CN114006757B

CN114006757B - Access control method, device, architecture, medium and equipment for GIS service

Info

Publication number: CN114006757B
Application number: CN202111276175.1A
Authority: CN
Inventors: 张克飞
Original assignee: BOE Technology Group Co Ltd
Current assignee: BOE Technology Group Co Ltd
Priority date: 2021-10-29
Filing date: 2021-10-29
Publication date: 2024-04-05
Anticipated expiration: 2041-10-29
Also published as: CN114006757A

Abstract

The disclosure provides a GIS service access control method and device, a GIS cloud platform service architecture, a storage medium and electronic equipment; relates to the technical field of computers. The method comprises the following steps: receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures a GIS service access request according to an application key of the client application program, and forwards the configured GIS service access request to the GIS server; and the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service for the client application program after the verification is passed. When the client application program requests the GIS service, the authorization key of the client application program is arranged at the server, so that the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved.

Description

Access control method, device, architecture, medium and equipment for GIS service

Technical Field

The disclosure relates to the technical field of computers, in particular to a GIS service access control method, a GIS service access control device, a GIS cloud platform service architecture, a computer readable storage medium and electronic equipment.

Background

With the development of internet geographic information technology in recent years, more and more geographic information is exposed to the outside in a service manner. The GIS (Geographic Information System ) is a technology for acquiring, processing, managing and analyzing geospatial data, and any application program related to spatial location may use GIS technology.

Taking the example of a web application requesting services from a GIS platform, it is currently possible to verify an authorization key carried by a client through the GIS platform to determine whether to provide services to the web application. However, when the authorization key is used in the front-end environment, the authorization key is easy to decompil, so that the authorization key is leaked, and the security of GIS service access is reduced.

Therefore, how to guarantee the security in the GIS service opening process is important.

It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.

Disclosure of Invention

The disclosure aims to provide a GIS service access control method, a GIS service access control device, a GIS cloud platform service architecture, a computer readable storage medium and electronic equipment, so as to overcome the problem of low GIS service access security caused by related technologies at least to a certain extent.

According to a first aspect of the present disclosure, there is provided an access control method for a GIS service, including:

receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;

the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server;

and the GIS server verifies the configured GIS service access request, and provides corresponding GIS service for the client application program after the verification is passed.

In an exemplary embodiment of the disclosure, the proxy server configures the GIS service access request according to an authorization key of the client application, including:

acquiring an authorization key of the client application program;

and when the proxy service configured by the proxy server is GIS service, taking the authorization key of the client application program as a request head of the GIS service access request.

And when the proxy service configured by the proxy server is GIS service, configuring the same authorization key for a plurality of client application programs, and taking the authorization key as a request head of the GIS service access request.

the proxy server receives GIS service access requests sent by a plurality of client side application programs;

and when the proxy service configured by the proxy server is GIS service, configuring the same authorization key for the plurality of client side application programs, and taking the authorization key as a request head of the GIS service access request.

In an exemplary embodiment of the disclosure, the client application includes a client application of at least one application type, and the proxy server configures the GIS service access request according to an authorization key of the client application, including:

acquiring an authorization key and an application type of the client application;

and when the proxy service configured by the proxy server is GIS service, taking the authorization key and the application type of the client application program as a request head of the GIS service access request.

acquiring an authorization key of the client application program and a user identification of a target user;

and when the proxy service configured by the proxy server is GIS service, taking the authorization key of the client application program and the user identification of the target user as request heads of the GIS service access request.

In an exemplary embodiment of the present disclosure, the GIS server verifies the configured GIS service access request, and provides, after the verification is passed, a corresponding GIS service to the client application program, including:

the GIS server obtains a request header in the configured GIS service access request, wherein the request header contains an authorization key of the client application program;

and verifying the authorization key of the client application program, and providing GIS service for the client application program after the verification is passed.

The GIS server obtains a request header in the configured GIS service access request, wherein the request header contains an authorization key and an application type of the client application;

verifying an authorization key of the client application program;

after verification is passed, determining a resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule;

and carrying out resource allocation on the client application program according to the resource allocation magnitude.

In an exemplary embodiment of the disclosure, the GIS server obtains a request header in the configured GIS service access request, where the request header includes an authorization key of the client application and a user identifier of a target user;

verifying an authorization key of the client application program;

after verification is passed, user information of the target user is counted according to the user identification of the target user;

and providing corresponding GIS service for the target user according to the user information of the target user.

According to a second aspect of the present disclosure, there is provided an access control apparatus for a GIS service, including:

the service request receiving module is used for receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;

The service request configuration module is used for configuring the GIS service access request according to the authorization key of the client application program by the proxy server and forwarding the configured GIS service access request to the GIS server;

and the service request processing module is used for verifying the configured GIS service access request by the GIS server, and providing corresponding GIS service for the client application program after the verification is passed.

According to a third aspect of the present disclosure, there is provided a GIS cloud platform service architecture comprising a client application layer, a GIS capability layer and a GIS service layer, the client application layer comprising at least one client application program, the GIS capability layer comprising at least one GIS functional component, wherein,

the client application layer is used for receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server;

and the GIS service layer is used for verifying the configured GIS service access request by the GIS server, and providing corresponding GIS service for the client application program after verification.

According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of the above.

According to a fifth aspect of the present disclosure, there is provided an electronic device comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any of the above via execution of the executable instructions.

Exemplary embodiments of the present disclosure may have some or all of the following advantages:

in the access control method of the GIS service provided by the example embodiment of the disclosure, a GIS service access request is received, wherein the GIS service access request is generated by configuring a GIS function component by a client application program; the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server; and the GIS server verifies the configured GIS service access request, and provides corresponding GIS service for the client application program after the verification is passed. On the one hand, when the client application program requests the GIS service, the authorization key of the client application program is arranged at the server, so that the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved; on the other hand, through freely configuring the GIS functional components, the target service requested by the user can be flexibly provided, and the user experience is improved.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.

FIG. 1 illustrates a schematic diagram of an exemplary system architecture to which the access control method and apparatus of a GIS service of embodiments of the present disclosure may be applied;

FIG. 2 schematically illustrates a flow chart of a method of access control of a GIS service according to one embodiment of the present disclosure;

FIG. 3 schematically illustrates a flow diagram of a stand-alone deployment client application in accordance with one embodiment of the present disclosure;

FIG. 4 schematically illustrates a flow diagram for implementing a multi-terminal application hybrid deployment of a key utility in accordance with one embodiment of the present disclosure;

FIG. 5 schematically illustrates a flow diagram for implementing quota accurate control in accordance with one embodiment of the disclosure;

FIG. 6 schematically illustrates a flow diagram for providing personalized services according to one embodiment of the disclosure;

fig. 7 schematically illustrates a block diagram of an access control device of a GIS service according to one embodiment of the disclosure;

fig. 8 schematically illustrates a structural schematic diagram of a computer system suitable for use in implementing the electronic device of the embodiments of the present disclosure.

Detailed Description

Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present disclosure. One skilled in the relevant art will recognize, however, that the aspects of the disclosure may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.

Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.

Fig. 1 is a schematic diagram of an exemplary system architecture to which the access control method and apparatus of the GIS service of the embodiments of the present disclosure may be applied.

As shown in fig. 1, GIS cloud platform service architecture 100 may include GIS service layer 101, GIS capability layer 102, and client application layer 103. The GIS service layer 101 may include a GIS server, which may provide GIS services, which may be a geographic information computing service, a spatial data storage service, and the like. The GIS capability layer 102 may include at least one GIS functional component. Illustratively, the GIS function component may be a display tool component, such as a map sitting identifier, a map editor, etc., or a selection tool component for route planning. The client application layer 103 may include at least one terminal device, which may be a cloud device, or may be various electronic devices, including but not limited to desktop computers, portable computers, smart phones, tablet computers, and the like. For example, a client application, such as a browser, may be installed on the terminal device, through which a web application may be run. It should be noted that, the client application layer 103 may include one or more client applications of the same application type, or may include a plurality of client applications of different application types. For example, a plurality of web applications may be deployed at the client application layer 103, and a plurality of client applications such as a web application, a native application, and an applet may be deployed, which is not particularly limited in this disclosure. The GIS capability layer 102 runs on the GIS service layer 101, and can provide GIS services to the client application layer 103 through a standardized interface. The client application layer 103 runs on the GIS capability layer 102, and can call GIS services to the GIS capability layer 102 through a standardized interface.

It should be understood that the number of terminal devices, GIS functional components and GIS servers in fig. 1 is merely illustrative. There may be any number of terminal devices, GIS functional components, and GIS servers, as desired for implementation. For example, the GIS server may be one GIS server, a server cluster formed by a plurality of GIS servers, or a virtualization center, which is not particularly limited in this disclosure.

It should be noted that, since the application server cannot provide the GIS service for the client application, the GIS service request needs to be proxied to the GIS server by the proxy server to provide the GIS service for the client application. Thus, a proxy server may be used in example embodiments of the present disclosure to provide background services for client applications.

Illustratively, the GIS capability layer 102 may be configured to request GIS services from a proxy server, which in turn requests GIS services from the GIS server carrying authentication information, which may be an authorization key, for example. Specifically, the client application layer 103 may be configured to receive a GIS service access request, where the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures a GIS service access request according to an authorization key of the client application program, and forwards the configured GIS service access request to the GIS server; the GIS service layer 101 may be configured to verify the configured GIS service access request by using a GIS server, and provide a corresponding GIS service to the client application program after the verification is passed.

In the exemplary embodiment of the present disclosure, the GIS cloud platform service architecture 100 may also be divided into an external application, a data exchange module, and a computing service module in the longitudinal direction. External applications may include client applications (e.g., web applications, native applications, applets, etc.) and proxy servers, among others. The client application may configure the GIS function component to request GIS services from the proxy server, the proxy server may configure an authorization key for the request, and proxy the request carrying the authorization key to the GIS server to cause the GIS server to provide GIS services for the client application. The data exchange module is located between the computing service module and the external application program and can be used for authenticating the validity and control of the authorization key, statistics and authentication request sources. For example, GIS service is provided when the authentication authorization key has been authorized, GIS service is denied if not authorized. For another example, the request source can be identified according to the authorization key, so that resource allocation can be performed on client application programs of different application program types, statistics of user data can be realized by counting the request source, and personalized services can be accurately provided for the user. The computing service module can comprise a bottom virtual resource layer, a GIS service layer and a GIS capability layer, wherein the bottom virtual resource layer can comprise a processor, an internal memory, an external memory and a network, the GIS service layer operates on the bottom virtual resource layer and can comprise a GIS data processing center, a GIS storage center and a GIS service center, and the GIS capability layer can interact with the GIS service layer to jointly provide GIS service for users.

The following describes the technical scheme of the embodiments of the present disclosure in detail:

taking web application-based GIS cloud platform service authorization as an example, an authorization key may be typically appended when a cloud application SDK (Software Development Kit ) is introduced, and a reference white list may be set at the cloud application console. In the reference protection mechanism, the reference request header sent by the browser to the server may contain the address of the source page of the current request page, which indicates that the current request page is entered through the source page URL (Uniform Resource Locator ). Meanwhile, the server can use the reference request head to identify the access source and perform statistical analysis, log recording, cache optimization and the like.

It can be seen that the method requests the GIS service by carrying the authorization key with the front-end js file (JavaScript code, text document with ". Js" as extension). However, using the authorization key in the front-end environment may expose the user's browsing history and be easily decompiled, such that the authorization key leaks, thereby causing GIS service abuse. In addition, when the protocol adopted by the source page is a file or data URL representing the local file, or the current request page adopts an unsafe protocol, and the source page adopts a safe protocol, the browser does not send a reference request header to the server. If the reference request head is used for authentication, the server side does not provide GIS service, otherwise, the authorization authority is required to be set as 'all permission', so that the security of GIS service access is reduced.

Based on one or more of the above problems, the present exemplary embodiment provides an access control method for GIS service. Referring to fig. 2, the access control method of the GIS service may include steps S210 to S230:

s210, a GIS service access request is received, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program;

s220, the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server;

and S230, the GIS server verifies the configured GIS service access request, and provides corresponding GIS service for the client application program after verification.

Next, the above steps of the present exemplary embodiment will be described in more detail.

In step S210, a GIS service access request is received, where the GIS service access request is generated by a client application configuring a GIS functional component.

In the example embodiment of the disclosure, when the client application program requests the GIS cloud platform for service, the authorization key may be selectively configured at the server to avoid leakage of the authorization key at the client, thereby enhancing security of GIS service access. For example, the client application may be hosted by a proxy server, and the provision of GIS services by the proxy server to the client application may be implemented in a reverse proxy manner. Taking a web application program as an example, after receiving a GIS service access request sent by the web application program, the proxy server can forward the GIS service access request to the GIS server first, and return the GIS service provided by the GIS server to the web application program. The proxy server may be a server with a reverse proxy function, such as an nginnx server, a Varnish server, an ATS server, and the like, which is not specifically limited in this disclosure.

The client application may configure the GIS function component to request GIS services from the proxy server. Specifically, when the client application program requests the GIS service from the proxy server, the service parameters of the GIS functional component may be configured as the GIS service, and a GIS service access request may be generated, and then the GIS service access request may be sent to the proxy server to request the GIS service. Wherein configuring the service parameters of the GIS functional component to GIS services may be configuring the service prefix of GIS functional component parameter option to '/GIS ', such as option: { server: '/GIS/. The// specified GIS background service prefix }. The GIS service access request may be an HTTP (HyperText Transfer Protool, hypertext transfer protocol) request, which may consist of a request line, a request header, a blank line, and request data. Wherein the request header consists of a key/value pair for informing the server about the information requested by the client. The request line is composed of a request method field, a URL field, and an HTTP protocol version field. The HTTP protocol request line may have a request method of GET, POST, HEAD or the like, which describes an operation that the server should perform. The URL field is used to describe which resource the request method is to be executed on. The HTTP protocol version field is used to inform the server what HTTP protocol the client uses.

According to the GIS service request method and device, the GIS functional component can be configured to request GIS service from the proxy server, and target tasks requested by the GIS functional component can be freely configured to meet actual demands of users instead of directly requesting fixed cloud service addresses, so that user experience is improved.

In step S220, the proxy server configures the GIS service access request according to the authorization key of the client application, and forwards the configured GIS service access request to the GIS server.

In example embodiments of the present disclosure, the proxy server may also configure various proxy services, such as GIS services. When the proxy server receives a GIS service access request sent by a client application program, an authorization key configured for the client application program can be obtained. When the corresponding GIS reverse proxy service is matched according to the GIS service access request, that is, the proxy service configured by the proxy server is also GIS service, the reverse proxy parameter proxy_pass configured by the proxy server can directly point to the address of the GIS server to be accessed. In the reverse proxy process, the authorization key of the client application program can be used as the request head of the GIS service access request. For example, the authorization key of the client application may be placed in the request header of the GIS service access request, such as key: an authorization key. It will be appreciated that the request header may also include, for example, host: GIS server address, user-Agent: information such as the type of application that generated the request, and the like, which is not limiting to the present disclosure.

The authorization key is a key distributed to the target application program by the host server, wherein the target server corresponds to the target application program, the target application program is registered on the host server corresponding to the host application program in advance. Different target applications correspond to different authorization keys. If the user triggers the target application program on the terminal device for the first time, the terminal device can acquire the authorization key from the target server, and if the user triggers the target application program on the terminal device before, the terminal device can directly read the authorization key from the cache or acquire the authorization key from the target server. In the disclosed embodiment, the authorization key may be an algorithmically generated 16-ary or 32-ary string that is used to uniquely identify the client application.

When the client application program requests the GIS service, the authorization key of the client application program is arranged at the server, so that the authorization key can be prevented from being attacked at the client, for example, malicious users can be prevented from stealing the authorization key in a decompiling mode, a source code viewing mode and the like, and the security of GIS service access is improved. Moreover, the user browsing history is not exposed by using the authorization key at the server, and the user privacy can be protected.

The proxy server can forward the configured GIS service access request to the GIS server, namely, proxy the GIS service access request carrying the authorization key to the GIS server, so that the GIS server can provide GIS service for the client application program. For example, the data exchange module of the GIS server may verify the validity of the authorization key to determine whether to provide GIS services to the client application.

In step S230, the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service to the client application program after the verification is passed.

After the GIS server receives the configured GIS service access request forwarded by the proxy server, a request header in the GIS service access request may be obtained, where the request header includes an authorization key of a client application program requesting GIS service. The data exchange module of the GIS server may verify the authorization key of the client application. For example, the received authorization key may be matched with an authorization key stored in the GIS server, if the authorization key corresponding to the client application is matched in the GIS server, indicating that the authentication is passed, the computing service module of the GIS server may provide GIS service to the client application, otherwise the computing service module may refuse to provide GIS service to the client application.

The invention provides a GIS cloud platform service architecture based on a component development mode and with server authentication as an authentication means, and the access control method of GIS services realized by applying the GIS cloud platform service architecture can solve the problems of web-based application authentication and user privacy protection. By placing the authorization key of the client application program on the server, the authorization key can be prevented from being attacked at the client, and the security of GIS service access is improved. Moreover, through freely configuring the GIS functional components, the target service requested by the user can be flexibly provided, and the user experience is improved.

In an example embodiment, the client application may include a client application of at least one application type. For example, multiple client applications of the same application type may be deployed at the client application layer. For example, the proxy server may receive GIS service access requests sent by a plurality of client applications of the same application type, and when the proxy service configured by the proxy server is GIS service, the proxy server may configure the same authorization key for the plurality of client applications, and use the authorization key as a request header of each GIS service access request. Taking the web application program to request the GIS service, the proxy server is, for example, an nginnx server, as shown in fig. 3, and the independent deployment of multiple web application programs may be implemented according to steps 310 to 360.

Step S310, installing an Nginx server and hosting a web application program. The plurality of web application programs can be hosted by a plurality of Nginx servers, and a plurality of virtual machines can be created by one Nginx server, and each virtual machine hosts one web application program;

step s320. The nginnx server configures the key request header. The keys may be authorization keys and each nmginx server may configure an authorization key request header for a corresponding one of the web applications. If multiple virtual machines are created by an Nginx server to host multiple web applications, the Nginx server can configure a same authorization key request header for multiple web applications;

step s330. The web application configures the GIS functional component to request GIS services from the proxy server. For example, the service prefix of the GIS function component parameter option may be configured as '/GIS';

step S340, the Nginx server configures GIS proxy service. The nginix server may configure a plurality of proxy services, such as '/GIS' reverse proxy service, and when the nginix server receives a GIS service access request corresponding to the GIS reverse proxy service, a reverse proxy parameter proxy_pass configured by the nginix server may directly point to an address of the GIS server to be accessed;

And S350, forwarding the configured GIS service access request to the GIS server by the Nginx server. The authorization key of the configured Web application program can be put into a request head of a GIS service access request sent by the Web application program, and the GIS service access request carrying the authorization key is forwarded to a GIS server;

and step S360, the GIS server authenticates the authorization key of the Web application program and provides GIS service. The data exchange module of the GIS server may verify the validity of the authorization key to determine whether GIS services are provided to each client application.

In this example embodiment, the GIS service access request sent by the web application to the nmginx server does not carry the authorization key, but the nmginx server places the authorization key in the request header of the GIS service access request such that the GIS service access request sent to the GIS server carries the authorization key. By placing the authorization key of the client application program on the server, the authorization key can be prevented from being attacked at the client, for example, malicious users can be prevented from stealing the authorization key in a decompiling mode, a source code viewing mode and the like, and the security of GIS service access is improved. Moreover, the user browsing history is not exposed by using the authorization key at the server, and the user privacy can be protected. In addition, in step S320, if the nginnx server configures one and the same authorization key request header for a plurality of web applications, the GIS server may uniformly deploy the plurality of web applications according to the authorization key, which is not specifically limited in the present disclosure.

In an example embodiment, a plurality of client application programs of different application types may also be deployed at the client application layer. For example, client applications of three different application types may be included, web applications, native applications, and applets. Referring to fig. 4, a multi-terminal application hybrid deployment of one key multi-use may be implemented according to steps 410 through 460.

Step S410, installing an Nginx server and hosting a client application program. For example, one nmginx server may create multiple virtual machines, each hosting a client application of one application type;

step s420. The nginnx server configures a key request header. The ng ix server can perform unified configuration on key request headers of three client application programs with different application types, that is, can configure the same authorization key for the three client application programs with different application types;

step S430, the client application program configures the GIS function component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS function component parameter option to '/GIS', and the request address issued by the native application and applet may be set to "http:// -)/GIS";

Step S440. The Nginx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can directly point to the address of the GIS server to be accessed;

and S450, forwarding the configured GIS service access request to the GIS server by the Nginx server. The configured authorization key can be put into a request head of a GIS service access request sent by each application program, and the GIS service access request carrying the authorization key is forwarded to a GIS server;

and step S460, the GIS server authenticates the authorization key and provides GIS service. The data exchange module of the GIS server may verify the validity of the authorization key to determine whether GIS services are provided to each client application.

In this example embodiment, the GIS service access requests sent by each client application to the nmginx server do not carry the authorization key, but rather the nmginx server places the authorization key in the request header of the GIS service access request such that the GIS service access request sent to the GIS server carries the authorization key. Because the key (authorization key) is stored in the client background server, namely the proxy server, the client with multiple application program types can be simultaneously served, and one key is multipurpose in a unified server deployment mode. When one key is multipurpose, the authorized key can be prevented from being attacked at the client, and the security of GIS service access is improved.

In an exemplary embodiment, the data exchange module of the GIS server may further identify the source of the request according to the authorization key, so as to allocate resources to the corresponding client application program. For example, the client application layer may deploy client applications of a plurality of different application types. When the proxy server receives a GIS service access request sent by a client application program, an authorization key and an application program type configured for the client application program can be obtained. When the proxy service configured by the proxy server is GIS service, the proxy server can take the authorization key and the application type of the client application program as the request header of the GIS service access request, so that the GIS server can allocate resources to the client application program according to the application type and the authorization key of the client application program.

After the GIS server receives the configured GIS service access request forwarded by the proxy server, a request header in the GIS service access request can be obtained, wherein the request header contains an authorization key and an application type of a client application program requesting GIS service. The data exchange module of the GIS server can verify the authorization key of the client application program, and after the verification is passed, the computing service module of the GIS server can determine the resource allocation magnitude corresponding to the application program type of the client application program according to the preset resource allocation rule, and allocate the resources to the client application program according to the resource allocation magnitude. For example, in the preset resource allocation rule, the resource allocation level corresponding to the web application program is a level a, the resource allocation level corresponding to the native application program is a level B, the resource allocation level corresponding to the applet is a level C, and different resources can be loaded or different designated resources can be cached corresponding to different resource allocation levels. For example, a first map resource of 50M may be loaded when the resource allocation level is level a, a second map resource of 10M may be loaded when the resource allocation level is level B, and a first map resource of 1M may be loaded when the resource allocation level is level C. For another example, 100 GIS services may be requested from the GIS server when the resource allocation level is level a, 50 GIS services may be requested from the GIS server when the resource allocation level is level B, and 20 GIS services may be requested from the GIS server when the resource allocation level is level C. The user may set the resource allocation level differently according to the actual requirement, which is not specifically limited in this disclosure.

By way of example, client applications of three different application types may be included, web applications, native applications, and applets. Referring to fig. 5, quota accurate control may be implemented in accordance with steps 510 through 560 based on multi-terminal application hybrid deployment, in conjunction with preset resource allocation rules.

And S510, installing an Nginx server and hosting a client application program.

Step S520. The Nginx server configures a key request header and an application type request header. Each ng inx server may configure an authorization key request header for each client application, and may also configure an application type request header for each client application;

step S530, the client application program configures the GIS function component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS function component parameter option to '/GIS', and the request address issued by the native application and applet may be set to "http:// -)/GIS";

step S540, the Nginx server configures GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can directly point to the address of the GIS server to be accessed;

And S550, forwarding the configured GIS service access request to the GIS server by the Nginx server. The configured authorization key and application program type can be placed in a request head of a GIS service access request sent by each application program, and the GIS service access request carrying the authorization key and the application program type is forwarded to a GIS server;

and step S560, the GIS server authenticates the authorization key and allocates resources to each client application program according to the application program type. The data exchange module of the GIS server can verify the validity of the authorization key, and after the authorization key passes the verification, the request source can be identified according to the application program type, and quota consumption statistics is performed, so that the computing service module of the GIS server can respectively perform quota control on different client side application programs, for example, data layering quota control can be realized by combining the cache function of the GIS server. For example, different client applications can load different map resources or cache designated resources, and unnecessary quota consumption caused by excessive resource allocation in a high concurrency scene can be avoided.

In this example embodiment, the GIS service access requests sent by each client application to the nmginx server do not carry the authorization key, but rather the nmginx server places the authorization key in the request header of the GIS service access request such that the GIS service access request sent to the GIS server carries the authorization key. By adopting a cross-domain limiting mechanism of a web server (proxy server), domain control is automatically carried out by the web server, quota embezzled by malicious users can be prevented, and the security of GIS service access is increased.

In an example embodiment, the data exchange module in the GIS server may also implement statistics of user data by counting the request sources, and accurately provide personalized services for the user. For example, the client application layer may deploy a plurality of client applications with different application types, and when the proxy server receives a GIS service access request sent by the client application, the proxy server may obtain an authorization key configured for the client application and a user identifier of a target user. When the proxy service configured by the proxy server is GIS service, the proxy server can take the authorization key of the client application program and the user identification of the target user as the request header of the GIS service access request, so that the GIS server performs resource allocation on the client application program according to the application program type and the authorization key of the client application program, and the GIS server counts the user information of the target user according to the user identification of the target user and the authorization key of the client application program.

After the GIS server receives the configured GIS service access request forwarded by the proxy server, a request header in the GIS service access request can be obtained, wherein the request header contains an authorization key of a client application program requesting GIS service and a user identifier of a target user. The data exchange module of the GIS server can verify the authorization key of the client application program, and after the verification is passed, the calculation service module of the GIS server can count the user information of the user according to the user identification of the target user, and provide corresponding GIS service for the target user according to the user information of the target user. For example, the historical travel route of the target user may be obtained according to the user identifier of the target user, and correspondingly, the road condition prediction service for the historical travel route may be provided for the target user, or the historical travel location of the target user, such as a plurality of scenic spots visited by the user, may be obtained according to the user identifier of the target user, and correspondingly, the scenic spot recommendation service may be provided for the target user. It should be noted that, when the GIS server records the user information, the GIS server needs to be agreed by the user.

For example, client applications of three different application types may be included, web applications, native applications, and applets. Referring to fig. 6, user information may be counted according to steps 610 through 660 and more precise personalized services may be provided to the user.

Step S610, installing an Nginx server and hosting a client application program.

Step S620. The Nginx server configures a key request header and a token request header. Key is an authorization Key that can uniquely identify the client application, token is a user identification, and can uniquely identify the user. Each ng inx server can configure an authorization key request header for each client application program, and can also configure a user identification request header for each client application program;

step S630, the client application configures the GIS functional component to request GIS service from the proxy server. For example, the web application may configure the service prefix of the GIS function component parameter option to '/GIS', and the request address issued by the native application and applet may be set to "http:// -)/GIS";

step s640. The nginnx server configures the GIS proxy service. When the Nginx server receives a GIS service access request corresponding to the GIS reverse proxy service, the reverse proxy parameter proxy_pass configured by the Nginx server can directly point to the address of the GIS server to be accessed;

And S650, forwarding the configured GIS service access request to the GIS server by the Nginx server. The configured authorization key and the user identifier can be placed in the request header of the GIS service access request sent by each application program, and the GIS service access request carrying the authorization key and the user identifier is forwarded to the GIS server;

and step S660, the GIS server authenticates the authorization key and provides personalized GIS service for the target user according to the user identification. The data exchange module of the GIS server can verify the validity of the authorization key, after the authorization key passes the verification, the user data can be counted according to the combination of the authorization key and the user identifier, such as the journey, the positioning data and the like of the user can be counted, and personalized service can be provided for the user more accurately according to the user data obtained through counting.

In this example embodiment, the GIS service access requests sent by each client application to the nmginx server do not carry the authorization key, but rather the nmginx server places the authorization key in the request header of the GIS service access request such that the GIS service access request sent to the GIS server carries the authorization key. By adopting a cross-domain limiting mechanism of the web application program, the web application program automatically performs domain control and combines the user identification of the proxy server to perform flow filtering, thereby preventing malicious users from embezzling quota and improving the security of GIS service access. In addition, the traffic filtering is moved forward from the GIS server to the client (web application program), so that the pressure of the GIS server can be reduced, and the efficiency of the GIS server for providing services is improved.

It should be noted that although the steps of the methods in the present disclosure are depicted in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.

Further, in this example embodiment, an access control device for a GIS service is also provided. Referring to fig. 7, the access control apparatus 700 of GIS service may include a service request receiving module 710, a service request configuring module 720, and a service request processing module 730, wherein:

a service request receiving module 710, configured to receive a GIS service access request, where the GIS service access request is generated by a client application configuring a GIS functional component;

the service request configuration module 720 is configured to configure the GIS service access request according to the authorization key of the client application program by the proxy server, and forward the configured GIS service access request to the GIS server;

and the service request processing module 730 is configured to verify the configured GIS service access request by using the GIS server, and provide the corresponding GIS service to the client application program after the verification is passed.

In an alternative embodiment, service request configuration module 720 includes:

a first data acquisition unit, configured to acquire an authorization key of the client application program;

and the first request configuration unit is used for taking the authorization key of the client application program as a request head of the GIS service access request when the proxy service configured by the proxy server is GIS service.

and the second request configuration unit is used for configuring the same authorization key for a plurality of client application programs when the proxy service configured by the proxy server is GIS service, and taking the authorization key as a request head of the GIS service access request.

In an alternative embodiment, the client application includes a client application of at least one application type, and the service request configuration module 720 includes:

the second data acquisition unit is used for acquiring the authorization key and the application type of the client application;

and the third request configuration unit is used for taking the authorization key and the application type of the client application program as the request header of the GIS service access request when the proxy service configured by the proxy server is GIS service.

a third data acquisition unit, configured to acquire an authorization key of the client application program and a user identifier of a target user;

and the fourth request configuration unit is used for taking the authorization key of the client application program and the user identification of the target user as request heads of the GIS service access request when the proxy service configured by the proxy server is GIS service.

In an alternative embodiment, the service request processing module 730 includes:

the first request head acquisition module is used for acquiring a request head in the configured GIS service access request by the GIS server, wherein the request head contains an authorization key of the client application program;

and the first task providing module is used for verifying the authorization key of the client application program, and providing GIS service for the client application program after the verification is passed.

the second request head acquisition module is used for acquiring a request head in the configured GIS service access request by the GIS server, wherein the request head comprises an authorization key and an application type of the client application;

the second task providing module is used for verifying the authorization key of the client application program; after verification is passed, determining a resource allocation magnitude corresponding to the application program type of the client application program according to a preset resource allocation rule; and carrying out resource allocation on the client application program according to the resource allocation magnitude.

A third request header obtaining module, configured to obtain, by the GIS server, a request header in the configured GIS service access request, where the request header includes an authorization key of the client application program and a user identifier of a target user;

a third task providing module, configured to verify an authorization key of the client application; after verification is passed, user information of the target user is counted according to the user identification of the target user; and providing corresponding GIS service for the target user according to the user information of the target user.

The specific details of each module in the above-mentioned access control device for GIS service are already described in detail in the corresponding access control method for GIS service, so that they will not be described here again.

The modules in the device may be general purpose processors, including: a central processor, a network processor, etc.; but also digital signal processors, application specific integrated circuits, field programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. The modules may also be implemented in software, firmware, etc. The processors in the device may be independent processors or may be integrated together.

Exemplary embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification. In some possible implementations, aspects of the present disclosure may also be implemented in the form of a program product comprising program code for causing an electronic device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the "exemplary methods" section of this specification, when the program product is run on an electronic device. The program product may employ a portable compact disc read-only memory (CD-ROM) and comprise program code and may be run on an electronic device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The exemplary embodiment of the disclosure also provides an electronic device capable of implementing the method. An electronic device 800 according to such an exemplary embodiment of the present disclosure is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.

As shown in fig. 8, the electronic device 800 may be embodied in the form of a general purpose computing device. Components of electronic device 800 may include, but are not limited to: at least one processing unit 810, at least one memory unit 820, a bus 830 connecting the different system components (including memory unit 820 and processing unit 810), and a display unit 840.

The storage unit 820 stores program code that can be executed by the processing unit 810, so that the processing unit 810 performs steps according to various exemplary embodiments of the present disclosure described in the above section of the "exemplary method" of the present specification. For example, processing unit 810 may perform any one or more of the method steps of fig. 2-7.

Storage unit 820 may include readable media in the form of volatile storage units such as Random Access Memory (RAM) 821 and/or cache memory unit 822, and may further include Read Only Memory (ROM) 823.

The storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, such program modules 825 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.

Bus 830 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.

The electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 800, and/or any device (e.g., router, modem, etc.) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 850. Also, electronic device 800 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 860. As shown, network adapter 860 communicates with other modules of electronic device 800 over bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 800, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.

From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the exemplary embodiments of the present disclosure.

Furthermore, the above-described figures are only schematic illustrations of processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.

It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.

It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims

1. An access control method for a GIS service, comprising:

the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server; the authorization key is a key which is distributed to the client application program through a registration server, wherein the target server corresponds to the client application program and registers the client application program in advance;

2. The GIS service access control method according to claim 1, wherein the proxy server configures the GIS service access request according to an authorization key of the client application, comprising:

Acquiring an authorization key of the client application program;

3. The GIS service access control method according to claim 1, wherein the proxy server configures the GIS service access request according to an authorization key of the client application, comprising:

4. The GIS service access control method according to claim 1, wherein the client application includes a client application of at least one application type, and the proxy server configures the GIS service access request according to an authorization key of the client application, including:

5. The GIS service access control method according to claim 1, wherein the proxy server configures the GIS service access request according to an authorization key of the client application, comprising:

6. The GIS service access control method according to claim 1, wherein the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service to the client application program after the verification is passed, including:

7. The GIS service access control method according to claim 1, wherein the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service to the client application program after the verification is passed, including:

verifying an authorization key of the client application program;

8. The GIS service access control method according to claim 1, wherein the GIS server verifies the configured GIS service access request, and provides the corresponding GIS service to the client application program after the verification is passed, including:

the GIS server obtains a request header in the configured GIS service access request, wherein the request header comprises an authorization key of the client application program and a user identifier of a target user;

verifying an authorization key of the client application program;

9. An access control device for a GIS service, comprising:

the service request configuration module is used for configuring the GIS service access request according to the authorization key of the client application program by the proxy server and forwarding the configured GIS service access request to the GIS server; the authorization key is a key which is distributed to the client application program through a registration server, wherein the target server corresponds to the client application program and registers the client application program in advance;

10. A GIS cloud platform service architecture, characterized in that the GIS cloud platform service architecture comprises a client application layer, a GIS capability layer and a GIS service layer, the client application layer comprising at least one client application program, the GIS capability layer comprising at least one GIS functional component, wherein,

The client application layer is used for receiving a GIS service access request, wherein the GIS service access request is generated by configuring a GIS functional component by a client application program; the proxy server configures the GIS service access request according to the authorization key of the client application program, and forwards the configured GIS service access request to a GIS server; the authorization key is a key which is distributed to the client application program through a registration server, wherein the target server corresponds to the client application program and registers the client application program in advance;

11. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1-8.

12. An electronic device, comprising:

a processor; and

a memory for storing executable instructions of the processor;

wherein the processor is configured to perform the method of any of claims 1-8 via execution of the executable instructions.