of the service development platform, so that a large amount of tedious manual mechanical operation is avoided, and the possibility of manual misoperation is reduced.
The first association module 802 is configured to, for any request method in the application service list, construct a first association relationship between a URL path included in the request method and a request method permission corresponding to the request method, and obtain the first association relationship corresponding to the request method.
In the embodiment of the present invention, optionally, for any request method, the URL path included in the request method is used as the permission data value of the request method permission corresponding to the request method, and a corresponding relationship between the URL path included in the request method and the request method permission corresponding to the request method is constructed, so as to obtain the first association relationship corresponding to the request method.
A second association module 803, configured to obtain a second association relationship between multiple request method permissions and corresponding roles.
In the embodiment of the present invention, optionally, one request method authority may correspond to one role or to multiple roles. Similarly, a role may correspond to one request method authority or to multiple request method authorities. In addition, the second association relation may be configured in advance by a developer, or may be obtained from the existing authority-role relation of a historical system, which is not limited in the embodiment of the present invention.
The first mapping module 804 is configured to respectively construct a first mapping relationship between the URL path included in each request method and a role matched in the second association relationship based on the first association relationship and the second association relationship corresponding to each request method, and store the first mapping relationship in the target database.
In the embodiment of the present invention, according to the correspondence between the URL path included in the request method obtained by the first association module 802 and the request method permission corresponding to the request method, and the association between the plurality of request method permissions obtained by the second association module 803 and the corresponding roles, the request method permission is used as an intermediate value to construct the mapping relationship between the URL path included in each request method and the role matched in the second association relationship, so as to obtain the first mapping relationship, that is, to obtain the method-level permission allocation. In this embodiment, a URL path included in one request method may correspond to one role or may correspond to a plurality of roles. Similarly, a role may correspond to a URL path included in one request method, or may correspond to URL paths included in a plurality of request methods.
It can be seen that, by implementing the method-level authority constructing apparatus described in fig. 8, the request method information included in the service development platform is obtained through the metadata rule of the service development platform, where the request method information includes a URL path, and all the request method information is stored in a target data table to obtain an application service list; for any request method in the application service list, a first association relation between the URL path included by the request method and the request method authority corresponding to the request method is constructed, to obtain the first association relation corresponding to the request method; a second association relation between the plurality of request method authorities and the corresponding roles is acquired; and a first mapping relation between the URL path included by each request method and the role matched in the second association relation is constructed based on the first association relation and the second association relation corresponding to each request method, and stored in a target database. Method-level authority control for all application systems can thus be constructed quickly, efficiently and accurately.
In an alternative embodiment, as shown in fig. 9, fig. 9 is a schematic structural diagram of still another method-level authority constructing apparatus disclosed in the embodiment of the present invention. The method-level authority constructing apparatus further comprises: a third association module 805 and a second mapping module 806, wherein:
the third association module 805 is configured to determine, for any request method in the application service list, a URL pattern to which a URL path included in the request method belongs, establish a third association relationship between the URL path included in the request method and a corresponding URL pattern, and obtain a third association relationship corresponding to the request method.
In this embodiment of the present invention, optionally, the service system may perform a system analysis based on the application service list to obtain at least one URL pattern. For example, the service list is analyzed by an intelligent algorithm or by manual analysis to determine a plurality of URL patterns, where each URL pattern represents a set of resources that can be operated on. The URL pattern corresponding to the URL path included in the request method is then determined, and an association relation is established between that URL path and the corresponding URL pattern. In this embodiment, the URL path included in one request method may correspond to one URL pattern or to a plurality of URL patterns.
In this embodiment of the present invention, optionally, the third association module 805 includes: an analysis sub-module 8051, a first determination sub-module 8052, and a second determination sub-module 8053.
The analyzing submodule 8051 is configured to analyze the application service list to obtain at least one URL pattern.
Further optionally, the analyzing sub-module 8051 analyzes the application service list to obtain at least one URL pattern, which specifically includes:
acquiring the URL paths included by all request methods in the application service list;
analyzing all URL paths and extracting their characteristic values to obtain a first characteristic value set;
merging identical characteristic values in the first characteristic value set to obtain a second characteristic value set;
and determining the URL pattern corresponding to each characteristic value in the second characteristic value set.
The first determining sub-module 8052 is configured to, for the URL path included in any request method in the application service list, analyze that URL path and determine the characteristic values it contains.
In the embodiment of the invention, the URL path included in the request method comprises one or more characteristic values.
The second determining submodule 8053 is configured to determine, according to the feature value included in the URL path included in any request method, a URL pattern to which the URL path included in the request method belongs.
In the embodiment of the invention, the one or more URL patterns to which the URL path included in the request method belongs are determined according to the one or more characteristic values contained in that URL path.
The second mapping module 806 is configured to construct, based on a first mapping relationship between the URL path included in each request method and the role matched in the second association relationship and a third association relationship corresponding to each request method, a second mapping relationship between the URL pattern in the third association relationship and the role matched in the second association relationship, and store the second mapping relationship in the target database.
Therefore, the optional embodiment can create the mapping relationship between the URL pattern and the role, and implement the method-level authority control for all application systems.
In an optional embodiment, as shown in fig. 10, fig. 10 is a schematic structural diagram of a method-level authority constructing apparatus according to another embodiment of the present invention, where the apparatus further includes a detecting module 807, a role determining module 808, a role searching module 809, and a judging module 810, wherein:
the detecting module 807 is configured to detect an operation request sent by a user, where the operation request includes user basic information and a target URL path.
In this embodiment of the present invention, further optionally, the apparatus further includes a constructing module 811 and an intercepting module 812, wherein:
the constructing module 811 is configured to construct a request interceptor;
the intercepting module 812 is configured to intercept, through the request interceptor, the operation request sent by the user after it is detected; when the interception succeeds, parse the operation request to obtain the user basic information included in it, and extract the target URL path in the operation request based on the Filter Security filter.
In the embodiment of the invention, the main function of the filter security filter is to extract the URL path included in the current request.
The role determination module 808 is configured to determine one or more user roles according to the user basic information, wherein the user basic information comprises a target user identification.
In this embodiment of the present invention, optionally, the role determination module 808 determines the user role according to the user basic information, which specifically includes: acquiring a preset fourth association relation between user identifiers and roles; and determining the user role corresponding to the target user identification based on the fourth association relation.
In this embodiment, one user may correspond to one role or may correspond to a plurality of roles. Similarly, a role may correspond to one user or to multiple users.
The role searching module 809 is configured to search, according to the target URL path, the target database for the role corresponding to the target URL path.
In this embodiment, according to the target URL path extracted by the filter, the one or more roles corresponding to the target URL path are searched directly in the target database in which the first mapping relation and the second mapping relation are stored. Alternatively, in that target database, the URL pattern corresponding to the target URL path is first acquired, and the one or more corresponding roles are then searched according to the determined URL pattern.
The judging module 810 is configured to judge whether a role corresponding to the target URL path exists in the user roles; if the role corresponding to the target URL path exists in the user roles, executing the operation corresponding to the operation request sent by the user; and if the role corresponding to the target URL path does not exist in the user roles, prompting the user that no operation authority exists.
It can be seen that, when the method-level authority constructing apparatus described in fig. 10 is implemented, a method-level authorization rule is constructed, the operation request of the user is obtained, the user role and the target URL path included in the operation request are extracted from that request, and the method requested in the operation request is authorized according to the role authority required by the target URL path and the role authority held by the user. Method-level authority control for all application systems can thus be constructed quickly, efficiently and accurately.
Example four
Referring to fig. 11, fig. 11 is a schematic structural diagram of another method-level authority constructing apparatus disclosed in the embodiment of the present invention. As shown in fig. 11, the method-level authority constructing apparatus may include:
a memory 1101 storing executable program code;
a processor 1102 coupled with a memory 1101;
the processor 1102 calls the executable program code stored in the memory 1101 to execute the steps in the method for constructing method-level authority described in the first embodiment or the second embodiment of the present invention.
Example five
The embodiment of the invention discloses a computer storage medium, which stores computer instructions, and the computer instructions are used for executing steps in the method for constructing the method-level authority described in the first embodiment or the second embodiment of the invention when being called.
Example six
An embodiment of the present invention discloses a computer program product, which includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute the steps in the method for constructing method-level permissions described in the first embodiment or the second embodiment.
The above-described embodiments of the apparatus are merely illustrative, and the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above detailed description of the embodiments, those skilled in the art will clearly understand that the embodiments may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, where the storage medium includes a Read-Only Memory (ROM), a Random Access Memory (RAM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disk memory, magnetic disk memory, tape memory, or any other computer-readable medium that can be used to carry or store data.
Finally, it should be noted that the method and apparatus for constructing method-level authority disclosed in the embodiments of the present invention are only preferred embodiments of the present invention and are only used for illustrating the technical solutions of the present invention, not for limiting them. Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced, and that such modifications or substitutions do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for constructing method-level permissions, the method comprising:
based on a metadata rule of a service development platform, acquiring request method information contained in the service development platform, and storing all the request method information into a target data table to obtain an application service list, wherein the request method information comprises a URL path;
for any request method in the application service list, constructing a first association relation between a URL path included in the request method and a request method authority corresponding to the request method to obtain the first association relation corresponding to the request method;
acquiring second association relations between the plurality of request method authorities and corresponding roles;
and respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database.
2. The method for building method-level authority according to claim 1, wherein after storing the first mapping relationship in a target database, the method further comprises:
for any request method in the application service list, determining a URL pattern to which a URL path included in the request method belongs, establishing a third association relation between the URL path included in the request method and the corresponding URL pattern, and obtaining a third association relation corresponding to the request method;
and constructing a second mapping relation between the URL pattern in the third association relation and the matched role in the second association relation based on a first mapping relation between the URL path included by each request method and the matched role in the second association relation and a third association relation corresponding to each request method, and storing the second mapping relation into the target database.
3. The method for constructing method-level authority according to claim 2, wherein the determining, for any request method in the application service list, a URL pattern to which a URL path included in the request method belongs includes:
analyzing the application service list to obtain at least one URL pattern;
for a URL path included in any request method in the application service list, analyzing the URL path included in the request method, and determining a characteristic value contained in the URL path included in the request method;
and determining the URL pattern to which the URL path included in the request method belongs according to the characteristic value.
4. The method for constructing method-level authority according to claim 3, wherein the analyzing the application service list to obtain at least one URL pattern comprises:
acquiring URL paths included by all the request methods in the application service list;
analyzing and extracting characteristic values of all URL paths to obtain a first characteristic value set;
merging the same characteristic values in the first characteristic value set to obtain a second characteristic value set;
and determining the URL pattern corresponding to each characteristic value in the second characteristic value set.
5. The method for building method-level authority according to any one of claims 1-4, wherein after storing the first mapping relationship in a target database, the method further comprises:
detecting an operation request sent by a user, wherein the operation request comprises user basic information and a target URL path;
determining one or more user roles according to the user basic information;
searching a role corresponding to the target URL path in the target database according to the target URL path;
judging whether a role corresponding to the target URL path exists in the user roles;
if the role corresponding to the target URL path exists in the user roles, executing the operation corresponding to the operation request sent by the user;
and if the role corresponding to the target URL path does not exist in the user roles, prompting the user that no operation authority exists.
6. The method of constructing method-level permissions of claim 5 further comprising:
constructing a request interceptor;
after the operation request sent by the user is detected, the method further comprises the following steps:
intercepting the operation request through the request interceptor, analyzing the operation request when the interception is successful, obtaining the user basic information included in the operation request, and extracting the target URL path in the operation request based on a Filter Security filter.
7. The method for constructing method-level authority of claim 5, wherein the user basic information includes a target user identification;
the determining the user role according to the user basic information comprises:
acquiring a preset fourth association relation between user identifiers and roles;
and determining the user role corresponding to the target user identification based on the fourth association relation.
8. An apparatus for method level privilege construction, the apparatus comprising:
the acquisition module is used for acquiring request method information contained in a service development platform based on a metadata rule of the service development platform, and storing all the request method information into a target data table to obtain an application service list, wherein the request method information comprises a URL path;
the first association module is used for constructing a first association relation between a URL path included by the request method and a request method authority corresponding to the request method for any request method in the application service list to obtain the first association relation corresponding to the request method;
the second association module is used for acquiring a second association relation between the plurality of request method authorities and the corresponding roles;
and the first mapping module is used for respectively constructing a first mapping relation between the URL path included by each request method and the role matched in the second association relation based on the first association relation and the second association relation corresponding to each request method, and storing the first mapping relation into a target database.
9. An apparatus for implementing method level entitlement control, the apparatus comprising:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the method for building method level rights according to any one of claims 1-7.
10. A computer-readable storage medium having stored thereon computer program instructions for performing, when invoked, the method of constructing method level rights according to any one of claims 1-7.
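The claims above describe one pipeline: collect the request methods and their URL paths into an application service list, derive the first association (URL path to request method authority), join it with the second association (authority to roles) into the first mapping (URL path to roles), persist that mapping, and at request time intercept the request, look up the user's roles through the fourth association (user identifier to roles), and refuse the operation when no mapped role is held. The Python below is an added worked example of that pipeline; it is not code from the patent or from its assignee. The function names, the sample service metadata, the permission and role tables, the request dictionary shape and the SQLite table name are all constructed assumptions, with an in-memory SQLite database standing in for the target database. It also exercises the failure paths a practitioner cares about: a user with no roles, a request carrying no user identifier, and a URL path absent from the mapping.

```python
"""Worked example (constructed, not the patent's code) of building and enforcing
a method-level URL-path-to-role mapping as described in the claims."""
import sqlite3
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the platform metadata: one entry per request method,
# each bound to a URL path and to the request method authority it requires.
SERVICE_METADATA: List[Dict[str, str]] = [
    {"method": "OrderController.list",   "url": "/api/orders",        "permission": "order:read"},
    {"method": "OrderController.create", "url": "/api/orders/create", "permission": "order:write"},
    {"method": "UserController.export",  "url": "/api/users/export",  "permission": "user:export"},
]

# Second association relation (constructed): request method authority -> roles.
PERMISSION_ROLES: Dict[str, FrozenSet[str]] = {
    "order:read":  frozenset({"clerk", "manager"}),
    "order:write": frozenset({"manager"}),
    "user:export": frozenset({"auditor"}),
}

# Fourth association relation (constructed): user identifier -> roles.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "u1001": frozenset({"clerk"}),
    "u1002": frozenset({"manager"}),
    "u1003": frozenset(),            # a registered user who holds no role at all
}


def build_application_service_list(metadata: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Step 1: collect request method information (including the URL path) into the target data table."""
    table = []
    for entry in metadata:
        if not entry["url"].startswith("/"):
            raise ValueError(f"URL path must be absolute: {entry['url']!r}")
        table.append({"method": entry["method"], "url": entry["url"], "permission": entry["permission"]})
    return table


def build_first_association(service_list: List[Dict[str, str]]) -> Dict[str, str]:
    """Step 2: first association relation, URL path -> request method authority."""
    first: Dict[str, str] = {}
    for row in service_list:
        if row["url"] in first and first[row["url"]] != row["permission"]:
            raise ValueError(f"conflicting authority for URL path {row['url']!r}")
        first[row["url"]] = row["permission"]
    return first


def build_url_role_mapping(first: Dict[str, str],
                           permission_roles: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Step 4: join first and second associations into the first mapping, URL path -> roles."""
    # An authority with no role attached maps to the empty set, so nobody is granted it.
    return {url: permission_roles.get(perm, frozenset()) for url, perm in first.items()}


def store_mapping(conn: sqlite3.Connection, mapping: Dict[str, FrozenSet[str]]) -> None:
    """Persist the first mapping; the url_role table name is an assumption."""
    conn.execute("CREATE TABLE IF NOT EXISTS url_role (url TEXT NOT NULL, role TEXT NOT NULL, "
                 "PRIMARY KEY (url, role))")
    conn.execute("DELETE FROM url_role")
    conn.executemany("INSERT INTO url_role (url, role) VALUES (?, ?)",
                     [(url, role) for url, roles in mapping.items() for role in sorted(roles)])
    conn.commit()


def roles_for_url(conn: sqlite3.Connection, url: str) -> FrozenSet[str]:
    """Roles allowed on a URL path; an unmapped path yields the empty set (default deny)."""
    rows = conn.execute("SELECT role FROM url_role WHERE url = ?", (url,)).fetchall()
    return frozenset(r[0] for r in rows)


def parse_request(request: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Interceptor step (claim 6): pull the user identifier and the target URL path out of the request."""
    path = urlsplit(request.get("path", "")).path      # drop query string and fragment
    if len(path) > 1:
        path = path.rstrip("/")                           # treat /api/orders/ and /api/orders alike
    return request.get("user_id"), path


def authorize(conn: sqlite3.Connection, request: Dict[str, str],
              user_roles: Dict[str, FrozenSet[str]] = USER_ROLES) -> Tuple[bool, str]:
    """Claims 5 and 7: resolve the user's roles and check them against the URL path's roles."""
    user_id, path = parse_request(request)
    held = user_roles.get(user_id, frozenset()) if user_id is not None else frozenset()
    if held & roles_for_url(conn, path):
        return True, "ok"
    return False, "no operation authority"


def build_store(metadata=SERVICE_METADATA, permission_roles=PERMISSION_ROLES) -> sqlite3.Connection:
    """Run steps 1 to 4 and return the populated target database."""
    conn = sqlite3.connect(":memory:")
    first = build_first_association(build_application_service_list(metadata))
    store_mapping(conn, build_url_role_mapping(first, permission_roles))
    return conn


if __name__ == "__main__":
    db = build_store()
    for req in [{"user_id": "u1002", "path": "/api/orders/create"},
                {"user_id": "u1001", "path": "/api/orders/create"},
                {"user_id": "u1001", "path": "/api/orders/?page=2"},
                {"user_id": "u1003", "path": "/api/orders"},
                {"path": "/api/orders"},
                {"user_id": "u1002", "path": "/api/unknown"}]:
        print(req, authorize(db, req))
```

Default deny for a URL path that is not in the mapping is a design choice the claims do not spell out; treating an unregistered path as allowed would let a request method added after the mapping was built bypass the check, so the mapping should be rebuilt whenever the application service list changes. Stripping the query string and trailing slash before lookup keeps a single canonical key per method, which matters because the check is an exact match on the URL path.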
CN202111072415.6A 2021-09-14 2021-09-14 Method and device for constructing method-level authority Pending CN113934994A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111072415.6A CN113934994A (en) 2021-09-14 2021-09-14 Method and device for constructing method-level authority

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111072415.6A CN113934994A (en) 2021-09-14 2021-09-14 Method and device for constructing method-level authority

Publications (1)

Publication Number Publication Date
CN113934994A true CN113934994A (en) 2022-01-14

Family

ID=79275715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111072415.6A Pending CN113934994A (en) 2021-09-14 2021-09-14 Method and device for constructing method-level authority

Country Status (1)

Country Link
CN (1) CN113934994A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230246985A1 (en) * 2022-02-02 2023-08-03 T-Mobile Innovations Llc Real-time Chat Service File Transfer Across Different Networks

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230246985A1 (en) * 2022-02-02 2023-08-03 T-Mobile Innovations Llc Real-time Chat Service File Transfer Across Different Networks
US11895066B2 (en) * 2022-02-02 2024-02-06 T-Mobile Innovations Llc Real-time chat service file transfer across different networks

Similar Documents

Publication Publication Date Title
CN109687991B (en) User behavior identification method, device, equipment and storage medium
CN105893848A (en) Precaution method for Android malicious application program based on code behavior similarity matching
CN104520871A (en) Vulnerability vector information analysis
CN104778410A (en) Application program integrity verification method
EP2880579A1 (en) Conjoint vulnerability identifiers
CN113779585A (en) Unauthorized vulnerability detection method and device
CN108460025A (en) Criminal case automates measurement of penalty method, apparatus and computer readable storage medium
CN113934994A (en) Method and device for constructing method-level authority
CN115238247A (en) Data processing method based on zero trust data access control system
CN112580105B (en) Data permission protection method and system based on interactive class and non-interactive class
CN117376228A (en) Network security testing tool determining method and device
CN110442466B (en) Method, device, computer equipment and storage medium for preventing repeated access request
CN112433936A (en) Test method, test device and storage medium
CN105487936A (en) Information system security evaluation method for classified protection under cloud environment
CN109446054B (en) Processing method and terminal equipment for override operation request based on big data
CN116032652A (en) Gateway authentication method and system based on intelligent interactive touch panel
CN114969834B (en) Page authority control method, device, storage medium and equipment
CN114944016A (en) Method and device for acquiring electronic signature
CN114386025A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
KR101582420B1 (en) Method and apparatus for checking integrity of processing module
CN114493901A (en) Data access application processing method and device, computer equipment and storage medium
US20170149831A1 (en) Apparatus and method for verifying detection rule
WO2021096346A1 (en) A computer-implemented system for management of container logs and its method thereof
CN111949363A (en) Service access management method, computer equipment, storage medium and system
CN115809466B (en) Security requirement generation method and device based on STRIDE model, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination