CN114024755B - Service access control method, device, equipment and computer readable storage medium - Google Patents

Publication number
CN114024755B
Authority
CN
China
Prior art keywords
user
information
service
request
legal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111318418.3A
Other languages
Chinese (zh)
Other versions
CN114024755A (en)
Inventor
赵帅鹏
党帆
李朋伟
赵昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a service access control method, apparatus, device, and computer-readable storage medium, the method comprising: configuring system information; receiving an access request sent by a user terminal, identifying the user identity and updating the system information; and providing corresponding service according to the updated system information. Because the system information is configured uniformly, the user identity information and authority information of each proxy gateway need not be maintained independently, which improves system maintenance efficiency and thereby the usability of the system.

Description

Service access control method, device, equipment and computer readable storage medium
Technical Field
The present disclosure relates to the field of information communication technologies, and in particular, to a service access control method, apparatus, device, and computer readable storage medium.
Background
With the continuous development of information communication technology, the security of information systems is receiving attention. The authentication of the user identity and the authorization of the access authority are the most important defense lines of the information system security.
Typically, different users have different access rights to the service resources in an internal system, and each proxy gateway in the internal system proxies different service resources.
However, existing user access authorization control methods need to manage the user identity information and the internal system service resources held by each proxy gateway separately, which makes the system difficult to maintain and lowers its usability.
Disclosure of Invention
In order to solve or at least partially solve the above technical problems, the present disclosure provides a service access control method, apparatus, device, and computer-readable storage medium to improve system maintenance efficiency, thereby improving usability of the system.
In a first aspect, an embodiment of the present disclosure provides a service access control method, including:
configuring system information;
receiving an access request sent by a user terminal, identifying the user identity and updating the system information;
and providing corresponding service according to the updated system information.
In a second aspect, an embodiment of the present disclosure provides a service access control apparatus, including:
the configuration module is used for configuring system information;
The authentication module is used for receiving an access request sent by the user terminal, identifying the user identity and updating the system information;
and the service module is used for providing corresponding service according to the updated system information.
In a third aspect, an embodiment of the present disclosure provides a service access control apparatus, including:
A memory;
A processor; and
A computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method according to the first aspect.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium having stored thereon a computer program for execution by a processor to implement the method of the first aspect.
In a fifth aspect, the disclosed embodiments also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implements a service access control method as described above.
The service access control method, the device, the equipment and the computer readable storage medium provided by the embodiment of the disclosure avoid independently maintaining the user identity information and the authority information of each proxy gateway by uniformly configuring the system information, and improve the system maintenance efficiency, thereby improving the usability of the system.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of a service access control method provided in an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of an application scenario provided in an embodiment of the present disclosure;
Fig. 3 is a flowchart of a service access control method according to another embodiment of the present disclosure;
Fig. 4 is a signaling diagram of a service access control method according to another embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a service access control device according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of an embedded device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
User identity authentication and authorization are the most important lines of defense in system security. They confirm the legitimacy and uniqueness of user identities, so that unauthorized persons can be prevented from infiltrating the system, obtaining fraudulent benefits by stealing the protected information in the system, or maliciously destroying the integrity of that information. In general, a plurality of proxy gateways exist in a system network, the system services proxied by each proxy gateway are different, and the access rights of different users to the system services are also different. A system administrator usually sets and maintains the legal user information and access rights information associated with each gateway independently. For example, after a new legal user or new system services are added to the system, the new legal user list and the rights of the new user need to be set in each proxy gateway separately. This process is very cumbersome, identity authentication and rights management easily become confused, and the usability of the system is poor. In addition, when a user accesses different system services proxied by different gateways, the user has to log in to each one separately, which is inefficient and gives a poor user experience. In view of this problem, embodiments of the present disclosure provide a service access control method, which is described below in connection with specific embodiments.
Fig. 1 is a flowchart of a service access control method provided in an embodiment of the present disclosure. The method can be applied to an application scenario shown in fig. 2, where the application scenario includes a server 21 and a device 22, and the device 22 to be upgraded may specifically be a terminal, for example, a smart phone, a palm computer, a tablet computer, a wearable device with a display screen, a desktop computer, a notebook computer, an integrated machine, an intelligent home device, and the like. It can be appreciated that the service access control method provided by the embodiment of the present disclosure may also be applied in other scenarios.
The service access control method shown in fig. 1 is described below in conjunction with the application scenario shown in fig. 2, where the method includes the following specific steps:
S101, configuring system information.
Optionally, the system information includes legal user identity information, system service information proxied by each proxy gateway, and authority information corresponding to each legal user identity.
The system information is configured in the server 21. The system information comprises legal user identity information, which is used for determining whether a user is a legal user recognized by the system. The system information also includes the system service information proxied by each proxy gateway in the server 21. In a typical system network there are multiple proxy gateways and multiple system services; each proxy gateway proxies one or more system services, and the system services proxied by each proxy gateway are different. The system service information proxied by each proxy gateway therefore needs to be configured, so that each proxy gateway proxies its own corresponding system services. The system information also comprises authority information corresponding to each legal user identity. A system may have a plurality of legal users, each with different access rights to the services in the system; for example, some legal users may only access some of the services in the system, while other legal users may access all of them. Therefore, the authority information corresponding to each legal user identity needs to be configured, and system services within the authority range of the legal user are provided according to the authority information. After the configuration of the system information is completed in the server 21, the system information is synchronized into each proxy gateway.
S102, receiving an access request sent by a user terminal, identifying the user identity and updating the system information.
The device 22 sends an access request carrying user identity information to the server 21, and after the server 21 receives the access request, the server 21 compares the user identity information with legal user identity information configured in S101, identifies the user identity, and updates the system information.
S103, providing corresponding services according to the updated system information.
The server 21 provides the corresponding system service to the device 22 according to the updated system information acquired in S102.
The embodiment of the disclosure configures system information; receiving an access request sent by a user terminal, identifying the user identity and updating the system information; corresponding services are provided according to the updated system information, and because the system information is uniformly configured, the independent maintenance of user identity information and authority information of each proxy gateway is avoided, and the system maintenance efficiency is improved, so that the usability of the system is improved.
On the basis of the above embodiment, receiving the access request sent by the user terminal, identifying the user identity, and updating the system information includes: if the user is a legal user, allowing the access request and generating a unique user identifier, wherein the user identifier comprises a corresponding relation with the legal user identity information; or if the user is an illegal user, rejecting the access request.
The device 22 sends an access request carrying user identity information to the server 21, where the user identity information may be any information that can prove the user identity, such as an account password, a password, or a certificate, and this embodiment is not limited thereto. The system information configured in step S101 includes legal user identity information, and the server 21 compares the user identity information carried in the request with the legal user identity information in the configured system information, so as to determine whether the user currently initiating the request is a legal user. If the comparison confirms that the user is a legal user, the server 21 allows the access request and generates a unique user identifier, wherein the user identifier comprises a corresponding relation with the legal user identity. According to the correspondence, the server 21 may obtain the access rights of the current user to the services in the system, and synchronize the user identifier and the accessible system services to the corresponding proxy gateway in the system, where the corresponding proxy gateway stores the user identifier in the legal user list. At the same time, the server 21 synchronizes the user identifier and the system service information proxied by each proxy gateway to the device 22. It will be appreciated that the user identifier is absolutely unique: even for the same legal user, the user identifier generated each time an access request is allowed is different. If the user is not a legal user in the system, the server 21 denies the access request.
Optionally, the providing the corresponding service according to the updated system information includes: receiving a service request sent by a user terminal, wherein the service request comprises the user identification and target service information; and providing corresponding service based on the user identification and the target service information.
Further, based on the user identification and the target service information, providing the corresponding service includes: if the user identification and the target service information accord with the authority information, providing a service corresponding to the target service information; or if the user identification and the target service information do not accord with the authority information, rejecting the service request.
After passing the user identity validity check, the terminal 22 initiates a request for acquiring a system service to the server 21. Specifically, the terminal 22 sends a user service request to the corresponding proxy gateway in the server 21 according to the system service information proxied by each proxy gateway synchronized in step S103, where the user service request includes the user identifier and the target service information representing the system service that the user requests to access. And after receiving the user service request, the corresponding proxy gateway judges whether the user has permission to access the system service requested to be accessed according to the legal user list and the permission information corresponding to each legal user identity synchronized in S101. If the target service is within the authority range of the legal user, the proxy gateway initiates a request to the corresponding system service, and after receiving the system service response, the proxy gateway forwards the system service data to the device 22 through the data reverse proxy, so that the user can process the data through the device 22; if the target service is not within the authority range of the legal user, the proxy gateway terminates the communication.
In the embodiment of the disclosure, receiving the access request sent by the user terminal, identifying the user identity and updating the system information comprises: if the user is a legal user, allowing the access request and generating a unique user identifier, wherein the user identifier comprises a corresponding relation with the legal user identity information; or if the user is an illegal user, rejecting the access request. Providing corresponding service according to the updated system information comprises: receiving a service request sent by a user terminal, wherein the service request comprises the user identifier and target service information; and providing corresponding service based on the user identifier and the target service information. Providing the corresponding service based on the user identifier and the target service information comprises: if the user identifier and the target service information accord with the authority information, providing a service corresponding to the target service information; or if the user identifier and the target service information do not accord with the authority information, rejecting the service request. After the user passes the identity validity check, the proxy gateway performs a second check on the service request initiated by the user and on the authority of the user. In this way, on the premise of ensuring system security, the user can access all system services that conform to the user's authority without performing the identity verification operation again, which improves working efficiency and ensures a good user experience.
Fig. 3 is a flowchart of a service access control method according to another embodiment of the present disclosure. As shown in fig. 3, the method includes:
S301, configuring system information.
S302, receiving an access request sent by a user terminal, identifying the user identity and updating the system information.
S303, providing corresponding services according to the updated system information.
Specifically, the implementation processes and principles of S301 to S303 and S101 to S103 are identical, and are not described here again.
S304, receiving an offline request sent by a user terminal, wherein the offline request comprises a user identifier.
After the user finishes processing the system service data, the device 22 sends an offline request to the server 21, where the offline request includes the user identifier generated in S302 and synchronized to the device 22. It will be appreciated that the user actively clicking to go offline, directly closing an application or web page, or otherwise closing the service process triggers the device 22 to issue an offline request to the server 21.
S305, deleting the user identification from the system information.
After receiving the offline request sent by the device 22, the server 21 identifies the user identifier contained in the request and deletes the user identifier from the legal user list.
The embodiment of the disclosure configures system information; receives an access request sent by a user terminal, identifies the user identity and updates the system information; provides corresponding service according to the updated system information; receives an offline request sent by the user terminal, wherein the offline request comprises a user identifier; and deletes the user identifier from the system information. A user can thus access all system services within the user's authority through a single verification, and after the service is finished the server deletes the user identifier used in that access. Because the user identifier is unique, each time the user logs in to the system to request a system service the server can verify the user identifier generated for that login and its authority information, without requiring any operation by the user, so that the security of the system is further improved on the premise of ensuring user experience and efficiency.
Fig. 4 is a signaling diagram of a service access control method according to another embodiment of the present disclosure. The server 21 includes an authentication gateway, a plurality of proxy gateways, and a system service. It will be appreciated that the proxy gateway 1 and the proxy gateway 2 in fig. 4 represent proxy gateways for two different proxy system services, which are used as examples only in this embodiment, and any number of proxy gateways may be present during actual use, depending on the system requirements. As shown in fig. 4, the method includes:
S401, configuring system information by an authentication gateway.
Specifically, the system information includes legal user identity information, which is used for determining whether a user is a legal user recognized by the system. The system information also includes the system service information proxied by each proxy gateway in the server 21. In a typical system network there are multiple proxy gateways and multiple system services; each proxy gateway proxies one or more system services, and the system services proxied by each proxy gateway are different. The system service information proxied by each proxy gateway therefore needs to be configured, so that each proxy gateway proxies its own corresponding system services. The system information also comprises authority information corresponding to each legal user identity. A system may have a plurality of legal users, each with different access rights to the services in the system; for example, some legal users may only access some of the services in the system, while other legal users may access all of them. It is therefore necessary to configure the authority information corresponding to each legal user identity, so that the legal user can be provided with the system services within the user's authority.
S402, the authentication gateway synchronizes the system information to the proxy gateway 1.
S403, the authentication gateway synchronizes the system information to the proxy gateway 2.
After the system information is configured, the authentication gateway synchronizes the system information into each proxy gateway. It should be noted that S402 and S403 may be executed simultaneously or sequentially; this embodiment does not limit the order, so either S402 or S403 may be executed first.
S404, the user initiates an access request through the user terminal.
S405, the user sends an access request to the authentication gateway.
S406, the authentication gateway receives the access request sent by the user terminal, identifies the user identity and updates the system information. Wherein the system information includes a user identification.
Specifically, if the user is a legal user, the access request is allowed and a unique user identifier is generated, wherein the user identifier comprises a corresponding relation with the legal user identity information; or if the user is an illegal user, the access request is rejected.
The user sends an access request to the authentication gateway through the user terminal. After receiving the access request, the authentication gateway compares the user identity information carried in the request with the legal user identity information in the system information configured in S401, so as to determine whether the user currently initiating the request is a legal user. If the comparison shows that the user is a legal user, the authentication gateway allows the access request and at the same time generates a unique user identifier, which contains a corresponding relation with the legal user identity. It will be appreciated that the user identifier is absolutely unique: even for the same legal user, the user identifier generated each time an access request is allowed is different. If the comparison shows that the user is not a legal user in the system, the authentication gateway refuses the access request.
S407, the authentication gateway synchronizes the updated system information to the user terminal.
The authentication gateway synchronizes the user identification and the system service information proxied by each proxy gateway to the user terminal.
S408, the authentication gateway synchronizes the user identification to the proxy gateway 1.
Because the user identifier contains the corresponding relation with the legal user identity, the authentication gateway can acquire the access right of the current user to the service in the system and synchronize the user identifier to the corresponding proxy gateway 1 in the system.
S409, the proxy gateway 1 stores the user identification into a legal user list.
After receiving the user identification, the proxy gateway 1 stores the user identification into a legal user list.
S410, the authentication gateway synchronizes the user identification to the proxy gateway 2.
Because the user identifier contains the corresponding relation with the legal user identity, the authentication gateway can acquire the access right of the current user to the service in the system and synchronize the user identifier to the corresponding proxy gateway 2 in the system.
S411, the proxy gateway 2 stores the user identification in the legal user list.
After receiving the user identification, the proxy gateway 2 stores the user identification into a legal user list.
It is to be understood that S408 and S410 may be executed simultaneously or sequentially; this embodiment does not limit the order, so either S408 or S410 may be executed first.
S412, the user initiates a service request through the user terminal.
After passing the identity information authentication, the user initiates a system service request through the user terminal.
S413, the user terminal sends a service request to the corresponding proxy gateway.
The user terminal sends the user service request to the corresponding proxy gateway according to the system service information proxied by each proxy gateway synchronized in S407. In this embodiment, the corresponding proxy gateway is the proxy gateway 1. The user service request includes a user identifier and target service information representing a system service to which the user requests access.
S414, the proxy gateway 1 provides the corresponding service based on the user identifier and the target service information in the service request.
After receiving the user service request, the proxy gateway 1 determines whether the user has permission to access the system service requested to be accessed according to the legal user list and the permission information corresponding to each legal user identity synchronized in S402. If the target service is within the authority range of the legal user, the proxy gateway 1 provides the corresponding service; if the target service is not within the authority of the legitimate user, the proxy gateway 1 terminates the communication.
S415, the proxy gateway 1 transmits the service request to the system service.
S416, the system service responds to the service request.
S417, the system service returns the response to the corresponding user service request.
S418, the proxy gateway 1 performs data reverse proxy on the service request response.
S419, the proxy gateway 1 transmits the system service data to the user terminal.
S420, the user processes data through the user terminal.
The proxy gateway 1 initiates a request to a corresponding system service, and after receiving a system service response, forwards system service data to the user terminal through a data reverse proxy, so that the user can process the data through the user terminal.
S421, the user initiates an offline request through the user terminal.
After the user finishes processing the system service data, an offline request is sent to the authentication gateway through the user terminal.
S422, the user terminal sends the offline request to the authentication gateway.
S423, the authentication gateway receives the offline request sent by the user terminal, wherein the offline request comprises a user identifier.
After receiving the offline request sent by the user terminal, the authentication gateway identifies the user identifier contained in the request and sends the user identifier to the corresponding proxy gateway in the system, for example, the proxy gateway 1 and the proxy gateway 2.
S424, the authentication gateway sends the user identification in the offline request to the proxy gateway 1.
S425, the proxy gateway 1 deletes the user identifier from the legal user list.
S426, the authentication gateway sends the user identification in the offline request to the proxy gateway 2.
S427, the proxy gateway 2 deletes the user identification from the legal user list.
After receiving the user identifier sent by the authentication gateway, the proxy gateway 1 and the proxy gateway 2 each delete the user identifier from their own legal user list. It is to be understood that S424 and S426 may be executed simultaneously or sequentially; this embodiment does not limit the order, and either S424 or S426 may be executed first.
The embodiment of the disclosure configures system information; receives an access request sent by a user terminal, identifies the user identity and updates the system information, wherein the system information comprises the user identity; provides the corresponding service based on the user identifier and the target service information; and receives an offline request sent by the user terminal, wherein the offline request comprises a user identifier. After the authentication gateway has verified the legitimacy of the user's identity, the proxy gateway performs a second check on the service request initiated by the user and on the user's permission, so that, while system security is ensured, the user can access all system services within that permission without performing the identity authentication operation again, which improves working efficiency and ensures a good user experience. In addition, after the user initiates the offline request, the proxy gateway deletes the user identifier used in that access. Because the user identifier is unique, each time the user logs in to the system and requests a system service, the proxy gateway checks the user identifier of the current access and its permission information. This process requires no operation by the user, so the security of the system is further improved while user experience and efficiency are preserved.
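The flow of S414 to S427 can be modeled as follows. This Python model is an added example, not code from the patent; the class and method names, the service names and the demo credential are assumptions made for illustration, and the plain credential comparison stands in for whatever authentication the gateway really performs.

```python
import secrets

class ProxyGateway:
    """Holds the legal user list synchronized from the authentication gateway."""
    def __init__(self, name, services):
        self.name = name
        self.services = set(services)   # system services this gateway proxies
        self.legal_users = {}           # user identifier -> permitted services

    def sync_user(self, user_id, allowed):
        self.legal_users[user_id] = set(allowed) & self.services

    def delete_user(self, user_id):
        self.legal_users.pop(user_id, None)

    def handle(self, user_id, service):
        # Second check: the identifier must be in the legal user list and the
        # target service must be within that user's permission.
        allowed = self.legal_users.get(user_id)
        if allowed is None or service not in allowed:
            return "terminated"
        return f"{self.name} -> {service}"

class AuthGateway:
    def __init__(self, credentials, permissions, gateways):
        self.credentials = credentials  # legal user identity info (constructed)
        self.permissions = permissions  # identity -> permitted services
        self.gateways = gateways
        self.sessions = {}              # user identifier -> legal user identity

    def login(self, user, password):
        expected = self.credentials.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None                 # illegal user: reject the access request
        user_id = secrets.token_urlsafe(32)  # different on every allowed access
        self.sessions[user_id] = user
        allowed = self.permissions.get(user, set())
        for gw in self.gateways:
            if gw.services & allowed:   # sync only to the corresponding gateways
                gw.sync_user(user_id, allowed)
        return user_id

    def logout(self, user_id):
        # Offline request: drop the identifier everywhere it was synchronized.
        if self.sessions.pop(user_id, None) is None:
            return False
        for gw in self.gateways:
            gw.delete_user(user_id)
        return True

def build_demo():
    # Constructed sample configuration (hypothetical services and user).
    gw1 = ProxyGateway("gw1", {"mail", "wiki"})
    gw2 = ProxyGateway("gw2", {"payroll"})
    auth = AuthGateway({"alice": "constructed-pw"},
                       {"alice": {"mail", "payroll"}}, [gw1, gw2])
    return auth, gw1, gw2
```

Because the identifier is regenerated on each login and removed on the offline request, an identifier captured from an earlier session is rejected by every proxy gateway.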
Fig. 5 is a schematic structural diagram of a service access control device according to an embodiment of the present disclosure. The service access control apparatus may execute a process flow provided by an embodiment of a service access control method, as illustrated in fig. 5, where the service access control apparatus 500 includes: a configuration module 510, an authentication module 520, a service module 530; the configuration module 510 is configured to configure system information, the authentication module 520 is configured to receive an access request sent by a user terminal, identify a user identity, update the system information, and the service module 530 is configured to provide a corresponding service according to the updated system information.
Optionally, the configuration module 510 is specifically configured to: configure legal user identity information, system service information proxied by each proxy gateway and permission information corresponding to each legal user identity.
Optionally, the authentication module 520 is configured to: if the user is determined to be a legal user, allow the user request and generate a unique user identifier, wherein the user identifier comprises a corresponding relation with the legal user identity information; or, if the user is determined to be an illegal user, reject the access request.
Optionally, the service module 530 further includes: a receiving unit 531, configured to receive a service request sent by a user terminal, where the service request includes the user identifier and target service information; and a service unit 532, configured to provide a corresponding service based on the user identifier and the target service information.
Optionally, the service unit 532 is further configured to: confirm that the user identifier and the target service information conform to the permission information, and provide the service corresponding to the target service information; or confirm that the user identifier and the target service information do not conform to the permission information, and reject the service request.
Optionally, the service access control device further includes a cancellation module 540, configured to: receive an offline request sent by a user terminal, wherein the offline request comprises a user identifier; and delete the user identifier from the system information.
The service access control device of the embodiment shown in fig. 5 may be used to implement the technical solution of the embodiment of the service access control method, and its implementation principle and technical effects are similar, and are not repeated here.
Fig. 6 is a schematic structural diagram of an embedded device according to an embodiment of the present disclosure. The embedded device may execute the process flow provided by the service access control method embodiment. As shown in Fig. 6, the device 60 includes: a memory 61, a processor 62, a computer program and a communication interface 63; wherein the computer program is stored in the memory 61 and configured to be executed by the processor 62 to implement the service access control method as described above.
In addition, the embodiment of the present disclosure also provides a computer-readable storage medium having stored thereon a computer program that is executed by a processor to implement the service access control method described in the above embodiment.
Furthermore, the disclosed embodiments also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implements a service access control method as described above.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A method of service access control, the method comprising:
configuring system information, wherein the system information comprises legal user identity information, system service information proxied by each proxy gateway and authority information corresponding to each legal user identity;
after the configuration of the system information is completed, synchronizing the system information to each proxy gateway;
receiving an access request sent by a user terminal, identifying the user identity and updating the system information;
receiving a service request sent by a user terminal, wherein the service request comprises a user identifier and target service information;
providing corresponding services based on the user identification and the target service information;
the receiving the access request sent by the user terminal, identifying the user identity, and updating the system information comprises the following steps:
if the user is a legal user, allowing the user request and generating a unique user identifier, wherein the user identifier comprises a corresponding relation with legal user identity information, and the user identifiers generated after the same legal user is allowed to access each time are different;
according to the corresponding relation, the access authority of the user to the service in the system is obtained, the user identification and the accessible system service are synchronized to corresponding proxy gateways in the system, and the corresponding proxy gateways store the user identification in a legal user list;
the method further comprises the steps of: receiving an offline request sent by a user terminal, wherein the offline request comprises a user identifier;
and deleting the user identification from the system information.
2. The method of claim 1, wherein receiving the access request from the user terminal, identifying the user identity, and updating the system information comprises:
if the user is an illegal user, the access request is refused.
3. The method of claim 1, wherein providing the corresponding service based on the user identification and the target service information comprises:
if the user identification and the target service information accord with the authority information, providing a service corresponding to the target service information;
or if the user identification and the target service information do not accord with the authority information, rejecting the service request.
4. A service access control apparatus, the apparatus comprising:
the configuration module is used for configuring system information, synchronizing the system information into each proxy gateway after the system information is configured, wherein the system information comprises legal user identity information, system service information proxied by each proxy gateway and authority information corresponding to each legal user identity;
the authentication module is used for receiving an access request sent by the user terminal, identifying the user identity and updating the system information;
the service module comprises a receiving unit and a service unit; the receiving unit is used for receiving a service request sent by a user terminal, wherein the service request comprises a user identifier and target service information;
the service unit is used for providing corresponding service based on the user identification and the target service information;
the authentication module is used for:
if the user is determined to be a legal user, allowing the user to request, and generating a unique user identifier, wherein the user identifier comprises a corresponding relation with legal user identity information, and the user identifiers generated after the same legal user is allowed to access each time are different; according to the corresponding relation, the access authority of the user to the service in the system is obtained, the user identification and the accessible system service are synchronized to corresponding proxy gateways in the system, and the corresponding proxy gateways store the user identification in a legal user list;
the device also comprises a cancellation module for: receiving an offline request sent by a user terminal, wherein the offline request comprises a user identifier; and deleting the user identification from the system information.
5. The apparatus of claim 4, wherein the authentication module is to:
and if the user is determined to be an illegal user, rejecting the access request.
6. The apparatus of claim 4, wherein the service unit is further configured to:
confirming that the user identification and the target service information accord with the authority information, and providing the service corresponding to the target service information;
or confirming that the user identification and the target service information do not accord with the authority information, and rejecting the service request.
7. An embedded device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method of any of claims 1-3.
8. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any of claims 1-3.
CN202111318418.3A 2021-11-09 2021-11-09 Service access control method, device, equipment and computer readable storage medium Active CN114024755B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111318418.3A CN114024755B (en) 2021-11-09 2021-11-09 Service access control method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114024755A CN114024755A (en) 2022-02-08
CN114024755B true CN114024755B (en) 2024-06-14

Family

ID=80062486

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111318418.3A Active CN114024755B (en) 2021-11-09 2021-11-09 Service access control method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114024755B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113055367A (en) * 2021-03-08 2021-06-29 浪潮云信息技术股份公司 Method and system for realizing micro-service gateway authentication

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413032B (en) * 2018-09-03 2023-04-07 中国平安人寿保险股份有限公司 Single sign-on method, computer readable storage medium and gateway
CN110311929B (en) * 2019-08-01 2022-01-07 江苏芯盛智能科技有限公司 Access control method and device, electronic equipment and storage medium
CN111400777B (en) * 2019-11-14 2023-05-02 杭州海康威视系统技术有限公司 Network storage system, user authentication method, device and equipment
CN111416826B (en) * 2020-03-24 2020-12-29 江苏易安联网络技术有限公司 System and method for safely releasing and accessing application service

Also Published As

Publication number Publication date
CN114024755A (en) 2022-02-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant