CN114006757A - GIS service access control method, device, framework, medium and equipment - Google Patents
- Publication number
- CN114006757A (CN202111276175.1A)
- Authority
- CN
- China
- Prior art keywords
- gis
- client application
- access request
- application program
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The disclosure provides a GIS service access control method, a GIS service access control device, a GIS cloud platform service framework, a storage medium and an electronic device, and relates to the technical field of computers. The method comprises the following steps: receiving a GIS service access request, wherein the GIS service access request is generated by a client application program configuring a GIS functional component; the proxy server configures the GIS service access request according to the application key of the client application program and forwards the configured GIS service access request to the GIS server; and the GIS server verifies the configured GIS service access request and provides the corresponding GIS service for the client application program after the verification is passed. According to the method and the device, when the client application program requests the GIS service, the authorization key of the client application program is kept on the server, so that the authorization key can be protected from attack at the client, and the security of GIS service access is improved.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access control method for a GIS service, an access control device for a GIS service, a GIS cloud platform service architecture, a computer-readable storage medium, and an electronic device.
Background
With the development of internet geographic information technology in recent years, more and more geographic information is opened to the outside in a service manner. The GIS (Geographic Information System) is a technology for acquiring, processing, managing and analyzing geospatial data, and all applications related to spatial positions can adopt the GIS technology.
Taking a web application requesting a service from the GIS platform as an example, the GIS platform can currently verify the authorization key carried by the client to determine whether to provide the service to the web application. However, when the authorization key is used in a front-end environment, it is easily decompiled, so that the authorization key is leaked and the security of GIS service access is reduced.
Therefore, how to ensure the security in the GIS service opening process is very important.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure is directed to providing an access control method for a GIS service, an access control device for a GIS service, a GIS cloud platform service architecture, a computer-readable storage medium, and an electronic device, thereby overcoming, at least to some extent, the problem of low security of GIS service access due to related technologies.
According to a first aspect of the present disclosure, there is provided an access control method for a GIS service, including:
receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;
the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server;
and the GIS server verifies the configured GIS service access request and provides corresponding GIS service for the client application program after the verification is passed.
In an exemplary embodiment of the disclosure, the configuring, by the proxy server, the GIS service access request according to the authorization key of the client application includes:
obtaining an authorization key of the client application program;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key of the client application program as a request header of the GIS service access request.
In an exemplary embodiment of the disclosure, the configuring, by the proxy server, the GIS service access request according to the authorization key of the client application includes:
and when the proxy service configured by the proxy server is the GIS service, configuring the same authorization key for a plurality of client application programs, and using the authorization key as a request header of the GIS service access request.
In an exemplary embodiment of the disclosure, the configuring, by the proxy server, the GIS service access request according to the authorization key of the client application includes:
the proxy server receives GIS service access requests sent by a plurality of client application programs;
and when the proxy service configured by the proxy server is the GIS service, configuring the same authorization key for the plurality of client application programs, and using the authorization key as a request header of the GIS service access request.
In an exemplary embodiment of the disclosure, the client application includes a client application of at least one application type, and the configuring, by the proxy server, the GIS service access request according to an authorization key of the client application includes:
obtaining an authorization key and an application program type of the client application program;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key and the application program type of the client application program as a request header of the GIS service access request.
In an exemplary embodiment of the disclosure, the configuring, by the proxy server, the GIS service access request according to the authorization key of the client application includes:
obtaining an authorization key of the client application program and a user identifier of a target user;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key of the client application program and the user identification of the target user as the request head of the GIS service access request.
In an exemplary embodiment of the present disclosure, the verifying the configured GIS service access request by the GIS server, and providing the corresponding GIS service to the client application after the verification is passed includes:
the GIS server acquires a request header in the configured GIS service access request, wherein the request header comprises an authorization key of the client application program;
and verifying the authorization key of the client application program, and providing GIS service to the client application program after the verification is passed.
In an exemplary embodiment of the present disclosure, the verifying the configured GIS service access request by the GIS server, and providing the corresponding GIS service to the client application after the verification is passed includes:
the GIS server acquires a request header in the configured GIS service access request, wherein the request header comprises an authorization key and an application program type of the client application program;
verifying an authorization key of the client application;
after the verification is passed, determining a resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule;
and performing resource allocation on the client application program according to the resource allocation magnitude.
In an exemplary embodiment of the present disclosure, the GIS server obtains a request header in the configured GIS service access request, where the request header includes an authorization key of the client application and a user identifier of a target user;
verifying an authorization key of the client application;
after the verification is passed, counting the user information of the target user according to the user identification of the target user;
and providing corresponding GIS service for the target user according to the user information of the target user.
According to a second aspect of the present disclosure, there is provided an access control device of a GIS service, including:
the service request receiving module is used for receiving a GIS service access request, and the GIS service access request is generated by configuring a GIS functional component by a client application program;
the service request configuration module is used for configuring the GIS service access request by the proxy server according to the authorization key of the client application program and forwarding the configured GIS service access request to the GIS server;
and the service request processing module is used for verifying the configured GIS service access request by the GIS server and providing corresponding GIS service for the client application program after the verification is passed.
According to a third aspect of the present disclosure, there is provided a GIS cloud platform service architecture comprising a client application layer, a GIS capability layer and a GIS service layer, the client application layer comprising at least one client application, the GIS capability layer comprising at least one GIS functional component, wherein,
the client application layer is used for receiving a GIS service access request, and the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server;
and the GIS service layer is used for verifying the configured GIS service access request by the GIS server and providing corresponding GIS service for the client application program after the verification is passed.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of the above.
According to a fifth aspect of the present disclosure, there is provided an electronic device comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any one of the above via execution of the executable instructions.
Exemplary embodiments of the present disclosure may have some or all of the following benefits:
in the access control method for the GIS service provided by the disclosed example embodiment, by receiving a GIS service access request, the GIS service access request is generated by configuring a GIS functional component by a client application; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server; and the GIS server verifies the configured GIS service access request and provides corresponding GIS service for the client application program after the verification is passed. On one hand, when the client application program requests the GIS service, the authorization key of the client application program is placed at the server, so that the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved; on the other hand, by freely configuring the GIS functional components, the target service requested by the user can be flexibly provided, and the user experience is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 is a schematic diagram illustrating an exemplary system architecture to which the access control method and apparatus for GIS services of the present disclosure may be applied;
FIG. 2 schematically shows a flow chart of an access control method of GIS services according to one embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow diagram for independently deploying a client application according to one embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram for implementing a one-key-multi-use multi-terminal application hybrid deployment, according to one embodiment of the present disclosure;
FIG. 5 schematically shows a flow diagram for implementing quota accurate control, according to one embodiment of the present disclosure;
FIG. 6 schematically shows a flow diagram for providing personalized services according to one embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of an access control device of a GIS service according to one embodiment of the present disclosure;
FIG. 8 schematically illustrates a structural diagram of a computer system suitable for use with an electronic device that implements an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Fig. 1 is a schematic diagram illustrating an exemplary system architecture of an access control method and apparatus for GIS service to which an embodiment of the present disclosure may be applied.
As shown in fig. 1, the GIS cloud platform services architecture 100 may include a GIS services layer 101, a GIS capabilities layer 102, and a client application layer 103. The GIS service layer 101 may include GIS servers, which may provide GIS services, which may be geographic information computing services, spatial data storage services, and the like. GIS capability layer 102 may include at least one GIS functional component. Illustratively, the GIS function component may be a display tool component, such as a map coordinate recognizer, a map editor, etc., or a selection tool component for route planning. The client application layer 103 may include at least one terminal device, and the terminal device may be a cloud device, and may also be various electronic devices including but not limited to a desktop computer, a portable computer, a smart phone, a tablet computer, and the like. For example, a client application such as a browser may be installed on the terminal device, and a web application may be run through the browser. It should be noted that the client application layer 103 may include one or more client applications of the same application type, or may include a plurality of client applications of different application types. For example, a plurality of web applications may be deployed in the client application layer 103, and a plurality of client applications such as web applications, native applications, and applets may also be deployed, which is not specifically limited by this disclosure. The GIS capability layer 102 runs on the GIS service layer 101, and can provide GIS services to the client application layer 103 through a standardized interface. The client application layer 103 runs on the GIS capability layer 102, and can call GIS services to the GIS capability layer 102 through a standardized interface.
It should be understood that the number of terminal devices, GIS functional components and GIS servers in fig. 1 is merely illustrative. According to the implementation requirement, any number of terminal devices, GIS functional components and GIS servers can be provided. For example, the GIS server may be one GIS server, or a server cluster formed by a plurality of GIS servers, or may be a virtualization center, which is not specifically limited in this disclosure.
It should be noted that, since the application server cannot provide the GIS service for the client application, the GIS service request needs to be proxied to the GIS server through the proxy server to provide the GIS service for the client application. Accordingly, a proxy server may be used in example embodiments of the present disclosure to provide background services for client applications.
For example, the GIS capability layer 102 may be configured to request GIS services from a proxy server, which in turn requests GIS services from the GIS server with authentication information, e.g., the authentication information may be an authorization key. Specifically, the client application layer 103 may be configured to receive a GIS service access request, where the GIS service access request is generated by configuring a GIS functional component by a client application; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to the GIS server; the GIS service layer 101 may be configured to verify the configured GIS service access request by the GIS server, and provide the corresponding GIS service to the client application after the verification is passed.
In the exemplary embodiment of the present disclosure, the GIS cloud platform service architecture 100 may also be divided, in the vertical direction, into an external application, a data exchange module, and a computing service module. The external applications may include, among other things, client applications (e.g., web applications, native applications, applets, etc.) and proxy servers. The client application can configure the GIS functional component to request GIS service from the proxy server; the proxy server can configure an authorization key for the request and proxy the request carrying the authorization key to the GIS server, so that the GIS server provides the GIS service for the client application. The data exchange module is located between the computing service module and the external application, and can be used to check the validity of the authorization key and to control, count, and identify the source of requests. For example, GIS services are provided when the authorization key is verified as authorized and are denied otherwise. As another example, the request source may be authenticated according to the authorization key so that resources can be allocated to client applications of different application types; counting the request sources also allows user data statistics to be gathered, so that personalized services can be accurately provided to the user. The computing service module can comprise an underlying virtual resource layer, a GIS service layer and a GIS capability layer. The underlying virtual resource layer can comprise a processor, an internal memory, an external memory and a network. The GIS service layer runs on the underlying virtual resource layer and can comprise a GIS data processing center, a GIS storage center and a GIS service center. The GIS capability layer can interact with the GIS service layer to jointly provide GIS service for users.
The technical solution of the embodiment of the present disclosure is explained in detail below:
Taking GIS cloud platform service authorization based on web applications as an example, an authorization key may be attached when a cloud application SDK (Software Development Kit) is introduced, and a Referer whitelist is set on a cloud application console. In the Referer protection mechanism, the Referer request header sent by the browser to the server may include the address of the source page of the current request page, which indicates that the current request page was entered through the source page URL (Uniform Resource Locator). Meanwhile, the server can use the Referer request header to identify the access source and to perform statistical analysis, log recording, cache optimization and the like.
It can be seen that this method requests the GIS service by carrying the authorization key in a front-end js file (JavaScript code, a text document with ".js" as its extension). However, using the authorization key in the front-end environment may expose the browsing history of the user, and the key may be easily decompiled, so that the authorization key is leaked, thereby causing misuse of the GIS service. In addition, when the protocol adopted by the source page is a "file" or "data" URL representing a local file, or when the current request page adopts a non-secure protocol and the source page adopts a secure protocol, the browser does not send the Referer request header to the server. In that case, if the Referer request header is used for authentication, the server does not provide the GIS service; otherwise, the authorization permission needs to be set to 'all permission', thereby reducing the security of GIS service access.
In view of one or more of the above problems, the present exemplary embodiment provides an access control method for a GIS service. Referring to fig. 2, the access control method of the GIS service may include steps S210 to S230:
Step S210, receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;
Step S220, the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server;
Step S230, the GIS server verifies the configured GIS service access request, and provides corresponding GIS service to the client application program after the verification is passed.
In the access control method for the GIS service provided by the disclosed example embodiment, by receiving a GIS service access request, the GIS service access request is generated by configuring a GIS functional component by a client application; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server; and the GIS server verifies the configured GIS service access request and provides corresponding GIS service for the client application program after the verification is passed. On one hand, when the client application program requests the GIS service, the authorization key of the client application program is placed at the server, so that the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved; on the other hand, by freely configuring the GIS functional components, the target service requested by the user can be flexibly provided, and the user experience is improved.
The above steps of the present exemplary embodiment will be described in more detail below.
In step S210, a GIS service access request is received, where the GIS service access request is generated by configuring a GIS functional component by a client application.
In the embodiment of the disclosure, when a client application requests a service from a GIS cloud platform, an authorization key can be configured at a server to avoid the authorization key from being leaked at the client, so that the security of GIS service access is enhanced. Illustratively, the client application program can be hosted by a proxy server, and the GIS service provided by the proxy server to the client application program is realized by a reverse proxy mode. Taking the web application as an example, after receiving the GIS service access request sent by the web application, the proxy server may forward the GIS service access request to the GIS server, and return the GIS service provided by the GIS server to the web application. The proxy server may be a server having a reverse proxy function, such as an Nginx server, a Varnish server, and an ATS server, which is not specifically limited in this disclosure.
The client application may configure the GIS functional component to request GIS services from the proxy server. Specifically, when the client application requests the GIS service from the proxy server, the service parameters of the GIS functional component may be configured as the GIS service to generate a GIS service access request, which is then sent to the proxy server. Configuring the service parameters of the GIS functional component as the GIS service may mean setting the service prefix in the GIS functional component's parameter options to '/GIS', such as option: { server: '/GIS/.', // specifies the GIS background service prefix }. The GIS service access request may be an HTTP (HyperText Transfer Protocol) request, which may consist of a request line, request headers, an empty line, and request data. The request headers are composed of keyword/value pairs and are used to inform the server of information related to the client's request. The request line consists of a request method field, a URL field and an HTTP protocol version field. The request method in the HTTP request line, such as GET, POST or HEAD, describes the operation that the server should perform. The URL field describes which resource the request method is to be performed on. The HTTP protocol version field informs the server which HTTP protocol version the client uses.
According to the method and the device, the GIS functional component can be configured to request GIS service from the proxy server, and the target task requested by the GIS functional component can be freely configured to meet the actual requirement of a user instead of directly requesting a fixed cloud service address, so that the user experience is improved.
In step S220, the proxy server configures the GIS service access request according to the authorization key of the client application, and forwards the configured GIS service access request to the GIS server.
In the example embodiment of the present disclosure, the proxy server may also configure various proxy services, such as GIS services. When the proxy server receives a GIS service access request sent by a client application, the proxy server can acquire the authorization key configured for the client application. When the GIS service access request matches the corresponding GIS reverse proxy service, that is, when the proxy service configured by the proxy server is the GIS service, the reverse proxy parameter proxy_pass configured by the proxy server can point directly to the address of the GIS server to be accessed. In the reverse proxy process, the authorization key of the client application can be used as a request header of the GIS service access request. For example, the authorization key of the client application may be placed in the request header of the GIS service access request, such as key: authorization key. It will be appreciated that the request header may also include, for example, host: the GIS server address, user-agent: the type of application that generated the request, etc., and the disclosure is not limited in this respect.
The authorization key is a key that the target server corresponding to the target application obtains by registering the target application in advance on the host server corresponding to the host application, and that the host server distributes to the target application. Different target applications correspond to different authorization keys. If the user triggers the target application on the terminal device for the first time, the terminal device can acquire the authorization key from the target server; if the user has triggered the target application on the terminal device before, the terminal device can either read the authorization key directly from the cache or acquire it from the target server. In the disclosed embodiment, the authorization key may be a hexadecimal (base-16) or base-32 character string generated by an algorithm to uniquely identify the client application.
According to the method and the system, when the client application requests the GIS service, the authorization key of the client application is kept at the server, so that the authorization key is protected from attack at the client, for example, a malicious user is prevented from stealing the authorization key by decompiling, viewing the source code and the like, and the security of GIS service access is improved. Moreover, because the authorization key is used at the server side, the browsing history of the user is not exposed, and the privacy of the user can be protected.
The proxy server can forward the configured GIS service access request to the GIS server, namely proxy the GIS service access request carrying the authorization key to the GIS server, so that the GIS server can provide GIS service for the client application program. For example, the data exchange module of the GIS server may verify the validity of the authorization key and then decide whether to provide GIS services to the client application.
In step S230, the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service to the client application after the verification is passed.
After receiving the configured GIS service access request forwarded by the proxy server, the GIS server may obtain a request header in the GIS service access request, where the request header includes an authorization key of a client application requesting GIS service. The data exchange module of the GIS server may verify the authorization key of the client application. For example, the received authorization key may be matched with an authorization key stored in the GIS server, if the authorization key corresponding to the client application is matched in the GIS server, it indicates that the verification is passed, and the calculation service module of the GIS server may provide the GIS service to the client application, otherwise, the calculation service module may refuse to provide the GIS service to the client application.
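Steps S220 and S230 can be modelled in a few lines. The following is an added example, not code from the patent: the header name key comes from the description, while the key value, the application name and the function names are constructed for illustration. It also discards any key header the client sends, so that only the proxy decides which key reaches the GIS server.

```python
import hmac

# Constructed sample values; none of them come from the patent text.
GIS_PREFIX = "/GIS/"
PROXY_APP_KEY = "3f9a1c7e5b2d4f60a8c1e9d2b7f40536"  # stored only on the proxy
GIS_REGISTERED_KEYS = {"3f9a1c7e5b2d4f60a8c1e9d2b7f40536": "demo-web-app"}


def proxy_rewrite(path, client_headers, app_key=PROXY_APP_KEY):
    """Step S220: build the headers forwarded to the GIS server.

    Returns None when the path does not belong to the GIS reverse proxy.
    """
    if not path.startswith(GIS_PREFIX):
        return None
    # Drop any client-supplied copy of the header, whatever its letter
    # case, so the caller cannot choose the key that is sent upstream.
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != "key"}
    forwarded["key"] = app_key
    return forwarded


def gis_verify(headers, registered=GIS_REGISTERED_KEYS):
    """Step S230: return the registered application name, or None."""
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get("key", "")
    matched = None
    for known, app in registered.items():
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(presented.encode(), known.encode()):
            matched = app
    return matched


def handle(path, client_headers):
    """Whole path: client request -> proxy -> GIS server -> status code."""
    forwarded = proxy_rewrite(path, client_headers)
    if forwarded is None:
        return 404, None
    app = gis_verify(forwarded)
    return (200, app) if app else (403, None)


if __name__ == "__main__":
    # The browser request carries no key; the proxy adds it.
    print(handle("/GIS/tiles/1", {"User-Agent": "demo"}))
    # A request that reaches the GIS server without the proxy is refused.
    print(gis_verify({"User-Agent": "demo"}))
```

The second call shows why the GIS server should be reachable only through the proxy or should keep verifying the key on every request: a request that skips the proxy carries no valid key and is refused.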
The access control method of the GIS service, which is realized by applying the GIS cloud platform service framework, can solve the problems of web-based application program authentication and user privacy protection. The authorization key of the client application program is arranged at the server, so that the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved. Moreover, the GIS functional components are freely configured, so that the target service requested by the user can be flexibly provided, and the user experience is improved.
In an example embodiment, the client application may include a client application of at least one application type. For example, multiple client applications of the same application type may be deployed at the client application layer. For example, the proxy server may receive GIS service access requests from a plurality of client applications of the same application type, and when the proxy service configured by the proxy server is a GIS service, the proxy server may configure the same authorization key for the plurality of client applications, and use the authorization key as a request header of each GIS service access request. Taking the example where the web application requests the GIS service and the proxy server is an Nginx server, as shown in fig. 3, independent deployment of multiple web applications may be implemented according to steps S310 to S360.
Step S310. Install the Nginx server and host the web application. The web applications can be hosted by a plurality of Nginx servers, or one Nginx server can create a plurality of virtual machines, each of which hosts one web application;
Step S320. The Nginx server configures the key request header. The key may be an authorization key, and each Nginx server may configure an authorization key request header for its corresponding web application. If one Nginx server creates a plurality of virtual machines to host a plurality of web applications, the Nginx server can configure the same authorization key request header for the plurality of web applications;
Step S330. The web application configures the GIS function component to request GIS service from the proxy server. For example, the service prefix of the GIS function component parameter option may be configured as '/GIS';
Step S340. The Nginx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can point directly to the address of the GIS server to be accessed;
Step S350. The Nginx server forwards the configured GIS service access request to the GIS server. The configured authorization key of the web application can be put into the request header of the GIS service access request sent by the web application, and the GIS service access request carrying the authorization key is forwarded to the GIS server;
Step S360. The GIS server authenticates the authorization key of the web application and provides the GIS service. The data exchange module of the GIS server may verify the validity of the authorization key to decide whether to provide GIS services to each client application.
In this example embodiment, the GIS service access request sent by the web application to the Nginx server does not carry the authorization key, but the Nginx server puts the authorization key into the request header of the GIS service access request, so that the GIS service access request sent to the GIS server carries the authorization key. The authorization key of the client application program is arranged at the server, so that the authorization key can be prevented from being attacked at the client, for example, a malicious user is prevented from stealing the authorization key through decompiling, checking a source code and the like, and the security of GIS service access is improved. Moreover, the browsing history of the user is not exposed when the authorization key is used at the server side, and the privacy of the user can be protected. In addition, in step S320, if the Nginx server configures one same authorization key request header for multiple web applications, the GIS server may also uniformly deploy the multiple web applications according to the authorization key, which is not specifically limited by the present disclosure.
In an example embodiment, a plurality of client applications of different application types may also be deployed at the client application layer. For example, client applications may include three different application types: a web application, a native application, and an applet. Referring to fig. 4, a hybrid deployment of multi-terminal applications in which one key serves multiple purposes may be implemented according to steps S410 to S460.
Step S410. Install the Nginx server and host the client applications. For example, one Nginx server may create multiple virtual machines, each hosting a client application of one application type;
Step S420. The Nginx server configures the key request header. The Nginx server can uniformly configure the key request headers of the client applications of the three different application types, that is, the same authorization key can be configured for the client applications of the three different application types;
Step S430. The client application configures the GIS function component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS functional component parameter option as '/GIS', and the request addresses issued by the native application and the applet may be set to "http://./GIS";
Step S440. The Nginx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can point directly to the address of the GIS server to be accessed;
Step S450. The Nginx server forwards the configured GIS service access request to the GIS server. The configured authorization key can be put into the request header of the GIS service access request sent by each application, and the GIS service access request carrying the authorization key is forwarded to the GIS server;
Step S460. The GIS server authenticates the authorization key and provides the GIS service. The data exchange module of the GIS server may verify the validity of the authorization key to decide whether to provide GIS services to each client application.
In this example embodiment, the GIS service access request sent by each client application to the Nginx server does not carry an authorization key; instead, the Nginx server puts the authorization key into the request header of the GIS service access request, so that the GIS service access request sent to the GIS server carries the authorization key. Because the key (authorization key) is stored in the client's background server, namely the proxy server, clients of various application types can be served simultaneously, and deploying the server uniformly lets one key serve multiple purposes. While one key serves multiple purposes, the authorization key is still protected from attack at the client, and the security of GIS service access is increased.
In an example embodiment, the data exchange module of the GIS server may further authenticate the source of the request according to the authorization key, so as to perform resource allocation for the client application. For example, the client application layer may deploy client applications of a plurality of different application types. When the proxy server receives a GIS service access request sent by a client application program, the proxy server can acquire an authorization key and an application program type configured for the client application program. When the proxy service configured by the proxy server is the GIS service, the proxy server may use the authorization key and the application type of the client application as a request header of the GIS service access request, so that the GIS server performs resource allocation on the client application according to the application type and the authorization key of the client application.
After receiving the configured GIS service access request forwarded by the proxy server, the GIS server can acquire a request header in the GIS service access request, wherein the request header comprises an authorization key and an application program type of a client application program requesting the GIS service. The data exchange module of the GIS server can verify the authorization key of the client application program, and after the verification is passed, the calculation service module of the GIS server can determine the resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule and perform resource allocation on the client application program according to the resource allocation magnitude. For example, in the preset resource allocation rule, the resource allocation magnitude corresponding to the web application is level A, the resource allocation magnitude corresponding to the native application is level B, and the resource allocation magnitude corresponding to the applet is level C, and different resources can be loaded or different designated resources can be cached for different resource allocation magnitudes. For example, 50M of the first map resource may be loaded when the resource allocation level is level A, 10M of the second map resource may be loaded when the resource allocation level is level B, and 1M of the first map resource may be loaded when the resource allocation level is level C. For another example, when the resource allocation level is level A, the request may be made to the GIS server for 100 GIS services, when the resource allocation level is level B, the request may be made to the GIS server for 50 GIS services, and when the resource allocation level is level C, the request may be made to the GIS server for 20 GIS services.
The user can set the resource allocation magnitude differently according to actual requirements, which is not specifically limited by the present disclosure.
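The allocation rule above can be enforced with a per-key, per-type ledger that also produces the quota consumption statistics. The following is an added example, not code from the patent: the type names web, native and applet, the class and method names, and the reading of the 100/50/20 figures as request counts are assumptions, and the period after which counts reset is left open because the description does not state one.

```python
from collections import Counter

# Allocation rule from the description; type names are assumed spellings.
LEVEL_BY_APP_TYPE = {"web": "A", "native": "B", "applet": "C"}
REQUESTS_BY_LEVEL = {"A": 100, "B": 50, "C": 20}


class QuotaLedger:
    """Tracks quota use per (authorization key, application type).

    The caller passes a key that has already passed verification; this
    class only applies the resource allocation rule.
    """

    def __init__(self, level_by_type=None, requests_by_level=None):
        self._level_by_type = dict(level_by_type or LEVEL_BY_APP_TYPE)
        self._requests_by_level = dict(requests_by_level or REQUESTS_BY_LEVEL)
        self._used = Counter()      # (key, app_type) -> requests served
        self._rejected = Counter()  # (key, app_type) -> requests refused

    def consume(self, verified_key, app_type):
        """Charge one request; return (allowed, remaining)."""
        bucket = (verified_key, app_type)
        level = self._level_by_type.get(app_type)
        if level is None:
            # Fail closed: a type outside the rule gets no allocation.
            self._rejected[bucket] += 1
            return False, 0
        limit = self._requests_by_level[level]
        if self._used[bucket] >= limit:
            self._rejected[bucket] += 1
            return False, 0
        self._used[bucket] += 1
        return True, limit - self._used[bucket]

    def report(self, verified_key):
        """Quota consumption statistics for one authorization key."""
        stats = {}
        for app_type, level in self._level_by_type.items():
            bucket = (verified_key, app_type)
            stats[app_type] = {
                "level": level,
                "used": self._used[bucket],
                "limit": self._requests_by_level[level],
                "rejected": self._rejected[bucket],
            }
        unknown = sum(
            count for (key, app_type), count in self._rejected.items()
            if key == verified_key and app_type not in self._level_by_type
        )
        stats["unrecognized"] = {"rejected": unknown}
        return stats

    def reset(self):
        """Start a new accounting period (the period length is a policy choice)."""
        self._used.clear()
        self._rejected.clear()


if __name__ == "__main__":
    ledger = QuotaLedger()
    shared_key = "constructed-shared-key"  # one key shared by three app types
    for _ in range(21):
        ledger.consume(shared_key, "applet")
    ledger.consume(shared_key, "web")
    print(ledger.report(shared_key))
```

Because the buckets are keyed by both the authorization key and the application type, a single key shared by all three application types still gives each type its own limit. The application type is trustworthy only if the proxy sets that header itself and overwrites whatever the client sent.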
Illustratively, client applications may include three different application types: web applications, native applications, and applets. Referring to fig. 5, precise quota control may be implemented on the basis of hybrid deployment of multi-terminal applications according to steps S510 to S560, in combination with a preset resource allocation rule.
Step S510. Install the Nginx server and host the client applications.
Step S520. The Nginx server configures the key request header and the application type request header. Each Nginx server can configure an authorization key request header for each client application and can also configure an application type request header for each client application;
Step S530. The client application configures the GIS function component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS functional component parameter option as '/GIS', and the request addresses issued by the native application and the applet may be set to "http://./GIS";
Step S540. The Nginx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can point directly to the address of the GIS server to be accessed;
Step S550. The Nginx server forwards the configured GIS service access request to the GIS server. The configured authorization key and application type can be placed into the request header of the GIS service access request sent by each application, and the GIS service access request carrying the authorization key and the application type is forwarded to the GIS server;
Step S560. The GIS server authenticates the authorization key and allocates resources to each client application according to the application type. The data exchange module of the GIS server can verify the validity of the authorization key, and after the verification is passed, the data exchange module can also identify the request source according to the application type and collect quota consumption statistics, so that the calculation service module of the GIS server performs quota control separately on different client applications; for example, hierarchical quota control of data can be realized in combination with the cache function of the GIS server. For example, different client applications may load different map resources or cache specified resources, which may avoid unnecessary quota consumption due to excessive resource allocation in a high concurrency scenario.
In this example embodiment, the GIS service access request sent by each client application to the Nginx server does not carry an authorization key; instead, the Nginx server puts the authorization key into the request header of the GIS service access request, so that the GIS service access request sent to the GIS server carries the authorization key. By adopting the cross-domain restriction mechanism of the web server (proxy server), with the web server performing domain control automatically, quota stealing by malicious users can be prevented, and the security of GIS service access is improved.
In an example embodiment, the data exchange module in the GIS server may further collect statistics on user data by tracking the request source, and accurately provide personalized services to the user. For example, the client application layer may deploy a plurality of client applications of different application types, and when the proxy server receives a GIS service access request sent by a client application, the proxy server may obtain the authorization key configured for the client application and the user identifier of a target user. When the proxy service configured by the proxy server is the GIS service, the proxy server may use the authorization key of the client application and the user identifier of the target user as request headers of the GIS service access request, so that the GIS server performs resource allocation on the client application according to the application type of the client application and the authorization key, and counts the user information of the target user according to the user identifier of the target user and the authorization key of the client application.
After receiving the configured GIS service access request forwarded by the proxy server, the GIS server may obtain a request header in the GIS service access request, where the request header includes an authorization key of a client application requesting GIS service and a user identifier of a target user. The data exchange module of the GIS server can verify the authorization key of the client application program, and after the verification is passed, the calculation service module of the GIS server can count the user information of the target user according to the user identification of the target user and provide the corresponding GIS service for the target user according to the user information of the target user. For example, a historical travel route of the target user can be obtained according to the user identifier of the target user, correspondingly, a road condition prediction service for the historical travel route can be provided for the target user, a historical travel location of the target user, such as a plurality of scenic spots that the user has gone through, can also be obtained according to the user identifier of the target user, and correspondingly, a scenic spot recommendation service can be provided for the target user. It should be noted that the GIS server needs to be approved by the user when recording the user information.
For example, client applications may include three different application types: a web application, a native application, and an applet. Referring to fig. 6, the user information may be counted according to steps S610 to S660, and more accurate personalized services may be provided for the user.
Step S610. Install the Nginx server and host the client applications.
Step S620. The Nginx server configures the key request header and the token request header. The key is an authorization key and can uniquely identify a client application, and the token is a user identifier and can uniquely identify a user. Each Nginx server can configure an authorization key request header for each client application, and can also configure a user identifier request header for each client application;
Step S630. The client application configures the GIS function component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS functional component parameter option as '/GIS', and the request addresses issued by the native application and the applet may be set to "http://./GIS";
Step S640. The Nginx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can point directly to the address of the GIS server to be accessed;
Step S650. The Nginx server forwards the configured GIS service access request to the GIS server. The configured authorization key and user identifier can be placed into the request header of the GIS service access request sent by each application, and the GIS service access request carrying the authorization key and the user identifier is forwarded to the GIS server;
Step S660. The GIS server authenticates the authorization key and provides personalized GIS service for the target user according to the user identifier. The data exchange module of the GIS server can verify the validity of the authorization key, and after the verification is passed, the user's data can be counted according to the combination of the authorization key and the user identifier; for example, the user's travel and positioning data can be counted, and personalized service can be provided for the user more accurately according to the user data obtained through counting.
In this example embodiment, the GIS service access request sent by each client application to the Nginx server does not carry an authorization key; instead, the Nginx server puts the authorization key into the request header of the GIS service access request, so that the GIS service access request sent to the GIS server carries the authorization key. By adopting the cross-domain restriction mechanism of the web application, with the web application performing domain control automatically and traffic filtering being performed in combination with the user identifier at the proxy server, quota theft by a malicious user can be prevented, and the security of GIS service access is improved. Moreover, moving the traffic filtering forward from the GIS server to the client (web application) can reduce the pressure on the GIS server and improve the efficiency with which the GIS server provides service.
In the access control method for the GIS service provided by the disclosed example embodiment, a GIS service access request is received, the GIS service access request being generated by a client application configuring a GIS functional component; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server; and the GIS server verifies the configured GIS service access request and provides the corresponding GIS service for the client application program after the verification is passed. On one hand, when the client application program requests the GIS service, the authorization key of the client application program is kept at the server, so that the authorization key is protected from attack at the client, and the security of GIS service access is improved; on the other hand, by freely configuring the GIS functional components, the target service requested by the user can be flexibly provided, and the user experience is improved.
It should be noted that although the various steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that these steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Further, in the present exemplary embodiment, an access control device for a GIS service is also provided. Referring to fig. 7, the access control device 700 of the GIS service may include a service request receiving module 710, a service request configuring module 720, and a service request processing module 730, wherein:
the service request receiving module 710 is configured to receive a GIS service access request, where the GIS service access request is generated by configuring a GIS functional component by a client application;
a service request configuration module 720, used for configuring, by the proxy server, the GIS service access request according to the authorization key of the client application program, and forwarding the configured GIS service access request to the GIS server;
and the service request processing module 730 is used for verifying the configured GIS service access request by the GIS server, and providing the corresponding GIS service to the client application program after the verification is passed.
In an alternative embodiment, the service request configuration module 720 includes:
a first data acquisition unit configured to acquire an authorization key of the client application;
and the first request configuration unit is used for taking an authorization key of the client application program as a request header of the GIS service access request when the proxy service configured by the proxy server is the GIS service.
In an alternative embodiment, the service request configuration module 720 includes:
and the second request configuration unit is used for configuring the same authorization key for a plurality of client application programs when the proxy service configured by the proxy server is the GIS service, and taking the authorization key as a request header of the GIS service access request.
In an alternative embodiment, the client application comprises a client application of at least one application type, and the service request configuration module 720 comprises:
the second data acquisition unit is used for acquiring the authorization key and the application program type of the client application program;
and the third request configuration unit is used for taking the authorization key and the application program type of the client application program as the request header of the GIS service access request when the proxy service configured by the proxy server is the GIS service.
In an alternative embodiment, the service request configuration module 720 includes:
a third data obtaining unit, configured to obtain an authorization key of the client application and a user identifier of a target user;
and the fourth request configuration unit is used for taking the authorization key of the client application program and the user identifier of the target user as the request header of the GIS service access request when the proxy service configured by the proxy server is the GIS service.
In an alternative embodiment, the service request processing module 730 includes:
a first request header obtaining module, configured to obtain, by the GIS server, a request header in the configured GIS service access request, where the request header includes an authorization key of the client application program;
and the first task providing module is used for verifying the authorization key of the client application program and providing GIS service to the client application program after the verification is passed.
In an alternative embodiment, the service request processing module 730 includes:
a second request header obtaining module, configured to obtain, by the GIS server, a request header in the configured GIS service access request, where the request header includes an authorization key and an application type of the client application;
the second task providing module is used for verifying the authorization key of the client application program; after the verification is passed, determining a resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule; and performing resource allocation on the client application program according to the resource allocation magnitude.
In an alternative embodiment, the service request processing module 730 includes:
a third request header obtaining module, configured to obtain, by the GIS server, a request header in the configured GIS service access request, where the request header includes an authorization key of the client application program and a user identifier of a target user;
the third task providing module is used for verifying the authorization key of the client application program; after the verification is passed, counting the user information of the target user according to the user identification of the target user; and providing corresponding GIS service for the target user according to the user information of the target user.
The details of each module in the access control device for GIS services are described in detail in the access control method for GIS services, and therefore are not described herein again.
Each module in the above apparatus may be a general-purpose processor, including: a central processing unit, a network processor, etc.; but may also be a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components. The modules may also be implemented in software, firmware, etc. The processors in the above device may be independent processors or may be integrated together.
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing an electronic device to perform the steps according to various exemplary embodiments of the disclosure described in the above-mentioned "exemplary methods" section of this specification, when the program product is run on the electronic device. The program product may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on an electronic device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The exemplary embodiment of the present disclosure also provides an electronic device capable of implementing the above method. An electronic device 800 according to such an exemplary embodiment of the present disclosure is described below with reference to Fig. 8. The electronic device 800 shown in Fig. 8 is only an example and should not bring any limitations to the functionality and scope of use of the embodiments of the present disclosure.
As shown in Fig. 8, electronic device 800 may take the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: at least one processing unit 810, at least one memory unit 820, a bus 830 connecting the various system components including the memory unit 820 and the processing unit 810, and a display unit 840.
The storage unit 820 stores program code that may be executed by the processing unit 810 to cause the processing unit 810 to perform steps according to various exemplary embodiments of the present disclosure described in the "exemplary methods" section above in this specification. For example, processing unit 810 may perform any one or more of the method steps of Figs. 2-7.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access storage unit (RAM) 821 and/or a cache storage unit 822, and may further include a read only storage unit (ROM) 823.
The electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the exemplary embodiments of the present disclosure.
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (12)
1. An access control method for a GIS service, comprising:
receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;
the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server;
and the GIS server verifies the configured GIS service access request and provides corresponding GIS service for the client application program after the verification is passed.
2. The method of claim 1, wherein the proxy server configuring the GIS service access request according to the authorization key of the client application comprises:
obtaining an authorization key of the client application program;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key of the client application program as a request header of the GIS service access request.
3. The method of claim 1, wherein the proxy server configuring the GIS service access request according to the authorization key of the client application comprises:
and when the proxy service configured by the proxy server is the GIS service, configuring the same authorization key for a plurality of client application programs, and using the authorization key as a request header of the GIS service access request.
4. The method of claim 1, wherein the client application comprises at least one application type client application, and wherein the proxy server configures the GIS service access request according to an authorization key of the client application, comprising:
obtaining an authorization key and an application program type of the client application program;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key and the application program type of the client application program as a request header of the GIS service access request.
5. The method of claim 1, wherein the proxy server configuring the GIS service access request according to the authorization key of the client application comprises:
obtaining an authorization key of the client application program and a user identifier of a target user;
and when the proxy service configured by the proxy server is the GIS service, taking the authorization key of the client application program and the user identification of the target user as the request header of the GIS service access request.
6. The method of claim 1, wherein the step of verifying the configured GIS service access request by the GIS server and providing the corresponding GIS service to the client application after the verification is passed comprises:
the GIS server acquires a request header in the configured GIS service access request, wherein the request header comprises an authorization key of the client application program;
and verifying the authorization key of the client application program, and providing GIS service to the client application program after the verification is passed.
7. The method of claim 1, wherein the step of verifying the configured GIS service access request by the GIS server and providing the corresponding GIS service to the client application after the verification is passed comprises:
the GIS server acquires a request header in the configured GIS service access request, wherein the request header comprises an authorization key and an application program type of the client application program;
verifying an authorization key of the client application;
after the verification is passed, determining a resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule;
and performing resource allocation on the client application program according to the resource allocation magnitude.
8. The method of claim 1, wherein the step of verifying the configured GIS service access request by the GIS server and providing the corresponding GIS service to the client application after the verification is passed comprises:
the GIS server acquires a request header in the configured GIS service access request, wherein the request header comprises an authorization key of the client application program and a user identifier of a target user;
verifying an authorization key of the client application;
after the verification is passed, counting the user information of the target user according to the user identification of the target user;
and providing corresponding GIS service for the target user according to the user information of the target user.
9. An access control device for a GIS service, comprising:
the service request receiving module is used for receiving a GIS service access request, and the GIS service access request is generated by configuring a GIS functional component by a client application program;
the service request configuration module is used for configuring the GIS service access request by the proxy server according to the authorization key of the client application program and forwarding the configured GIS service access request to the GIS server;
and the service request processing module is used for verifying the configured GIS service access request by the GIS server and providing corresponding GIS service for the client application program after the verification is passed.
10. A GIS cloud platform service architecture, which is characterized in that the GIS cloud platform service architecture comprises a client application layer, a GIS capability layer and a GIS service layer, wherein the client application layer comprises at least one client application program, the GIS capability layer comprises at least one GIS functional component, wherein,
the client application layer is used for receiving a GIS service access request, and the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures the GIS service access request according to the authorization key of the client application program and forwards the configured GIS service access request to a GIS server;
and the GIS service layer is used for verifying the configured GIS service access request by the GIS server and providing corresponding GIS service for the client application program after the verification is passed.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 8.
12. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1-8 via execution of the executable instructions.
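The request flow of claims 1, 4, 5 and 6 to 8, sketched as an added example that is not code from the patent. The header names, application registry, key values and allocation figures are constructed assumptions; stripping client-supplied copies of the injected headers and comparing keys in constant time are hardening choices added here, which the claims do not state.

```python
import hmac

# Header names are assumptions for this example; the claims only say that the
# key, application type and user identifier are placed in the request header.
H_KEY, H_TYPE, H_USER = "X-GIS-Auth-Key", "X-GIS-App-Type", "X-GIS-User-Id"
INJECTED = {h.lower() for h in (H_KEY, H_TYPE, H_USER)}

# Constructed proxy-side registry: client application -> (authorization key, type).
PROXY_APPS = {
    "web-map": ("k-web-7f3a", "web"),
    "field-app": ("k-mob-91c2", "mobile"),
}
# Constructed server-side state: accepted keys and the preset allocation rule.
SERVER_KEYS = ("k-web-7f3a", "k-mob-91c2")
ALLOCATION_RULE = {"web": 100, "mobile": 20}  # requests per minute, constructed
DEFAULT_ALLOCATION = 5


def proxy_configure(app_id, request, user_id=None, proxied_service="gis"):
    """Proxy step (claims 2, 4, 5): add key, app type and user id as headers."""
    if proxied_service != "gis":
        return request  # only requests proxied to the GIS service are configured
    if app_id not in PROXY_APPS:
        raise PermissionError("unknown client application: " + app_id)
    key, app_type = PROXY_APPS[app_id]
    # Discard anything the client sent under the injected names (any casing),
    # so the GIS server only ever sees values set by the proxy.
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() not in INJECTED}
    headers[H_KEY] = key
    headers[H_TYPE] = app_type
    if user_id is not None:  # user_id is the identity the proxy has established
        headers[H_USER] = user_id
    return {**request, "headers": headers}


class GisServer:
    """Server step (claims 6 to 8): verify the key, then allocate and count."""

    def __init__(self):
        self.user_stats = {}  # per-user request counts (claim 8)

    def handle(self, request):
        headers = request.get("headers", {})
        presented = headers.get(H_KEY, "").encode()
        valid = False
        for known in SERVER_KEYS:  # check every key, each in constant time
            valid |= hmac.compare_digest(presented, known.encode())
        if not valid:
            return {"status": 401, "reason": "authorization key rejected"}
        quota = ALLOCATION_RULE.get(headers.get(H_TYPE), DEFAULT_ALLOCATION)
        user = headers.get(H_USER)
        if user is not None:
            self.user_stats[user] = self.user_stats.get(user, 0) + 1
        return {"status": 200, "service": request.get("path"), "quota": quota,
                "user_requests": self.user_stats.get(user, 0)}


if __name__ == "__main__":
    server = GisServer()
    # Constructed request: a mobile client claiming the "web" allocation tier.
    raw = {"path": "/tiles/12/3370/1552",
           "headers": {"x-gis-app-type": "web", "Accept": "image/png"}}
    print(server.handle(raw))  # sent straight to the GIS server: 401
    print(server.handle(proxy_configure("field-app", raw, user_id="u-17")))
```

The scheme only holds if the GIS server is reachable solely through the proxy, since the key is a static bearer value that any party able to observe the proxy-to-server hop could replay.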
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111276175.1A CN114006757B (en) | 2021-10-29 | 2021-10-29 | Access control method, device, architecture, medium and equipment for GIS service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114006757A (en) | 2022-02-01 |
CN114006757B (en) | 2024-04-05 |
Family
ID=79925557
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111276175.1A Active CN114006757B (en) | 2021-10-29 | 2021-10-29 | Access control method, device, architecture, medium and equipment for GIS service |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114006757B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101247391A (en) * | 2007-12-28 | 2008-08-20 | 上海电力学院 | OPC safety proxy system and proxy method thereof |
CN103716326A (en) * | 2013-12-31 | 2014-04-09 | 华为技术有限公司 | Resource access method and URG |
CN106789909A (en) * | 2016-11-22 | 2017-05-31 | 北京奇虎科技有限公司 | The network data transmission method of application program, apparatus and system |
CN111030827A (en) * | 2019-12-06 | 2020-04-17 | 深圳乐信软件技术有限公司 | Information interaction method and device, electronic equipment and storage medium |
CN111193704A (en) * | 2019-10-28 | 2020-05-22 | 腾讯科技(深圳)有限公司 | HTTP communication method and device |
CN111756744A (en) * | 2020-06-24 | 2020-10-09 | 中国平安财产保险股份有限公司 | H5 user identification method, device, equipment and storage medium |
CN112232751A (en) * | 2020-09-03 | 2021-01-15 | 微民保险代理有限公司 | Service data processing method, device, system, computer equipment and storage medium |
CN112597039A (en) * | 2020-12-28 | 2021-04-02 | 南方电网深圳数字电网研究院有限公司 | Virtual machine access method, system, device and computer readable storage medium |
CN112637124A (en) * | 2020-11-23 | 2021-04-09 | 中信银行股份有限公司 | Message processing method and device, electronic equipment and computer readable storage medium |
CN112671705A (en) * | 2020-11-23 | 2021-04-16 | 中信银行股份有限公司 | Message processing method and device, electronic equipment and computer readable storage medium |
CN113204772A (en) * | 2021-04-26 | 2021-08-03 | 五八有限公司 | Data processing method, device, system, terminal, server and storage medium |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115379011A (en) * | 2022-04-25 | 2022-11-22 | 上海数慧系统技术有限公司 | Data processing method and device applied to geographic information system service |
CN115379011B (en) * | 2022-04-25 | 2024-04-26 | 上海数慧系统技术有限公司 | Data processing method and device applied to geographic information system service |
Also Published As
Publication number | Publication date |
---|---|
CN114006757B (en) | 2024-04-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10171455B2 (en) | Protection of application passwords using a secure proxy | |
US9769266B2 (en) | Controlling access to resources on a network | |
CN102137059B (en) | Method and system for blocking malicious accesses | |
EP3203709B1 (en) | Cloud service server and method for managing cloud service server | |
CN110300133B (en) | Cross-domain data transmission method, device, equipment and storage medium | |
US9934310B2 (en) | Determining repeat website users via browser uniqueness tracking | |
US8914864B1 (en) | Temporary virtual identities in a social networking system | |
US10387872B2 (en) | Browser-based payment for content | |
CN110324416B (en) | Download path tracking method, device, server, terminal and medium | |
CN116170234B (en) | Single sign-on method and system based on virtual account authentication | |
CN113391796A (en) | Construction method, device, equipment and medium of integrated development environment | |
CN114785590A (en) | Login method, device, equipment and storage medium | |
CN107979577B (en) | Terminal authentication method and device | |
CN114006757B (en) | Access control method, device, architecture, medium and equipment for GIS service | |
CN113961836A (en) | Page jump method and device, electronic equipment and storage medium | |
CN111935092B (en) | Information interaction method and device based on third-party application and electronic equipment | |
CN111901289B (en) | Identity authentication method, device, equipment and storage medium | |
CN111901290B (en) | Identity authentication method and device | |
CN108259456B (en) | Method, device, equipment and computer storage medium for realizing user login-free | |
CN109857488B (en) | Application program call control method and device, terminal and readable storage medium | |
CN111131369B (en) | APP use condition transmission method and device, electronic equipment and storage medium | |
CN113660274B (en) | Website information processing method and device, storage medium and electronic equipment | |
US8214499B2 (en) | System and method for enabling software applications as a service in a non-intrusive manner | |
CN114444068A (en) | Data access method, device, equipment and medium for third-party application program | |
CN117221392A (en) | Middleware service aggregation management method and system based on network routing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||