CN114143106A - Approval method and device, electronic equipment and storage medium - Google Patents

Publication number: CN114143106A (granted as CN114143106B, English version available)
Authority: CN (China)
Application number: CN202111484413.8A
Legal status: Granted, active
Original language: Chinese (zh)
Inventor: 任春爱
Current assignees: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignees: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111484413.8A; published as CN114143106A; granted and published as CN114143106B.
Prior art keywords: approval, application, user, token, server

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/10 for controlling access to devices or network resources
        • H04L63/14 for detecting or protecting against malicious traffic
            • H04L63/1408 by monitoring network traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/321 involving a third party or a trusted authority
                • H04L9/3213 using tickets or tokens, e.g. Kerberos
            • H04L9/3226 using a predetermined code, e.g. password, passphrase or PIN

Abstract

The application provides an approval method, an approval apparatus, an electronic device and a storage medium, intended to solve the problem that an approval server is exposed to security risks such as malicious network attacks and information leakage. The method comprises: receiving an approval request sent by a terminal device, the approval request comprising a user identifier and an application identifier; obtaining a user token corresponding to the terminal device according to the user identifier, and obtaining an application token corresponding to the terminal device according to the application identifier; sending the user token and the application token to an approval server, so that the approval server performs approval according to the user token and the application token and returns an approval result; and receiving the approval result sent by the approval server, where the approval result indicates whether the user corresponding to the user identifier has permission to access the application program corresponding to the application identifier.

Description

Approval method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical fields of computer security and network security, and in particular to an approval method, an approval apparatus, an electronic device and a storage medium.
Background
Zero trust is a new generation of network security protection concept. Its key point is to abandon default "trust": by default it trusts no person, device or system inside or outside the enterprise network, and it rebuilds the basis of trust for access control on identity authentication and authorization, so as to establish identity trust, device trust, application trust and link trust.
In current approval methods, a user generally submits an approval request to an approval server through a terminal device. In a zero-trust network environment, however, for example when, for security reasons, the network of the user's terminal device and the network of the approval server are not permitted to communicate directly, or when the approval server and the identity authority system are not in the same network tier, an approval server that can be reached directly by the user's terminal device (that is, an approval server exposed to the user) is subject to security risks such as malicious network attacks and information leakage.
Disclosure of Invention
An object of the embodiments of the present application is to provide an approval method, an approval apparatus, an electronic device and a storage medium, which are used to solve the problem that an approval server is exposed to security risks such as malicious network attacks and information leakage.
The embodiment of the application provides an approval method comprising the following steps: receiving an approval request sent by a terminal device, the approval request comprising a user identifier and an application identifier; obtaining a user token corresponding to the terminal device according to the user identifier, and obtaining an application token corresponding to the terminal device according to the application identifier; sending the user token and the application token to an approval server, so that the approval server performs approval according to the user token and the application token and returns an approval result; and receiving the approval result sent by the approval server, where the approval result indicates whether the user corresponding to the user identifier has permission to access the application program corresponding to the application identifier. In this implementation, the electronic device receives the approval request sent by the terminal device, has the user token and the application token approved according to the approval request, and then controls, according to the approval result, whether the user corresponding to the user identifier has permission to access the application. Because the electronic device relays the approval request sent by the user, the terminal device can interact effectively with the approval server while the approval server is not directly exposed to the user's terminal device; that is, the approval server is protected from the security risks of malicious network attacks and information leakage.
Optionally, in this embodiment of the application, obtaining the user token corresponding to the terminal device according to the user identifier comprises: forwarding the user identifier to an authentication server so that the authentication server returns a user token corresponding to the user identifier; and receiving the user token sent by the authentication server. In this implementation, the user identifier is forwarded to the authentication server, which returns the corresponding user token to the electronic device; the authentication server is therefore never directly exposed to the user's terminal device and is protected from malicious network attacks and information leakage.
Optionally, in this embodiment of the application, obtaining the application token corresponding to the terminal device according to the application identifier comprises: forwarding the user identifier to the authority server so that the authority server returns an application token corresponding to the user identifier; and receiving the application token sent by the authority server. In this implementation, the user identifier is forwarded to the authority server, which returns the corresponding application token to the electronic device; the authority server is therefore never directly exposed to the user's terminal device and is protected from malicious network attacks and information leakage.
Optionally, in this embodiment of the application, after receiving the approval result sent by the approval server, the method further comprises: judging whether the approval result is "approved"; and if so, parsing the permission information corresponding to the user token and the application token from the approval result and sending that permission information to the authority server, so that the authority server updates the permission information corresponding to the user token and the application token. In this implementation, when approval is granted, the permission information is parsed from the approval result and sent to the authority server, which updates the permission information for the user token and the application token promptly; this avoids problems such as unauthorized access caused by stale permission information and improves the security of the permission information.
Optionally, in this embodiment of the application, after receiving the approval result sent by the approval server, the method further comprises: sending the approval result to an audit server so that the audit server audits the approval result. In this implementation, sending the approval result to the audit server ensures that errors in the approval process can be traced, and guarantees that the approval results produced by the approval server are audited.
Optionally, in this embodiment of the application, before receiving the approval request sent by the terminal device, the method further comprises: after the terminal device logs in, obtaining a user identifier and an application list; and sending the user identifier and the application list to the terminal device, so that the terminal device selects the application identifier it needs to access from the application list and generates an approval request from the user identifier and the application identifier.
Optionally, in this embodiment of the present application, receiving the approval request sent by the terminal device comprises: receiving the approval request sent by the terminal device and judging whether it meets a preset condition, the preset condition being that the traffic of the approval request exceeds a preset threshold or that the approval request is a malicious attack; and if the preset condition is not met, parsing the user identifier and the application identifier from the approval request. In this implementation, the approval request undergoes traffic-overload detection and malicious-attack detection, which prevents the electronic device from becoming unavailable through traffic overload, protects it from attacks by the terminal device, and improves the security of the approval requests received by the electronic device.
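The end-to-end flow of the method and its optional steps above, as an added example that is not part of the patent: a Python simulation in which the front server (the patent's electronic device) is the only party that talks to the authentication, authority, approval and audit servers, so the terminal never reaches them directly. The class and field names, the token format, the message shapes and the access policy are assumptions made for the example.

```python
# Added example, not code from the patent: an in-memory simulation of the approval flow
# with a front server between the user's terminal and the back-end servers. A "call" is
# a method invocation tagged with the caller's name, so the example can show that only
# the front server reaches the back-end servers. Names, messages and policy are assumed.

import secrets


class Rejected(Exception):
    pass


def _front_only(caller):
    if caller != "front":
        raise Rejected(f"back-end servers accept requests only from the front server, not {caller!r}")


class AuthenticationServer:
    """Issues one random user token per user identifier; the dicts stand in for its database."""

    def __init__(self, known_users):
        self.known = set(known_users)
        self.by_user, self.by_token = {}, {}

    def user_token(self, caller, user_id):
        _front_only(caller)
        if user_id not in self.known:
            raise ValueError(f"unknown user {user_id!r}")
        if user_id not in self.by_user:
            tok = secrets.token_urlsafe(16)
            self.by_user[user_id], self.by_token[tok] = tok, user_id
        return self.by_user[user_id]


class AuthorityServer:
    """Issues application tokens and stores the permission info that a passed approval yields."""

    def __init__(self):
        self.by_pair, self.by_token, self.permissions = {}, {}, {}

    def application_token(self, caller, user_id, app_id):
        _front_only(caller)
        if (user_id, app_id) not in self.by_pair:
            tok = secrets.token_urlsafe(16)
            self.by_pair[(user_id, app_id)], self.by_token[tok] = tok, (user_id, app_id)
        return self.by_pair[(user_id, app_id)]

    def update_permission(self, caller, user_token, app_token, info):
        _front_only(caller)
        self.permissions[(user_token, app_token)] = info


class ApprovalServer:
    """Approves a (user token, app token) pair; resolves tokens within its own trusted tier."""

    def __init__(self, auth, authority, policy):
        self.auth, self.authority, self.policy = auth, authority, policy  # policy: {(user_id, app_id)}

    def approve(self, caller, user_token, app_token):
        _front_only(caller)
        user_id = self.auth.by_token.get(user_token)
        pair = self.authority.by_token.get(app_token)
        ok = user_id is not None and pair is not None and pair[0] == user_id and pair in self.policy
        result = {"approved": ok}
        if ok:  # permission info that the front server parses out and pushes to the authority server
            result["permission"] = {"user_token": user_token, "app_token": app_token, "access": "allow"}
        return result


class AuditServer:
    def __init__(self):
        self.records = []

    def audit(self, caller, record):
        _front_only(caller)
        self.records.append(record)


class FrontServer:
    """Receives the terminal's approval request, relays tokens and result, updates permissions, audits."""

    def __init__(self, auth, authority, approval, audit):
        self.auth, self.authority, self.approval, self.audit = auth, authority, approval, audit

    def handle_approval_request(self, request):
        user_id, app_id = request["user_id"], request["app_id"]
        user_token = self.auth.user_token("front", user_id)
        app_token = self.authority.application_token("front", user_id, app_id)
        result = self.approval.approve("front", user_token, app_token)
        if result["approved"]:
            self.authority.update_permission("front", user_token, app_token, result["permission"])
        self.audit.audit("front", {"user_id": user_id, "app_id": app_id, "approved": result["approved"]})
        # the terminal only learns the verdict; the tokens never leave the front server
        return {"user_id": user_id, "app_id": app_id, "approved": result["approved"]}


def build_demo():
    """Wires the servers with a constructed policy: only user 'u1001' may access app 'crm'."""
    auth, authority, audit = AuthenticationServer(["u1001", "u1002"]), AuthorityServer(), AuditServer()
    approval = ApprovalServer(auth, authority, policy={("u1001", "crm")})
    return FrontServer(auth, authority, approval, audit), approval, authority, audit


if __name__ == "__main__":
    front = build_demo()[0]
    print(front.handle_approval_request({"user_id": "u1001", "app_id": "crm"}))
```

The caller tag is the simulation's stand-in for network isolation: in a deployment the same property comes from routing and firewall rules that let only the front server reach the back-end tier, which is what the patent relies on.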
The embodiment of the application further provides an approval apparatus, comprising: an approval request receiving module for receiving an approval request sent by the terminal device, the approval request comprising a user identifier and an application identifier; an identifier-token obtaining module for obtaining a user token corresponding to the terminal device according to the user identifier and an application token corresponding to the terminal device according to the application identifier; an identifier-token approval module for sending the user token and the application token to the approval server so that the approval server performs approval according to the user token and the application token and returns an approval result; and an approval result receiving module for receiving the approval result sent by the approval server, the approval result indicating whether the user corresponding to the user identifier has permission to access the application program corresponding to the application identifier.
Optionally, in this embodiment of the present application, the identifier-token obtaining module comprises: a user identifier sending module for forwarding the user identifier to the authentication server so that the authentication server returns the user token corresponding to the user identifier; and a user token receiving module for receiving the user token sent by the authentication server.
Optionally, in this embodiment of the present application, the identifier-token obtaining module comprises: a user identifier forwarding module for forwarding the user identifier to the authority server so that the authority server returns the application token corresponding to the user identifier; and an application token receiving module for receiving the application token sent by the authority server.
Optionally, in an embodiment of the present application, the approval apparatus further comprises: an approval result judging module for judging whether the approval result is "approved"; and a permission information sending module for, if it is, parsing the permission information corresponding to the user token and the application token from the approval result and sending it to the authority server, so that the authority server updates the permission information corresponding to the user token and the application token.
Optionally, in an embodiment of the present application, the approval apparatus further comprises an approval result sending module for sending the approval result to the audit server so that the audit server audits the approval result.
Optionally, in an embodiment of the present application, the approval apparatus further comprises: an application list obtaining module for obtaining the user identifier and the application list after the terminal device logs in; and an application list sending module for sending the user identifier and the application list to the terminal device, so that the terminal device selects the application identifier it needs to access from the application list and generates an approval request from the user identifier and the application identifier.
Optionally, in an embodiment of the present application, the approval request receiving module comprises: an approval request judging module for receiving the approval request sent by the terminal device and judging whether it meets a preset condition, the preset condition being that the traffic of the approval request exceeds a preset threshold or that the approval request is a malicious attack; and an approval request parsing module for parsing the user identifier and the application identifier from the approval request if the approval request does not meet the preset condition.
An embodiment of the present application further provides an electronic device, including: a processor and a memory, the memory storing processor-executable machine-readable instructions, the machine-readable instructions when executed by the processor performing the method as described above.
Embodiments of the present application also provide a computer-readable storage medium having a computer program stored thereon, where the computer program is executed by a processor to perform the method as described above.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be considered as limiting its scope; a person skilled in the art can obtain other related drawings from them without creative effort.
FIG. 1 is a schematic flow chart of an approval method provided by an embodiment of the present application;
fig. 2 is a schematic diagram of a network structure of an electronic device according to an embodiment of the present application;
FIG. 3 is a schematic flow chart illustrating the process of updating the permission information according to the approval result according to the embodiment of the present application;
FIG. 4 is a schematic flow chart illustrating auditing of approval results according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an approval apparatus provided in an embodiment of the present application;
fig. 6 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present application. The components of the embodiments, as generally described and illustrated in the figures, can be arranged and designed in a wide variety of configurations. The following detailed description of the embodiments, as presented in the figures, is therefore not intended to limit the scope of the embodiments as claimed, but is merely representative of selected embodiments. All other embodiments obtained by a person skilled in the art from the embodiments of the present application without creative effort fall within the protection scope of the embodiments of the present application.
Before introducing the approval method provided by the embodiments of the present application, some concepts related to the embodiments of the present application are introduced:
A zero trust system starts from the assumption that, by default, no subject (user, device, application or service) is trusted, the environment is unsafe and operations are non-compliant. It applies dynamic security protection, dynamic trust management and dynamic approval supervision to subjects, objects, behaviours and the relevant environmental elements through real-time, dynamic, end-to-end and multi-dimensional identity authentication, environmental risk assessment, dynamic access control, fine-grained data classification and grading, hierarchical and precise authorization, strengthened approval, dynamic auditing and similar measures. The aim is active risk assessment, active early warning and response, and active collaborative management of the two core assets, functions and data, so that the whole lifecycle of big data is knowable, manageable, controllable and traceable, forming an intelligent defence-in-depth system for big data that is secure, trustworthy and compliant.
A token identity, also called a token or identity token, is an authorized access token generated for a target object, where the target object may be a user, an application, a website or the like.
It should be noted that the approval method provided in the embodiment of the present application may be executed by an electronic device, where the electronic device is a server or a device terminal capable of executing a computer program. The device terminal includes a smartphone, a personal computer, a tablet computer, a personal digital assistant, a mobile internet device, or the like. A server is a device that provides computing services over a network, for example an x86 server or a non-x86 server, the latter including mainframes, minicomputers and UNIX servers.
It is understood that, since the electronic device may be a server placed between the terminal device and the approval server, is responsible for receiving and forwarding the approval requests sent by the terminal device, and sits close to the terminal device at the front of the zero-trust hierarchy, the electronic device may also be called a front server.
The application scenarios to which the approval method applies include, but are not limited to, the following: when the user's terminal device and the approval server (that is, the approval centre) cannot communicate directly over the network, when the approval server and the authority server (that is, the server running the identity authority system) are not in the same network tier, or when the approval server must communicate with the user's terminal device in a zero-trust network environment, the terminal device can communicate with the approval server and the authority server through the electronic device (the front server). If the approval server were directly exposed to the user's terminal device, it would face security risks such as malicious network attacks, traffic overload and leakage of internal information; the approval method avoids these risks, improves the security of the approval server in a zero-trust network environment, and helps an enterprise build a zero-trust system.
Please refer to FIG. 1, which is a schematic flow chart of an approval method provided in an embodiment of the present application. The main idea of the approval method is that the electronic device receives the approval request sent by the terminal device, has the user token and the application token approved according to the approval request, and then controls, according to the approval result, whether the user corresponding to the user identifier has permission to access the application. Because the electronic device relays the approval request sent by the user, the terminal device can interact effectively with the approval server while the approval server is not directly exposed to the user's terminal device, which avoids the security risks of malicious network attacks and information leakage. An embodiment of the approval method may include the following steps:
step S110: the electronic equipment receives an approval request sent by the terminal equipment, wherein the approval request comprises: a user identification and an application identification.
Optionally, before the electronic device receives the approval request sent by the terminal device, the electronic device may further obtain an application identifier selected by the user, and generate the approval request according to the application identifier, where the embodiment includes:
step S111: the electronic equipment acquires the user identification and the application list after the terminal equipment logs in.
Please refer to fig. 2, which is a schematic diagram of a network structure of an electronic device according to an embodiment of the present application; the embodiment of step S111 described above is, for example: the terminal device sends a login request to the electronic device, where the login request includes information to be authenticated (e.g., a user name and a password, and may also include a verification code, etc.). After receiving the login request sent by the terminal equipment, the electronic equipment forwards the login request to the authentication server so that the authentication server returns a login response. After receiving a login request sent by the electronic equipment, the authentication server analyzes information to be authenticated from the login request, checks the information to be authenticated (for example, whether a User name, a password and/or a check code are correct or not) according to the information to be authenticated, if the check is successful, encapsulates a User identifier (User ID) and a User Token (User Token) in a login success response, and sends the login success response to the electronic equipment, otherwise, sends a login failure response to the electronic equipment. After receiving the login success response sent by the authentication server, the electronic device may first forward the login success response to the terminal device, and obtain a User identifier (User ID) and a User Token (User Token) from the login success response; then, an application list may be obtained from memory databases such as Memcached and Redis, where the application list includes a plurality of pieces of application information, and each piece of application information may include: application identification, application name, and application introduction, among other fields.
Step S112: the electronic equipment sends the user identification and the application list to the terminal equipment so that the terminal equipment selects the application identification needing to be accessed from the application list, and generates an approval request according to the user identification and the application identification.
The embodiment of step S112 described above is, for example: after acquiring the user identifier and the application list, the electronic device sends the user identifier and the application list to the terminal device. After receiving the user identifier and the application list, the terminal device may compare and verify the user identifier in the login success response and the user identifier received this time; and if the comparison and verification are consistent and pass, displaying the application list on a display screen of the terminal equipment. After seeing the application list, the user can select an application needing to be accessed from the application list. The terminal equipment responds to the selection operation of the user, obtains the application identification selected by the user, generates an approval request according to the user identification and the application identification, and then sends the approval request to the electronic equipment.
The implementation of the step S110 may include: after receiving the approval request sent by the terminal device, the electronic device can also perform security detection on the approval request sent by the terminal device, and after the security detection is passed, the user identifier and the application identifier are analyzed from the approval request. The security measures described above include, but are not limited to: traffic overload detection, malicious attack detection and the like, and the specific processes are as follows: judging whether the approval request meets preset conditions or not, wherein the preset conditions comprise: the flow of the approval request is larger than a preset threshold value, or the approval request is a malicious attack. And if the approval request does not meet the preset condition, analyzing the user identifier and the application identifier from the approval request. If the approval request meets the preset condition and the condition of overload of the traffic is detected, the traffic can be processed by using the modes of current limiting, service degradation, fusing and the like. If the approval request meets the preset condition and the malicious attack condition is detected, adding an Internet Protocol (IP) address of the terminal device into a blacklist, or limiting the access times of the terminal device, and the like; wherein the specific malicious attack detection uses an attack feature library to match the approval request.
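The security detection of step S110, as an added example that is not code from the patent: a request gate in Python that applies a per-source traffic threshold (overload answered with rate limiting), matches every field of the request against a small constructed attack feature library, and blacklists a source once its matched-attack count reaches a limit (one reading of "limiting the access times of the terminal device"). Only a request that passes is parsed into a user identifier and application identifier. The thresholds, the signatures and the sample requests are constructed for the example and are far smaller than a real feature library.

```python
# Added example, not code from the patent: the checks a front server can run on an
# approval request before parsing it. Thresholds, signatures and sample requests are
# constructed for the example; a production feature library is much larger.

import re
from collections import defaultdict, deque

# constructed attack feature library: (name, pattern applied to every field of the request)
ATTACK_FEATURES = [
    ("sql-injection", re.compile(r"('|%27)\s*(or|and)\s+['\d]", re.I)),
    ("sql-comment", re.compile(r"(--|/\*|#)\s*$")),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


class ApprovalRequestGate:
    def __init__(self, max_requests=5, window_seconds=60, max_strikes=3):
        self.max_requests, self.window, self.max_strikes = max_requests, window_seconds, max_strikes
        self._hits = defaultdict(deque)   # source ip -> times of its requests inside the window
        self._strikes = defaultdict(int)  # source ip -> number of requests matched as attacks
        self.blacklist = set()

    def _overloaded(self, ip, now):
        recent = self._hits[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.max_requests

    @staticmethod
    def _matched_feature(request):
        for value in request.values():
            for name, pattern in ATTACK_FEATURES:
                if pattern.search(str(value)):
                    return name
        return None

    def check(self, ip, request, now):
        """Returns ("ok", {"user_id", "app_id"}) or ("rejected", reason). `now` is passed in
        so behaviour over time is reproducible; a server would pass time.monotonic()."""
        if ip in self.blacklist:
            return "rejected", "blacklisted"
        if self._overloaded(ip, now):
            # the patent's overload handling: rate limiting, service degradation or circuit breaking
            return "rejected", "rate-limited"
        feature = self._matched_feature(request)
        if feature is not None:
            self._strikes[ip] += 1
            if self._strikes[ip] >= self.max_strikes:  # access-count limit reached: blacklist the source
                self.blacklist.add(ip)
            return "rejected", f"attack-signature:{feature}"
        try:
            return "ok", {"user_id": str(request["user_id"]), "app_id": str(request["app_id"])}
        except KeyError as missing:
            return "rejected", f"missing field {missing}"
```

The blacklist check runs first so a blocked source costs nothing beyond a set lookup, and the overload check runs before signature matching so a flood of requests cannot make the gate spend regex time on every one of them.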
After step S110, step S120 is performed: the electronic equipment acquires the user token corresponding to the terminal equipment according to the user identification, and acquires the application token corresponding to the terminal equipment according to the application identification.
Optionally, if the user token expires, the user token may be obtained again according to the user identifier. The embodiment of obtaining the user token (UserToken) corresponding to the terminal device according to the user identifier in step S120 may include:
step S121: and the electronic equipment forwards the user identification to the authentication server so that the authentication server returns a user token corresponding to the user identification.
The embodiment of the step S121 includes: the electronic device mentioned above is the user identifier obtained after the user logs in, and certainly, the user identifier may also be obtained from an authentication response corresponding to the authentication request sent by the terminal device, specifically, for example: the terminal device sends an authentication request to the electronic device through a hypertext Transfer Protocol (HTTP) or a Hypertext Transfer Protocol Security (HTTPs), where the authentication request includes a user identifier. The electronic equipment receives an authentication request sent by the terminal equipment, analyzes the user identification from the authentication request after the authentication request is subjected to security check, and then forwards the user identification to the authentication server.
Step S122: the electronic device receives a user token sent by the authentication server.
The implementation of step S122 is, for example: the authentication server receives the user identifier (User ID) sent by the electronic device over HTTP or HTTPS, randomly generates a user token (User Token) corresponding to that identifier, stores the correspondence between the user identifier and the user token in a database, and sends the user token to the electronic device. The database may be an in-memory database, a relational database or a non-relational database; relational databases that may be used include MySQL, PostgreSQL, Oracle and SQL Server, and non-relational databases that may be used include Grakn, Neo4j, HBase (a Hadoop subsystem), MongoDB and CouchDB.
The embodiment of the step S120 of obtaining the application token corresponding to the terminal device according to the application identifier may include:
step S123: and the electronic equipment forwards the user identification to the authority server so that the authority server returns the application token corresponding to the user identification.
Step S124: the electronic device receives the application token sent by the entitlement server.
The implementation of steps S123 to S124 is, for example: the electronic device sends the user identifier to the authority server over HTTP or HTTPS so that the authority server returns the application token corresponding to the user identifier. After receiving the user identifier, the authority server retrieves the corresponding application token from its database, which may be an in-memory, relational or non-relational database, and sends it to the electronic device. The electronic device receives the application token sent by the authority server over HTTP or HTTPS.
After step S120, step S130 is performed: the electronic device sends the user token and the application token to the approval server so that the approval server performs approval according to the two tokens and returns an approval result.
The implementation of step S130 is, for example: after obtaining the user token and the application token, the electronic device sends them to the approval server over HTTP or HTTPS; together they apply for the right of the user corresponding to the user identifier to access the application corresponding to the application identifier. After receiving the two tokens, the approval server looks up the user permission information corresponding to the user token in the permission information table of its database. If the user permission information includes the application identifier corresponding to the application token, the approval result is set to approved, the approved user token and application token are packaged into the approval result, and the approval result is returned; if it does not, the approval result is set to not approved and returned.
After step S130, step S140 is performed: the electronic device receives the approval result sent by the approval server; the approval result indicates whether the user corresponding to the user identifier has the right to access the application program corresponding to the application identifier.
The implementation of step S140 is, for example: the electronic device receives the approval result sent by the approval server over HTTP or HTTPS. If the result is approved, it may be forwarded to the authority server so that the authority server parses the approved user token and application token from it and stores them in its database (an in-memory, relational or non-relational database). The approval result indicates whether the user corresponding to the user identifier has the right to access the application program corresponding to the application identifier.
In the above process, the electronic device receives the approval request sent by the terminal device, has the user token and application token approved according to that request, and then controls, according to the approval result, whether the user corresponding to the user identifier has the right to access the application. Because the electronic device relays the approval request on the user's behalf, the terminal device can interact effectively with the approval server while the approval server is never exposed directly to the user's terminal device, which protects it from malicious network attacks and the security risk of information leakage.
Please refer to fig. 3, which is a schematic flow chart illustrating the process of updating the authority information according to the approval result according to the embodiment of the present application; optionally, after receiving the approval result sent by the approval server, the authority information may be updated according to the approval result, and an implementation manner of the method may include:
step S210: and the electronic equipment judges whether the approval result is approved or not.
The embodiment of step S210 described above is, for example: the electronic equipment judges whether the approval result passes by approval by using an executable program compiled or interpreted by a preset programming language; among these, preset programming languages that can be used are, for example: C. c + +, Java, BASIC, JavaScript, LISP, Shell, Perl, Ruby, Python, and PHP, among others.
After step S210, step S220 is performed: and if the approval result is that the approval is passed, the electronic equipment analyzes the authority information corresponding to the user token and the application token from the approval result and sends the authority information to the authority server so that the authority server updates the authority information corresponding to the user token and the application token.
The embodiment of the step S220 includes: it can be understood that, the application program corresponding to the application identifier may also have permission information set therein, that is, if the application program has permission information set therein, the permission server may also update the permission information corresponding to the user token and the application token, and the specific process is, for example: and under the condition that the approval result is approved, the electronic equipment can analyze the user token and the application token from the approval result, search the authority information corresponding to the user token and the application token in a database of the electronic equipment and send the authority information to the authority server. After receiving the authority information corresponding to the user token and the application token, the authority server searches the old authority information corresponding to the user token and the application token, and updates the old authority information by using the received authority information.
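Steps S120 to S140 together with the update of steps S210 to S220, as an added end-to-end Python model (not the patent's own code): the electronic device is the gateway, and the authentication, authority and approval servers are in-process objects sharing one dict-based database. Assumptions: the authority server is handed both the user and the application identifier, user tokens expire after TOKEN_TTL_SECONDS, and the users, applications and tokens in build_demo_gateway are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 3600.0  # assumed user-token lifetime; the page only says a token may expire


@dataclass
class SharedDatabase:
    """Constructed stand-in for the servers' databases (plain dicts instead of MySQL, HBase, ...)."""
    user_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # user_id -> (token, issued_at)
    app_tokens: Dict[Tuple[str, str], str] = field(default_factory=dict)     # (user_id, app_id) -> app token
    permissions: Dict[str, Set[str]] = field(default_factory=dict)           # user_id -> app ids allowed
    approved: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)  # (user_token, app_token) -> info


class AuthenticationServer:
    """Steps S121-S122: a random user token per user identifier, re-issued once it has expired."""

    def __init__(self, db: SharedDatabase) -> None:
        self.db = db

    def user_token_for(self, user_id: str, now: float) -> str:
        entry = self.db.user_tokens.get(user_id)
        if entry is None or now - entry[1] > TOKEN_TTL_SECONDS:
            entry = (secrets.token_hex(16), now)   # random token, mapping persisted
            self.db.user_tokens[user_id] = entry
        return entry[0]


class AuthorityServer:
    """Steps S123-S124 (application token lookup) and S220 (storing approved permission info)."""

    def __init__(self, db: SharedDatabase) -> None:
        self.db = db

    def app_token_for(self, user_id: str, app_id: str) -> Optional[str]:
        return self.db.app_tokens.get((user_id, app_id))

    def update_permission_info(self, user_token: str, app_token: str, info: Set[str]) -> None:
        self.db.approved[(user_token, app_token)] = info  # old info for the pair is replaced


class ApprovalServer:
    """Step S130: resolve both tokens, then check the user's permission information."""

    def __init__(self, db: SharedDatabase) -> None:
        self.db = db

    def approve(self, user_token: str, app_token: str, now: float) -> dict:
        user_id = next((u for u, (t, issued) in self.db.user_tokens.items()
                        if t == user_token and now - issued <= TOKEN_TTL_SECONDS), None)
        app_id = next((a for (u, a), t in self.db.app_tokens.items()
                       if t == app_token and u == user_id), None)
        allowed = self.db.permissions.get(user_id, set()) if user_id is not None else set()
        if app_id is not None and app_id in allowed:
            # the approved tokens and the matching permission info travel back inside the result
            return {"approved": True, "user_token": user_token, "app_token": app_token,
                    "permission_info": set(allowed)}
        return {"approved": False}


class ApprovalGateway:
    """The 'electronic device': the only party the terminal device ever talks to."""

    def __init__(self, db: SharedDatabase) -> None:
        self.db = db
        self.auth = AuthenticationServer(db)
        self.authority = AuthorityServer(db)
        self.approval = ApprovalServer(db)

    def handle_approval_request(self, user_id: str, app_id: str, now: float) -> dict:
        user_token = self.auth.user_token_for(user_id, now)         # S121-S122
        app_token = self.authority.app_token_for(user_id, app_id)   # S123-S124
        if app_token is None:
            return {"approved": False, "reason": "no application token for this user and application"}
        result = self.approval.approve(user_token, app_token, now)  # S130-S140
        if result["approved"]:                                       # S210-S220
            self.authority.update_permission_info(result["user_token"], result["app_token"],
                                                  result["permission_info"])
        return result


def build_demo_gateway() -> ApprovalGateway:
    """Constructed sample data: user u1 holds application tokens for two apps but may access only app-mail."""
    db = SharedDatabase()
    db.app_tokens[("u1", "app-mail")] = "apptok-mail-u1"
    db.app_tokens[("u1", "app-hr")] = "apptok-hr-u1"
    db.permissions["u1"] = {"app-mail"}
    return ApprovalGateway(db)
```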
Optionally, in a specific implementation, the electronic device may also map the HTTP link addresses or Uniform Resource Locator (URL) addresses accessed by the terminal device, so that a user cannot learn the real directory access paths of the approval server with a network or web page packet capture tool; the HTTP link addresses or URL addresses of the authority server, authentication server and audit server may be mapped in the same way. On each request it receives, the electronic device parses the key generated by the server from the request and compares it against the field stored in the system's built-in database to obtain the real access content and the corresponding path. The internal data and directory structure of the approval server are therefore never disclosed, which reduces the security risk of its data and directory addresses leaking.
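The address mapping described above, as an added Python illustration (not the patent's code): the gateway derives an opaque key per real backend URL with a keyed hash, hands only the opaque path to the terminal, and resolves incoming paths against its table, refusing anything that was not issued. The "/r/" prefix, the secret and the backend URLs are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


class PathMapper:
    """Maps opaque client-facing paths to the real backend URLs of the internal servers."""

    PREFIX = "/r/"  # assumed client-facing prefix; the page does not fix one

    def __init__(self, secret: bytes, real_urls: Iterable[str]) -> None:
        self._secret = secret
        # the "database field" the gateway consults on each request: opaque key -> real URL
        self._by_key: Dict[str, str] = {self._key_for(u): u for u in real_urls}

    def _key_for(self, real_url: str) -> str:
        # keyed hash, so every gateway instance holding the secret derives the same key
        # without shared state, while the key itself reveals nothing about the real path
        return hmac.new(self._secret, real_url.encode(), hashlib.sha256).hexdigest()[:32]

    def public_path(self, real_url: str) -> str:
        """Path handed to the terminal device in place of the real URL."""
        if real_url not in self._by_key.values():
            raise KeyError("unregistered backend URL")
        return self.PREFIX + self._key_for(real_url)

    def resolve(self, client_path: str) -> Optional[str]:
        """Real access target for an incoming request, or None for anything that was not issued."""
        if not client_path.startswith(self.PREFIX):
            return None  # real directory paths are never accepted from the client side
        return self._by_key.get(client_path[len(self.PREFIX):])


# Constructed backend table: internal URLs of the servers behind the gateway.
BACKEND_URLS = [
    "http://approval.internal:8080/approve/v1/apply",
    "http://authority.internal:8081/authority/v1/apps",
    "http://auth.internal:8082/authn/v1/token",
    "http://audit.internal:8083/audit/v1/results",
]


def build_demo_mapper() -> PathMapper:
    return PathMapper(b"constructed-gateway-secret", BACKEND_URLS)
```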
Please refer to fig. 4, which is a schematic flow chart illustrating auditing approval results according to an embodiment of the present application; optionally, after receiving the approval result sent by the approval server, the approval result may be audited, and the implementation manner of auditing the approval result may include:
step S310: and the electronic equipment sends the examination and approval result to the audit server so that the audit server audits the examination and approval result and returns the audit result.
After step S310, step S320 is performed: and the electronic equipment receives the auditing result sent by the auditing server.
The embodiments of the above steps S310 to S320 are, for example: the electronic device sends the approval result to the audit server through a Transmission Control Protocol (TCP) or a User Datagram Protocol (UDP). And after receiving the approval result sent by the electronic equipment, the audit server audits the approval result and returns the audit result. After the electronic device receives the audit result sent by the audit server through a TCP protocol or a UDP protocol, the electronic device can send the audit result to the terminal device when the terminal device sends an audit result query request.
Please refer to fig. 5, which is a schematic structural diagram of an approval apparatus provided in an embodiment of the present application; the embodiment of the present application provides an approval apparatus 400, including:
an approval request receiving module 410, configured to receive an approval request sent by a terminal device, where the approval request includes: a user identification and an application identification.
The identification token obtaining module 420 is configured to obtain a user token corresponding to the terminal device according to the user identification, and obtain an application token corresponding to the terminal device according to the application identification.
The identification token approval module 430 is configured to send the user token and the application token to the approval server, so that the approval server performs approval according to the user token and the application token and returns an approval result.
The approval result receiving module 440 is configured to receive the approval result sent by the approval server, where the approval result indicates whether the user corresponding to the user identifier has the right to access the application program corresponding to the application identifier.
Optionally, in this embodiment of the present application, the identification token obtaining module includes:
a user identifier sending module, configured to forward the user identifier to the authentication server so that the authentication server returns a user token corresponding to the user identifier; and
a user token receiving module, configured to receive the user token sent by the authentication server.
Optionally, in this embodiment of the present application, the identification token obtaining module includes:
a user identifier forwarding module, configured to forward the user identifier to the authority server so that the authority server returns the application token corresponding to the user identifier; and
an application token receiving module, configured to receive the application token sent by the authority server.
Optionally, in an embodiment of the present application, the approval apparatus further includes:
an approval result judging module, configured to judge whether the approval result is approved; and
a permission information sending module, configured to, if the approval result is approved, parse the permission information corresponding to the user identifier and the application identifier from the approval result and send it to the authority server, so that the authority server updates the permission information corresponding to the user token and the application token.
Optionally, in an embodiment of the present application, the approval apparatus further includes:
an approval result sending module, configured to send the approval result to the audit server so that the audit server audits the approval result.
Optionally, in an embodiment of the present application, the approval apparatus further includes:
an application list acquisition module, configured to acquire the user identifier and the application list after the terminal device logs in; and
an application list sending module, configured to send the user identifier and the application list to the terminal device, so that the terminal device selects the application identifier to be accessed from the application list and generates an approval request according to the user identifier and the application identifier.
Optionally, in an embodiment of the present application, the approval request receiving module includes:
an approval request judging module, configured to receive an approval request sent by the terminal device and judge whether the approval request meets a preset condition, where the preset condition is that the traffic of the approval request is larger than a preset threshold, or that the approval request is a malicious attack; and
an approval request parsing module, configured to parse the user identifier and the application identifier from the approval request if the approval request does not meet the preset condition.
It should be understood that the apparatus corresponds to the embodiments of the approval method above and can perform the steps of those embodiments; its specific functions can be found in the description above, and a detailed description is omitted here to avoid redundancy. The apparatus includes at least one software functional module that may be stored in memory in the form of software or firmware, or embedded in the Operating System (OS) of the device.
Please refer to fig. 6 for a schematic structural diagram of an electronic device according to an embodiment of the present application. An electronic device 500 provided in an embodiment of the present application includes: a processor 510 and a memory 520, the memory 520 storing machine readable instructions executable by the processor 510, the machine readable instructions when executed by the processor 510 performing the method as above.
Embodiments of the present application also provide a computer-readable storage medium 530, where the computer-readable storage medium 530 stores thereon a computer program, and when the computer program is executed by the processor 510, the computer program performs the method as described above.
The computer-readable storage medium 530 may be implemented by any type of volatile or nonvolatile storage device or combination thereof, such as a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), an Erasable Programmable Read-Only Memory (EPROM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), a magnetic Memory, a flash Memory, a magnetic disk, or an optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
In addition, functional modules of the embodiments in the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an alternative embodiment of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present application, and all the changes or substitutions should be covered by the scope of the embodiments of the present application.

Claims (10)

1. An approval method, comprising:
receiving an approval request sent by a terminal device, wherein the approval request comprises: a user identifier and an application identifier;
acquiring a user token corresponding to the terminal equipment according to the user identification, and acquiring an application token corresponding to the terminal equipment according to the application identification;
sending the user token and the application token to an approval server so that the approval server carries out approval according to the user token and the application token and returns an approval result;
and receiving the approval result sent by the approval server, wherein the approval result represents whether the user corresponding to the user identifier has the right to access the application program corresponding to the application identifier.
2. The method of claim 1, wherein the obtaining the user token corresponding to the terminal device according to the user identifier comprises:
forwarding a user identifier to an authentication server so that the authentication server returns a user token corresponding to the user identifier;
and receiving the user token sent by the authentication server.
3. The method of claim 1, wherein the obtaining the application token corresponding to the terminal device according to the application identifier comprises:
forwarding a user identifier to an authority server so that the authority server returns an application token corresponding to the user identifier;
and receiving the application token sent by the authority server.
4. The method according to claim 3, wherein after said receiving the approval result sent by the approval server, further comprising:
judging whether the approval result is approved or not;
and if so, analyzing the authority information corresponding to the user token and the application token from the approval result, and sending the authority information to the authority server so that the authority server updates the authority information corresponding to the user token and the application token.
5. The method according to claim 1, wherein after said receiving said approval result sent by said approval server, further comprising:
and sending the approval result to an auditing server so that the auditing server audits the approval result.
6. The method according to claim 1, wherein before the receiving the approval request sent by the terminal device, further comprising:
after the terminal equipment logs in, acquiring a user identifier and an application list;
and sending the user identifier and the application list to the terminal equipment so that the terminal equipment selects the application identifier needing to be accessed from the application list, and generating the approval request according to the user identifier and the application identifier.
7. The method according to claim 1, wherein the receiving of the approval request sent by the terminal device comprises:
receiving an approval request sent by the terminal equipment, and judging whether the approval request meets a preset condition, wherein the preset condition comprises the following steps: the flow of the approval request is larger than a preset threshold value, or the approval request is a malicious attack;
and if not, analyzing the user identifier and the application identifier from the approval request.
8. An approval apparatus, comprising:
an approval request receiving module, configured to receive an approval request sent by a terminal device, wherein the approval request comprises: a user identifier and an application identifier;
the identification token acquisition module is used for acquiring a user token corresponding to the terminal equipment according to the user identification and acquiring an application token corresponding to the terminal equipment according to the application identification;
the identification token approval module is used for sending the user token and the application token to an approval server so that the approval server can approve according to the user token and the application token and return an approval result;
and the approval result receiving module is used for receiving the approval result sent by the approval server, and the approval result represents whether the user corresponding to the user identifier has the right to access the application program corresponding to the application identifier.
9. An electronic device, comprising: a processor and a memory, the memory storing machine-readable instructions executable by the processor, the machine-readable instructions when executed by the processor performing the method of any of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, performs the method of any one of claims 1 to 7.
CN202111484413.8A 2021-12-07 2021-12-07 Approval method and device, electronic equipment and storage medium Active CN114143106B (en)

Publications (2)

Publication Number Publication Date
CN114143106A true CN114143106A (en) 2022-03-04
CN114143106B CN114143106B (en) 2024-01-23
