CN114218538A - Authority control method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN114218538A
Authority
CN
China
Prior art keywords
state information
login state
interface
service request
role
Legal status
Pending
Application number
CN202111400294.3A
Other languages
Chinese (zh)
Inventor
周雅萌
黄显龙
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0877 Cache access modes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/107 License processing; Key processing
    • G06F21/1078 Logging; Metering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a permission control method, a device, a computer device, a storage medium and a computer program product. A service request is first received, and the login state information and the service request object corresponding to the request are obtained; the login state information comprises a user identifier and a channel identifier. It is then determined whether a correspondence between this login state information and the service request object exists among the configured correspondences between login state information and service request objects, where the service request object comprises an interface. If it exists, the login state information is determined to have permission to use the service request object, and the login state information is issued to a downstream service module. With this method, permission control for users from different channels is achieved with one system and one database, without repeated deployment or code modification; maintenance cost is low, user operations and data are isolated, system security is improved, and use is reliable.

Description

Authority control method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of big data access technologies, and in particular, to a method and an apparatus for controlling permissions, a computer device, a storage medium, and a computer program product.
Background
With the development of the times and the progress of technology, systems have evolved from the original development and use by a single enterprise to the current cross-platform, multi-system, multi-channel and multi-user integrated mode. System security has become an unavoidable problem in system development, and permission control is inseparable from system security. Different channels, different systems and different users all raise the problem of users acting beyond their privileges (the "override" problem); defining user responsibilities, controlling channel access permissions, and preventing low-privilege users from performing high-privilege management operations is therefore of great significance for protecting system data security.
Traditional permission control is implemented on Shiro, an open-source security framework that handles authentication, authorization, session management and password encryption, supports permission coding through programming, injection and tag (annotation) modes, and can be used together with Spring or on its own. However, with this approach, whenever a user's permissions change the code must be modified, so the maintenance cost is high.
Disclosure of Invention
In view of the above, and in response to the problem that the maintenance cost of conventional permission control is high, it is necessary to provide a method, an apparatus, a computer device, a storage medium, and a computer program product for permission control which reduce maintenance cost and improve reliability.
In a first aspect, the present application provides a method for controlling a right. The method comprises the following steps:
receiving a service request, and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
determining whether the corresponding relation between the login state information and a service request object exists in the corresponding relation between the configured login state information and the service request object, wherein the service request object comprises an interface;
if the correspondence exists, the login state information is determined to have the permission to use the service request object, and the service request corresponding to the login state information is sent to a downstream service module.
In one embodiment, the service request object further includes roles and menus, and the correspondence is a correspondence of login state information, roles, menus, and interfaces, where in the correspondence, one login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface.
In one embodiment, the correspondence is stored by a two-layer cache structure, wherein the first-layer cache structure stores the correspondence between the login state information and the role, and the second-layer cache structure stores the correspondence between the role and the interface.
In one embodiment, the method further comprises:
after obtaining the login state information corresponding to the service request, refreshing the first-layer cache structure;
and after the login state information corresponding to the service request is obtained, if the interval between the current time and the last time of obtaining the login state information is greater than the preset interval, refreshing the second-layer cache structure.
In one embodiment, the manner for acquiring the corresponding relationship between the configured login state information and the service request object includes:
calling a refreshed resource table interface in user service to acquire all application program interfaces in the system;
and acquiring the service name and the interface path of each application program interface to obtain a preset interface identification list.
In one embodiment, the obtaining the service name and the interface path where each application program interface is located to obtain a preset interface identifier list includes:
respectively calculating the message abstract of the character string consisting of the service name and the interface path where each application program interface is located;
respectively carrying out hexadecimal coding on each message abstract to obtain an interface identifier of each application service interface;
and obtaining a preset interface identification list according to the interface identification of each application service interface.
In one embodiment, the method further comprises:
receiving a configuration relation setting instruction sent by an operator, wherein the configuration relation setting instruction comprises a corresponding relation between login state information and a role and a corresponding relation between the role and a menu;
and updating the corresponding relation among the login state information, the role, the menu and the interface according to the configuration relation setting instruction.
In one embodiment, when the channel identifier in the login state information is an end user channel, the menu matched with the login state information is a virtual menu identifier.
In a second aspect, the application further provides an authority control device. The device comprises:
the request receiving module is used for receiving a service request and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
the corresponding relation determining module is used for determining whether the corresponding relation between the login state information and the service request object exists in the configured corresponding relation between the login state information and the service request object, and the service request object comprises an interface;
and the authority processing module is used for determining that the login state information has the authority to use the service request object when the corresponding relation determining module determines that the corresponding relation exists, and issuing the login state information to a downstream service module.
In one embodiment, the service request object further includes roles and menus, and the correspondence is a correspondence of login state information, roles, menus, and interfaces, where in the correspondence, one login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface.
In one embodiment, the correspondence is stored by a two-layer cache structure, wherein the first-layer cache structure stores the correspondence between the login state information and the role, and the second-layer cache structure stores the correspondence between the role and the interface.
In one embodiment, the permission control device further includes an updating module, where the updating module is configured to refresh the first-layer cache structure after obtaining the login state information corresponding to the service request; and after the login state information corresponding to the service request is obtained, if the interval between the current time and the last time of obtaining the login state information is greater than the preset interval, refreshing the second-layer cache structure.
In one embodiment, the permission control device further comprises a configuration corresponding relation obtaining module, wherein the configuration corresponding relation obtaining module is used for calling a resource table refreshing interface in user service and obtaining all application program interfaces in the system; and acquiring the service name and the interface path of each application program interface to obtain a preset interface identification list.
In one embodiment, the configuration correspondence obtaining module is further configured to calculate a message digest of a character string composed of a service name and an interface path where each application program interface is located, respectively; respectively carrying out hexadecimal coding on each message abstract to obtain an interface identifier of each application service interface; and obtaining a preset interface identification list according to the interface identification of each application service interface.
In one embodiment, the permission control device further comprises a configuration module, wherein the configuration module is used for receiving a configuration relationship setting instruction sent by an operator, and the configuration relationship setting instruction comprises a corresponding relationship between login state information and a role and a corresponding relationship between the role and a menu; and updating the corresponding relation among the login state information, the role, the menu and the interface according to the configuration relation setting instruction.
In one embodiment, when the channel identifier in the login state information is an end user channel, the menu matched with the login state information is a virtual menu identifier.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
receiving a service request, and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
determining whether the corresponding relation between the login state information and a service request object exists in the corresponding relation between the configured login state information and the service request object, wherein the service request object comprises an interface;
if the correspondence exists, the login state information is determined to have the permission to use the service request object, and the service request corresponding to the login state information is sent to a downstream service module.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
receiving a service request, and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
determining whether the corresponding relation between the login state information and a service request object exists in the corresponding relation between the configured login state information and the service request object, wherein the service request object comprises an interface;
if the correspondence exists, the login state information is determined to have the permission to use the service request object, and the service request corresponding to the login state information is sent to a downstream service module.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:
receiving a service request, and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
determining whether the corresponding relation between the login state information and a service request object exists in the corresponding relation between the configured login state information and the service request object, wherein the service request object comprises an interface;
if the correspondence exists, the login state information is determined to have the permission to use the service request object, and the service request corresponding to the login state information is sent to a downstream service module.
The method, the device, the computer device, the storage medium and the computer program product for permission control first receive a service request and acquire the login state information and service request object corresponding to it, where the login state information comprises a user identifier and a channel identifier. They then determine whether a correspondence between this login state information and the service request object exists among the configured correspondences between login state information and service request objects, where the service request object comprises an interface; if so, the login state information is determined to have permission to use the service request object and is issued to a downstream service module. By introducing the user identifier and the channel identifier into the login state information and then matching service request objects and authenticating permissions against it, permission control for users from different channel sources is achieved with one system and one database, without repeated deployment or code modification; maintenance cost is low, user operations and data are isolated, system security is improved, and use is reliable.
Drawings
FIG. 1 is a diagram of an application environment of a rights control method in one embodiment;
FIG. 2 is a flow diagram illustrating a method for controlling permissions in one embodiment;
FIG. 3 is a flow chart illustrating a method for controlling permissions in another embodiment;
FIG. 4 is a block diagram of an embodiment of a rights control unit;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The permission control method provided by the embodiments of the application can be applied in the application environment shown in fig. 1. A user sends a service request through a request channel; the request passes through a reverse proxy and reaches the gateway, which judges the permission of the received request and its related information to decide whether the request is rejected or passed, and a passed request is issued to a downstream service module. The permission system can preprocess the related data, for example configure the correspondences in the application in advance, so that they can be called directly at request time with high working efficiency.
In one embodiment, as shown in fig. 2, a method for controlling a right is provided, which is described by taking the method as an example for being applied to the gateway in fig. 1, and includes the following steps:
step 200, receiving a service request, and acquiring login state information and a service request object corresponding to the service request.
The login state information comprises a user identifier and a channel identifier. The user identifier represents the identity of a user. The channel identifier may include a channel type identifier, representing the type of channel, and a device identifier, representing a specific device within a channel type. The login state information can thus be understood as a pair of the form (clientId, userId). When the same user logs in through different channels (e.g., fic/ops/app/pc), the corresponding service request objects differ, e.g., the set of interfaces that may be called is different.
Specifically, a service request is received from a request channel through the gateway, and the login state information and service request object corresponding to the request are acquired. The type of service request is not limited and may be, for example, a login request. The type of service request object is likewise not limited: it may include an interface and may include other objects, as long as those skilled in the art recognise that the implementation is possible. Further, the type of request channel is not unique; in the present application the request channels may comprise three levels, namely an operator-oriented management system (ops), a business system (fic) oriented to each organisation, and a guest system oriented to C-end (end) users. The guest system for C-end users can in turn be divided by channel source into a mobile app end, a PC web end, a third-party access end, and so on; the third-party access end may include tablet computers, IoT devices and portable wearable devices, where IoT devices may be smart speakers, smart TVs, smart air conditioners, smart vehicle-mounted devices, etc., and portable wearable devices may be smart watches, smart bands, head-mounted devices, etc.
In step 400, in the configured corresponding relationship between the login state information and the service request object, it is determined whether the corresponding relationship between the login state information and the service request object exists.
The service request object includes an Interface, which is generally an API (Application Program Interface). Correspondingly, the configured corresponding relationship between the login state information and the service request object may include the corresponding relationship between the login state information and the interface.
Specifically, after receiving the login state information and the service request object, the gateway searches the configured correspondences between login state information and service request objects and determines whether a correspondence between the received login state information and service request object exists. The configured correspondences are prepared in advance and represent, for each login state, the service request objects to which access has been opened. In this embodiment, the configured correspondences are stored in a Remote Dictionary Server (Redis), which reduces the load on the gateway.
Step 600, if the correspondence exists, determining that the login state information has the permission to use the service request object, and sending the service request corresponding to the login state information to a downstream service module.
Specifically, if the corresponding relationship between the received login state information and the service request object exists in the configured corresponding relationship between the login state information and the service request object, the received login state information and the service request object are considered to pass through authority authentication, and the login state information has authority for using the service request object. It is to be understood that, in other embodiments, if there is no corresponding relationship between the received login state information and the received service request object in the configured corresponding relationship between the login state information and the service request object, the gateway may reject the service request corresponding to the login state information, considering that the login state information does not have the right to use the service request object.
Further, the method for controlling the authority may further include step 800.
Step 800, if not, rejecting the service request.
Specifically, if there is no correspondence between the received login state information and the service request object in the configured correspondence between the login state information and the service request object, it is considered that the received login state information and the service request object cannot pass the authorization authentication, and the login state information does not have the authorization to use the service request object. In this case, the service request is rejected, so that illegal access can be effectively prevented, and the system security is improved.
The method first receives a service request and acquires the login state information and service request object corresponding to it, where the login state information comprises a user identifier and a channel identifier. It then determines whether a correspondence between this login state information and the service request object exists among the configured correspondences between login state information and service request objects, where the service request object comprises an interface; if so, the login state information is determined to have permission to use the service request object and is issued to a downstream service module. By introducing the user identifier and the channel identifier into the login state information and then matching service request objects and authenticating permissions against it, permission control for users from different channel sources is achieved with one system and one database, without repeated deployment or code modification; maintenance cost is low, user operations and data are isolated, system security is improved, and use is reliable.
In one embodiment, the service request object further includes roles and menus, and the correspondence is the correspondence of login state information, roles, menus, and interfaces, where in the correspondence, one login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface.
The type of the service request object is not unique, and when the service request object further includes a role and a menu, the corresponding relationship is the corresponding relationship of login state information, the role, the menu and the interface. Specifically, in the correspondence, one login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface. In this embodiment, one login state information corresponds to two or more roles, one role corresponds to two or more menus, and one menu corresponds to two or more interfaces, that is, one login state information has a plurality of roles, each role has a plurality of menus, each menu includes a plurality of interface permissions, and the relationship between them is many-to-many:
[Figure (not reproduced): the login state, role, menu and interface entities and their many-to-many associations]
Because the login state information comprises a user identifier and a channel identifier, the extensibility of the system is enhanced and the method adapts to multi-level channel users. The menu is the system menu bar, an interface that displays hierarchically the commands the system can execute. A user (specifically, a login state) can hold different roles, each role is permitted to operate a different set of menu bars, and the function of each menu is realised by several interfaces. This realises four-level linked permission management of "user (login state) - role - menu - interface": the concept of the menu is added on top of role-based access control, making the permission control of the multi-channel system more fine-grained.
In one embodiment, the correspondence is stored by a two-layer cache structure, wherein the first-layer cache structure stores the correspondence between the login state information and the role, and the second-layer cache structure stores the correspondence between the role and the interface.
Specifically, when the correspondence is that of login state information, role, menu and interface, it can be stored in a two-layer cache structure comprising a first-layer cache structure and a second-layer cache structure: the correspondence between login state information and role is stored in the first layer, the correspondence between role and interface in the second layer, and the correspondence between role and menu in either the first or the second layer. In an extensible variant, the role-menu correspondence may be stored in the first-layer cache, the second-layer cache, or directly in the database. Taking caching in Redis as an example, a two-layer hashmap structure can be used. The first-layer hashmap caches the user-role association: the key is global, of the form authUserRole:<clientId><userId>, and the value is the role ids held by the login state. The second-layer hashmap caches the role-interface association (some intermediate associations are not exposed here): the key is global, of the form authRoleResource:<roleID>, where the appended part is the roleID, which can be traversed from the values of the first layer, and the value is all interface resources held by the role.
In one embodiment, as shown in fig. 3, the method for controlling authority further includes steps 310 and 320.
In step 310, after the login state information corresponding to the service request is obtained, the first-layer cache structure is refreshed.
After the login state information corresponding to the service request is acquired, the first-layer cache structure is refreshed, specifically, the permission data stored in the first-layer cache structure, for example, the corresponding relationship between the configured login state information and the role, is refreshed, so that accurate permission data can be acquired in time, and the system safety performance is improved.
In step 320, after the login state information corresponding to the service request is obtained, if the interval between the current time and the time at which the login state information was last obtained is greater than the preset time interval, the second-layer cache structure is refreshed.
Specifically, the time at which the login state information corresponding to the service request is currently acquired and the time at which it is next acquired are recorded; if the interval between the two is greater than the preset time interval, the second-layer cache structure is refreshed. Equivalently, the current acquisition time is taken as the timing start point and the next acquisition time as the timing end point, and when the interval between them exceeds the preset time interval the second-layer cache structure is refreshed, which prevents excessive pressure on the data storage interface. Refreshing the second-layer cache structure means refreshing the permission data stored in it, for example the configured correspondence between role and interface, so that accurate permission data is obtained in time and the security of the system is improved. The value of the preset time interval is not fixed and may be, for example, 30 seconds. It is understood that in other embodiments the preset time interval may take other values, as long as the skilled person can realize it.
Further, the right control method may further include step 330.
In step 330, after the login state information corresponding to the service request is obtained, if the interval between the current time and the time at which the login state information was last obtained is less than or equal to the preset time interval, only the first-layer cache structure is refreshed.
Specifically, the time at which the login state information corresponding to the service request is currently obtained and the time at which it is next obtained are recorded; if the interval between the two is less than or equal to the preset time interval, the current service requests are considered frequent, so only the first-layer cache structure is refreshed and the second-layer cache structure is not, which effectively reduces the workload on the second-layer cache structure.
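The two-layer cache and the refresh policy of steps 310 to 330 can be modelled as follows. This is an added illustration, not the patent's own code: a plain dict stands in for the Redis hashmaps, the persisted user-role and role-interface data are constructed samples, the separator between clientId and userId in the first-layer key is an assumption (the page gives the key shape but not the exact separator), and refreshing the second layer the first time a login state is seen is likewise an assumption the text does not spell out.

```python
"""Two-layer permission cache with the refresh policy of steps 310 to 330.

Added illustration, not the patent's code. A plain dict stands in for the
Redis hashmaps, and the persisted relations below are constructed samples.
"""
import time

PRESET_INTERVAL = 30.0  # seconds; the example value named in the text

# Constructed sample of the persisted permission data (the "database").
DB_USER_ROLES = {
    ("ops", "u1001"): {"r-admin", "r-audit"},
    ("app", "u1001"): {"r-customer"},  # same user, other channel: a different login state
}
DB_ROLE_RESOURCES = {
    "r-admin": {"res-a1", "res-a2"},
    "r-audit": {"res-a3"},
    "r-customer": {"res-a4"},
}


def user_role_key(client_id, user_id):
    """First-layer key: global:authUserRole:<clientId>:<userId> (separator assumed)."""
    return f"global:authUserRole:{client_id}:{user_id}"


def role_resource_key(role_id):
    """Second-layer key: global:authRoleResource:<roleID>."""
    return f"global:authRoleResource:{role_id}"


class PermissionCache:
    def __init__(self, interval=PRESET_INTERVAL):
        self.store = {}        # stand-in for the two Redis hashmap layers
        self.last_seen = {}    # login state -> time it was last acquired
        self.interval = interval

    def refresh_first_layer(self, client_id, user_id):
        """Step 310: reload login state -> roles from the persisted data."""
        roles = set(DB_USER_ROLES.get((client_id, user_id), ()))
        self.store[user_role_key(client_id, user_id)] = roles
        return roles

    def refresh_second_layer(self, roles):
        """Step 320: reload role -> interfaces for each role of the login state."""
        for role in roles:
            self.store[role_resource_key(role)] = set(DB_ROLE_RESOURCES.get(role, ()))

    def on_login_state(self, client_id, user_id, now=None):
        """Called whenever login state information is obtained for a request.

        Returns which layers were refreshed. The interval is measured from the
        previous acquisition of the same login state, as the text describes, so
        a steady stream of logins closer together than the interval keeps the
        second layer unrefreshed. Refreshing on first sight is an assumption.
        """
        now = time.monotonic() if now is None else now
        state = (client_id, user_id)
        roles = self.refresh_first_layer(client_id, user_id)  # always
        previous = self.last_seen.get(state)
        self.last_seen[state] = now
        if previous is None or now - previous > self.interval:
            self.refresh_second_layer(roles)
            return {"first": True, "second": True}
        return {"first": True, "second": False}  # step 330: frequent requests


if __name__ == "__main__":
    cache = PermissionCache()
    print(cache.on_login_state("ops", "u1001", now=100.0))  # both layers
    print(cache.on_login_state("ops", "u1001", now=110.0))  # first layer only
    print(cache.on_login_state("ops", "u1001", now=150.0))  # both layers again
```

Passing `now` explicitly makes the timing decision testable without sleeping; a production implementation would take the clock from the request handling path.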
In one embodiment, the manner of obtaining the corresponding relationship between the configured login state information and the service request object includes steps 110 and 120.
Step 110, calling a refresh resource table interface in a user service (user) to obtain all application program interfaces in the system.
Specifically, all application program interfaces in the system are obtained by calling a refresh resource table interface in the user service; this interface is in essence realized by calling an 'obtain api list' interface in the basic data service (bds). That interface first depends on service discovery: all services of the system are traversed when it is called, and the interfaces found can be persisted in a resource table.
And step 120, acquiring service names and interface paths of the application program interfaces to obtain a preset interface identification list.
The service name and interface path of each application program interface are information of the interface itself, so a preset interface identification list obtained from them depends only on the information of the interface and has uniqueness and tamper resistance; this adds a layer of protection to permission control and improves security.
In one embodiment, step 120 includes steps 122 through 126.
And step 122, respectively calculating the message digests of the character strings consisting of the service names and the interface paths where the application program interfaces are located.
Specifically, the string of the service name where the application program interface is located and the string of the interface path are spliced together and hashed, giving the message digest of the string composed of the service name and the interface path for each application program interface, which can improve the security of data transmission.
And step 124, respectively carrying out hexadecimal coding on each message digest to obtain the interface identifier of each application service interface.
The hexadecimal coding of each message digest may be implemented by computing MD5 (Message Digest Algorithm MD5, the fifth version of the Message Digest Algorithm) and encoding the result in hexadecimal, giving the interface identifier of each application service interface. MD5 outputs 128 bits, which occupy only 32 characters once converted to hexadecimal, so the interface identifier has a limited, fixed-length string representation while retaining its uniqueness.
And step 126, obtaining a preset interface identification list according to the interface identification of each application service interface.
After the interface identification of each application service interface is obtained, all the interface identifications are persisted into a preset interface identification list, and corresponding data can be directly called from the preset interface identification list when needed, so that the application is convenient and fast to use.
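The resource id calculation of steps 122 to 126 (and of the naming rule discussed again in the detailed embodiment) carried through in code. This is an added illustration, not the patent's code: the discovered interface list is a constructed sample, and the separator between service name and path is an assumption, since the text only says the two strings are spliced and names no delimiter.

```python
"""Resource id calculation of steps 122 to 126: md5 over the spliced service
name and interface path, hex encoded, then persisted into an id list.

Added illustration, not the patent's code. DISCOVERED is constructed and
SEPARATOR is an assumption.
"""
import hashlib

# Assumption: plain splicing as the text says. A delimiter such as ":" would
# remove any ambiguity if a service name could itself contain "/".
SEPARATOR = ""


def resource_id(service_name, interface_path):
    """Steps 122/124: message digest of service name + path, hex encoded.

    md5 is 128 bits, so the hex form is always 32 characters: the id space is
    limited and fixed, as the naming rule requires. md5 is used because the
    text specifies it; it serves here as a fixed-length identifier.
    """
    feature = f"{service_name}{SEPARATOR}{interface_path}".encode("utf-8")
    return hashlib.md5(feature).hexdigest()


def build_resource_table(discovered):
    """Step 126: persist id -> (service, path).

    Recomputing from the same interface information yields the same id, and a
    collision between two different interfaces is rejected rather than silently
    overwriting an entry.
    """
    table = {}
    for service, path in discovered:
        rid = resource_id(service, path)
        if rid in table and table[rid] != (service, path):
            raise ValueError(f"resource id collision: {rid}")
        table[rid] = (service, path)
    return table


def preset_interface_id_list(discovered):
    """The preset interface identification list: sorted ids, duplicates folded."""
    return sorted(build_resource_table(discovered))


# Constructed sample of what service discovery might return.
DISCOVERED = [
    ("user", "/user/refreshResourceTable"),
    ("bds", "/bds/apiList"),
    ("user", "/user/login"),
    ("user", "/user/login"),  # the same interface discovered twice
]

if __name__ == "__main__":
    for rid, (svc, path) in sorted(build_resource_table(DISCOVERED).items()):
        print(rid, svc, path)
```

Because the id is derived only from the service name and path, the gateway can recompute it from an incoming request and compare it against the persisted list without consulting the discovering service.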
In one embodiment, as shown in fig. 3, the method for controlling authority further includes step 130 and step 140.
And step 130, receiving a configuration relationship setting instruction sent by an operator.
The configuration relation setting instruction comprises the corresponding relation between the login state information and the role and the corresponding relation between the role and the menu. Specifically, the gateway can also receive a configuration relationship setting instruction sent by an operator, the configuration relationship setting instruction includes a corresponding relationship between login state information and a role and a corresponding relationship between the role and a menu, the operator can maintain the corresponding relationship between the login state information and the role and the corresponding relationship between the role and the menu, and configurability of the system is enhanced.
And step 140, updating the corresponding relation of the login state information, the role, the menu and the interface according to the configuration relation setting instruction.
After receiving the configuration relation setting instruction, the correspondence of login state information, role, menu and interface is updated according to the login state-role and role-menu correspondences contained in it. In addition, a preprocessing relation instruction sent by a developer can be received; it contains the correspondence between menu and interface, and the correspondence of login state information, role, menu and interface is updated according to it as well. In this way the requirements of users in different channels on the permission system can be met and the expansibility of the system is enhanced.
In one embodiment, when the channel identifier in the login state information is an end-user channel, the menu matched with the login state information is a virtual menu identifier. The end-user channel may be an APP, a personal computer, etc. Since an end-user channel usually does not involve a menu component, a virtual menu identifier is defined, for example virtual menu identifiers 1, 2, 3 for different end-user channels, which is convenient for distinguishing them. The menu matched with the login state information is then that virtual menu identifier, so that the end-user channel fits the whole permission system and the working performance of the system is improved.
For example, in one embodiment, when a user needs to access a web page, different users (individual users, enterprise users, etc.) may send service requests through different request channels; the service request may be a login request. The gateway connected to the request channel device performs a permission judgment on the received service request and its related information. When the permission verification passes, permission is opened for the corresponding request channel, the current channel is allowed to log in, and the content of the service request object is read; for example, when the service request object includes interface information, the request is issued to the downstream service module, which is then allowed to access the corresponding interface and the web page content behind it. When the permission verification fails, the service request is refused and the current channel cannot log in, which improves system security.
For a better understanding of the above embodiments, a detailed description is given below in conjunction with a specific embodiment. In one embodiment, the permission control method may be implemented on the permission system of fig. 1. The whole permission system is introduced and analyzed in terms of 'interface discovery', 'login state-interface association establishment' and 'request permission verification': 'login state-interface association establishment' is the core of the permission system, 'interface discovery' is its basis, and 'request permission verification' is its result.
The request channels comprise three layers: the management system (ops) facing operators, the business system (fic) facing the various organizations, and the guest system facing C-end users. ops acts as the operator and is responsible for overall permission control, management of menus and roles, and the create, delete, update and query operations of the business processing mechanism. The client side is divided by channel source into the app (mobile phone) end, the pc (web page) end and the third-party access end; besides the basic general functions, each has its own local characteristic requirements from the projects. Under this framework, a clear permission design is especially important for maintaining the security of data and business. For a request carrying a user login state, the method needs to detect whether the holder of the login state has the call permission for a given interface. The smallest element in the permission system is the login state, which is a tuple of the form (clientId, userId). This means that the same user, when logging in through different channels (fic/ops/app/pc, etc.), can call different interface sets.
The preprocessing of the permission system is mainly maintained by developers and comprises two parts, interface discovery and login state-interface association establishment. As shown in step a of fig. 1, all the apis in the system are acquired by calling a refresh resource table interface in the user service (user), which in turn calls an 'acquire api list' interface in the basic data service (bds); that interface first depends on service discovery, all services in the system are traversed when it is called, and the interfaces found are persisted in a resource table. In order to keep the resource id unique, the naming rule should at least satisfy the following conditions:
(1) The id is calculated only from the information of the interface itself and does not depend on information outside the interface. Specifically, the service name where the interface is located plus the interface path is taken, and its md5 is converted to hexadecimal coding.
(2) The interface information applied to calculating the unique id can be completely recovered through a network request.
(3) The id space must be limited, preferably fixed.
For the above points, the key elements in the resource table are spliced into a feature string and a hash operation is performed to obtain the hash value, that is, md5 converted to hexadecimal coding; the resulting value is the resource id. md5 outputs 128 bits, which take only 32 characters after conversion to hexadecimal, which is conducive to keeping the resource id unique.
The most direct way to establish the login state-interface association is to maintain a user-interface table; however, most users have multiple roles, so this generates a large amount of repeated data and is not conducive to adding and deleting roles. Establishing a one-to-many relationship instead improves maintainability and reduces repetitive work. The current association is therefore based on four-level linkage control of 'user-role-menu-interface': one user has a plurality of roles, each role has a plurality of menus, each menu contains a plurality of interface permissions, and the relationship between roles and menus is generally many-to-many:
(Figure BDA0003364577150000131, the user-role-menu-interface relationship diagram, is not reproduced in the text.)
The user here specifically refers to a login state, that is, the tuple (clientId, userId); the system thereby has good expandability and can be adapted to multi-level channel users. The operator can maintain the relationships between user and role and between role and menu by himself through the ops page, while the developer performs preprocessing to maintain the relationship between menu and interface (as shown in step b, the dotted-line box in fig. 1). Since the C-end channel does not involve a menu component, a virtual menu ID is defined to fit the whole permission hierarchy.
Request permission verification means that when a request reaches the gateway, its legality must be verified against the previously established login state-interface association. Interface permission verification is performed while the login request is received. The legality check is to check whether the logged-in user has the call permission for a given interface, that is, the roles and the interface list owned by the user are obtained from redis and compared with the request. Specifically, first, when a channel user sends a service request, it reaches the gateway after passing through a reverse proxy; second, the gateway obtains from redis, via the login state information, the roles and the interface list owned by the user, and judges the permission in order to decide whether to reject the request or to pass it on to the downstream service module.
Because the request pressure on the gateway is large, database operations are generally not performed directly; instead the permission data is stored in redis in a double-layer hashmap structure. The first-layer cache is the user-role association: the key is global:authUserRole:<clientId>:<userId> and the value is the role ids held by the login state. The second-layer cache is the role-interface association, with part of the association implicit in the key layout: the key is global:authRoleResource:<roleID>, where the spliced component roleID can be traversed from the values of the first layer, and the value is all interface resources held by the role. The permission data is refreshed after the user logs in; to avoid excessive redis pressure from frequent logins, the second layer of the permission cache is refreshed only when the login interval exceeds 30 seconds, while the first layer is refreshed on every login.
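The gateway-side verification described above (and in the web page example earlier in this description), traced from a login state through both cache layers to a yes/no decision, as an added illustration that is not the patent's code. The operator- and developer-maintained relation tables are constructed samples, dicts stand in for the Redis hashmaps, the virtual menu id given to the app channel and the separator in the first-layer key are assumptions, and the example goes slightly beyond the text in that it also shows the role-menu-interface relations being flattened into the second layer.

```python
"""Request permission verification at the gateway: login state -> roles
(first layer) -> interfaces (second layer) -> compare with the resource id of
the requested interface.

Added illustration, not the patent's code. Relation tables are constructed;
the virtual menu name and the key separator are assumptions.
"""
import hashlib

# Operator-maintained relations (ops page): user (login state)-role, role-menu.
USER_ROLE = {
    ("ops", "op01"): {"role-ops-admin"},
    ("fic", "org77"): {"role-fic-clerk"},
    ("app", "u1001"): {"role-c-user"},
}
ROLE_MENU = {
    "role-ops-admin": {"menu-role-mgmt", "menu-user-mgmt"},
    "role-fic-clerk": {"menu-user-mgmt"},
    "role-c-user": {"vmenu-app"},  # C-end channel: a virtual menu id (assumed name)
}
# Developer-maintained relation (preprocessing step b): menu-interface.
MENU_INTERFACE = {
    "menu-role-mgmt": {("user", "/user/role/update")},
    "menu-user-mgmt": {("user", "/user/list")},
    "vmenu-app": {("user", "/user/profile")},
}


def resource_id(service_name, interface_path):
    """Resource id as the text defines it: md5 of service name + path, hex encoded."""
    return hashlib.md5(f"{service_name}{interface_path}".encode("utf-8")).hexdigest()


def build_cache():
    """Flatten role -> menu -> interface into the two hashmap layers."""
    store = {}
    for (client_id, user_id), roles in USER_ROLE.items():
        store[f"global:authUserRole:{client_id}:{user_id}"] = set(roles)
    for role, menus in ROLE_MENU.items():
        resources = set()
        for menu in menus:
            resources |= {resource_id(s, p) for s, p in MENU_INTERFACE.get(menu, ())}
        store[f"global:authRoleResource:{role}"] = resources
    return store


def check_request(store, client_id, user_id, service_name, interface_path):
    """Gateway decision: True means forward to the downstream service module,
    False means reject. A login state with no first-layer entry is rejected,
    and a role with no second-layer entry contributes no interfaces, so the
    default is to deny."""
    roles = store.get(f"global:authUserRole:{client_id}:{user_id}")
    if not roles:
        return False
    wanted = resource_id(service_name, interface_path)
    return any(wanted in store.get(f"global:authRoleResource:{r}", ()) for r in roles)


if __name__ == "__main__":
    cache = build_cache()
    print(check_request(cache, "ops", "op01", "user", "/user/role/update"))  # True
    print(check_request(cache, "fic", "org77", "user", "/user/role/update"))  # False
    print(check_request(cache, "pc", "u1001", "user", "/user/profile"))  # False: other channel
```

The last call shows the point of the (clientId, userId) tuple: the same user id arriving through the pc channel is a different login state with its own first-layer entry, so the permissions granted through the app channel do not carry over.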
The scheme realizes four-level linkage permission management of 'user (login state)-role-menu-interface', adding the concept of the menu on top of role-based access control, so that permission control of the multi-channel system is more precise. At the same time, the concept of the login state is introduced: with one system and one database, permission control for users from different channels is realized without repeated deployment, and user operation and data are isolated. To enhance the configurability and expansibility of the system, a state switch and a channel list are added to the configuration items of the gateway for user permission verification, so as to meet the requirements of different channel users on the permission system. The method provides an interface for developers to preprocess the permission system and lets operators maintain the user-role and role-menu relationships, which can be modified without changing code, which is convenient and fast. The calculation of the resource id depends only on the information of the interface itself, so the id is unique and tamper resistant, adding a layer of protection to permission control and improving security. The double-layer Redis cache structure keeps the logic clear and optimizes query performance.
It should be understood that, although the steps in the flowcharts related to the embodiments are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described, and may be performed in other orders. Moreover, at least part of the steps in the flowcharts related to the above embodiments may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order in which they are performed is not necessarily sequential; they may be performed alternately with other steps or with at least part of the sub-steps or stages of other steps.
Based on the same inventive concept, an embodiment of the present application further provides a permission control device for implementing the above permission control method. The device solves the problem in a manner similar to that recorded for the method, so for the specific limitations of the one or more embodiments of the permission control device given below, reference may be made to the limitations of the permission control method above; they are not described again here.
In one embodiment, as shown in fig. 4, there is provided an authority control apparatus including: the device comprises a request receiving module, a corresponding relation determining module and a permission processing module, wherein:
the request receiving module is used for receiving the service request and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
the corresponding relation determining module is used for determining whether the corresponding relation between the login state information and the service request object exists in the configured corresponding relation between the login state information and the service request object, and the service request object comprises an interface;
and the authority processing module is used for determining that the login state information has the authority to use the service request object when the corresponding relation determining module determines that the corresponding relation exists, and issuing the login state information to the downstream service module.
In one embodiment, the permission control device further includes an updating module, where the updating module is configured to refresh the first-layer cache structure after obtaining the login state information corresponding to the service request; and after the login state information corresponding to the service request is obtained, if the current time and the time interval of obtaining the login state information last time are greater than the preset time interval, refreshing the second-layer cache structure.
In one embodiment, the permission control device further comprises a configuration module, wherein the configuration module is used for receiving a configuration relationship setting instruction sent by an operator, and the configuration relationship setting instruction comprises a corresponding relationship between login state information and a role and a corresponding relationship between the role and a menu; and updating the corresponding relation of the login state information, the role, the menu and the interface according to the configuration relation setting instruction.
The modules in the above-mentioned right control device can be implemented wholly or partially by software, hardware and their combination. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing the configured corresponding relation data of the login state information and the service request object, and the like. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of entitlement control.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the above-described method embodiments when executing the computer program.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
The method, the device, the computer equipment, the storage medium and the computer program product for controlling the authority firstly receive a service request, acquire login state information and a service request object corresponding to the service request, wherein the login state information comprises a user identifier and a channel identifier, then determine whether the corresponding relation between the login state information and the service request object exists in the corresponding relation between the configured login state information and the service request object, the service request object comprises an interface, if so, determine that the login state information has the authority of using the service request object, and issue the login state information to a downstream service module. By introducing the user identification and the channel identification into the login state information and then performing service request object matching and authority authentication on the login state information, the authority control of users from different channel sources can be realized without repeatedly deploying one set of system and the same database, the code modification is not needed, the maintenance cost is low, the user operation and the data isolation can be realized, the system safety is favorably improved, and the use is reliable.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (19)

1. A method of rights control, the method comprising:
receiving a service request, and acquiring login state information and a service request object corresponding to the service request; the login state information comprises a user identifier and a channel identifier;
determining whether the corresponding relation between the login state information and a service request object exists in the corresponding relation between the configured login state information and the service request object, wherein the service request object comprises an interface;
if so, the login state information is determined to have the authority of using the service request object, and the service request corresponding to the login state information is sent to a downstream service module.
2. The method according to claim 1, wherein the service request object further includes roles and menus, and the correspondence is a correspondence between login state information, roles, menus, and interfaces, and in the correspondence, one login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface.
3. The method according to claim 2, wherein the correspondence is stored in a two-layer cache structure, wherein a first-layer cache structure stores the correspondence between the login state information and the role, and a second-layer cache structure stores the correspondence between the role and the interface.
4. The entitlement control method of claim 3, characterized in that the method further comprises:
after obtaining the login state information corresponding to the service request, refreshing the first-layer cache structure;
and after the login state information corresponding to the service request is obtained, if the interval between the current time and the last time of obtaining the login state information is greater than the preset interval, refreshing the second-layer cache structure.
5. The method according to claim 1, wherein the manner of obtaining the corresponding relationship between the configured login state information and the service request object includes:
calling a refreshed resource table interface in user service to acquire all application program interfaces in the system;
and acquiring the service name and the interface path of each application program interface to obtain a preset interface identification list.
6. The method of claim 5, wherein the obtaining the service name and the interface path of each application program interface to obtain a preset interface identifier list comprises:
respectively calculating the message abstract of the character string consisting of the service name and the interface path where each application program interface is located;
respectively carrying out hexadecimal coding on each message abstract to obtain an interface identifier of each application service interface;
and obtaining a preset interface identification list according to the interface identification of each application service interface.
7. The authority control method according to claim 1, further comprising:
receiving a configuration relationship setting instruction sent by an operator, the instruction comprising a correspondence between login state information and a role and a correspondence between the role and a menu; and
updating the correspondence among login state information, roles, menus and interfaces according to the configuration relationship setting instruction.
8. The method according to claim 1, wherein, when the channel identifier in the login state information denotes an end-user channel, the menu matched to the login state information is a virtual menu identifier.
9. An authority control device, comprising:
a request receiving module configured to receive a service request and obtain the login state information and the service request object corresponding to the service request, the login state information comprising a user identifier and a channel identifier;
a correspondence determining module configured to determine whether a correspondence between the login state information and the service request object exists in the configured correspondences between login state information and service request objects, the service request object comprising an interface; and
an authority processing module configured to, when the correspondence determining module determines that the correspondence exists, determine that the login state information is authorized to use the service request object and issue the login state information to a downstream service module.
10. The device according to claim 9, wherein the service request object further comprises roles and menus, the correspondence is a correspondence among login state information, roles, menus and interfaces, and in that correspondence one item of login state information corresponds to at least one role, one role corresponds to at least one menu, and one menu corresponds to at least one interface.
11. The device according to claim 10, wherein the correspondence is stored in a two-layer cache structure, a first-layer cache structure storing the correspondence between login state information and roles and a second-layer cache structure storing the correspondence between roles and interfaces.
12. The device according to claim 11, further comprising an updating module configured to refresh the first-layer cache structure after the login state information corresponding to the service request is obtained, and to refresh the second-layer cache structure after that login state information is obtained if the interval between the current time and the time at which the login state information was last obtained exceeds the preset interval.
13. The device according to claim 9, further comprising a configured correspondence obtaining module configured to call the resource-table refresh interface of the user service to obtain all application program interfaces in the system, and to obtain the service name and interface path of each application program interface to produce a preset interface identifier list.
14. The device according to claim 13, wherein the configured correspondence obtaining module is further configured to compute, for each application program interface, a message digest of the character string formed from the service name and the interface path of that interface; to hexadecimal-encode each message digest to obtain the interface identifier of each application service interface; and to assemble the preset interface identifier list from those interface identifiers.
15. The authority control device according to claim 9, further comprising a configuration module configured to receive a configuration relationship setting instruction sent by an operator, the instruction comprising a correspondence between login state information and a role and a correspondence between the role and a menu, and to update the correspondence among login state information, roles, menus and interfaces according to the instruction.
16. The device according to claim 9, wherein, when the channel identifier in the login state information denotes an end-user channel, the menu matched to the login state information is a virtual menu identifier.
17. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 8.
18. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the method of any one of claims 1 to 8.
19. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 8.
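The following is an added example written for this page; it is not code from CN114218538A or from China Construction Bank. It models the flow of claims 4 to 16 in Python: interface identifiers derived as the hex-encoded digest of service name plus interface path (claims 5, 6, 13, 14), a two-layer cache whose first layer (login state to roles) is refreshed on every request and whose second layer (role to interfaces) is refreshed only after a preset interval (claims 4, 11, 12), the operator configuration update (claims 7, 15) and the virtual menu for the end-user channel (claims 8, 16). Everything not stated in the claims is an assumption made here: SHA-256 as the digest, a newline separator between service name and path (the claims specify none), the constant values, keying the second cache layer by (role, channel) so that the virtual-menu rule can be applied per channel, and all sample users, roles, menus and interfaces, which are constructed for the illustration.

```python
import hashlib
import time
from dataclasses import dataclass

# Assumed constants; the claims name none of these values.
END_USER_CHANNEL = "end_user"    # channel identifier for end users (claim 8)
VIRTUAL_MENU = "virtual_menu"    # the virtual menu identifier (claim 8)
SECOND_LAYER_INTERVAL = 60.0     # preset refresh interval in seconds (claim 4)


def interface_id(service_name: str, interface_path: str) -> str:
    """Claim 6: hex-encoded message digest of service name + interface path.
    SHA-256 is assumed; a separator is inserted so that different
    (service, path) pairs cannot form the same string."""
    return hashlib.sha256(f"{service_name}\n{interface_path}".encode("utf-8")).hexdigest()


def build_interface_id_list(resource_table):
    """Claim 5: the refreshed resource table is modelled as a list of
    (service_name, interface_path) pairs; returns {interface_id: (service, path)}."""
    return {interface_id(s, p): (s, p) for s, p in resource_table}


@dataclass(frozen=True)
class LoginState:
    """Claim 9: login state = user identifier + channel identifier."""
    user_id: str
    channel_id: str


class AuthorityController:
    def __init__(self, user_roles, role_menus, menu_interfaces):
        # Configured correspondence (claims 7, 10): user -> roles, role -> menus, menu -> interface ids.
        self.user_roles = user_roles
        self.role_menus = role_menus
        self.menu_interfaces = menu_interfaces
        # Two-layer cache (claim 11). Layer 2 is keyed by (role, channel) here, an
        # assumption that lets the virtual-menu rule of claim 8 apply per channel.
        self.layer1 = {}       # LoginState -> set of roles
        self.layer2 = {}       # (role, channel_id) -> set of interface ids
        self.last_fetch = {}   # LoginState -> time the login state was last obtained

    def apply_config(self, user_roles=None, role_menus=None):
        """Claim 7: operator instruction updating login-state->role and role->menu;
        the caches are dropped so the next request rebuilds them."""
        if user_roles:
            self.user_roles.update(user_roles)
        if role_menus:
            self.role_menus.update(role_menus)
        self.layer2.clear()
        self.last_fetch.clear()

    def _menus(self, role, channel_id):
        # Claim 8: on the end-user channel the matching menu is the virtual menu.
        if channel_id == END_USER_CHANNEL:
            return [VIRTUAL_MENU]
        return self.role_menus.get(role, [])

    def _refresh_layer2(self, roles, channel_id):
        for role in roles:
            ids = set()
            for menu in self._menus(role, channel_id):
                ids.update(self.menu_interfaces.get(menu, ()))
            self.layer2[(role, channel_id)] = ids

    def authorize(self, state, service_name, interface_path, now=None):
        """Claims 9-12: return the login state to issue downstream when a
        correspondence exists for the requested interface, otherwise None."""
        now = time.monotonic() if now is None else now
        # Claims 4/12: layer 1 is refreshed on every request ...
        roles = set(self.user_roles.get(state.user_id, ()))
        self.layer1[state] = roles
        # ... layer 2 only once the preset interval has elapsed (or it was never built).
        last = self.last_fetch.get(state)
        stale = last is None or now - last > SECOND_LAYER_INTERVAL
        if stale or any((r, state.channel_id) not in self.layer2 for r in roles):
            self._refresh_layer2(roles, state.channel_id)
        self.last_fetch[state] = now
        target = interface_id(service_name, interface_path)
        for role in roles:
            if target in self.layer2.get((role, state.channel_id), ()):
                return state
        return None


# Constructed sample data, not taken from the patent.
RESOURCE_TABLE = [
    ("account-service", "/api/v1/accounts/balance"),
    ("account-service", "/api/v1/accounts/transfer"),
    ("ops-service", "/api/v1/ops/users"),
]
INTERFACE_IDS = build_interface_id_list(RESOURCE_TABLE)
BALANCE = interface_id("account-service", "/api/v1/accounts/balance")
TRANSFER = interface_id("account-service", "/api/v1/accounts/transfer")


def demo_controller():
    return AuthorityController(
        user_roles={"alice": ["teller"], "bob": ["customer"]},
        role_menus={"teller": ["account_menu"], "customer": []},
        menu_interfaces={"account_menu": {BALANCE, TRANSFER}, VIRTUAL_MENU: {BALANCE}},
    )


if __name__ == "__main__":
    ctl = demo_controller()
    teller = LoginState("alice", "operator")
    print(ctl.authorize(teller, "account-service", "/api/v1/accounts/transfer", now=0.0))
    ctl.menu_interfaces["account_menu"].discard(TRANSFER)   # revoke at the source
    print(ctl.authorize(teller, "account-service", "/api/v1/accounts/transfer", now=30.0))   # still allowed
    print(ctl.authorize(teller, "account-service", "/api/v1/accounts/transfer", now=100.0))  # denied
```

The `__main__` block shows the caveat a practitioner should take from claim 4: because the role-to-interface layer is refreshed only after the preset interval, an interface revoked at the source stays reachable through the cache until that interval expires, unless the operator path (`apply_config`, claim 7) is used to drop the cache. The separator inside `interface_id` is likewise worth keeping in a real deployment: the claim's plain concatenation of service name and path lets two different (service, path) pairs produce the same identifier.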
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111400294.3A CN114218538A (en) 2021-11-19 2021-11-19 Authority control method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111400294.3A CN114218538A (en) 2021-11-19 2021-11-19 Authority control method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114218538A true CN114218538A (en) 2022-03-22

Family

ID=80698067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111400294.3A Pending CN114218538A (en) 2021-11-19 2021-11-19 Authority control method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114218538A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115021995A (en) * 2022-05-26 2022-09-06 中国平安财产保险股份有限公司 Multi-channel login method, device, equipment and storage medium
CN115021995B (en) * 2022-05-26 2023-08-15 中国平安财产保险股份有限公司 Multi-channel login method, device, equipment and storage medium
CN115102784A (en) * 2022-07-21 2022-09-23 武汉联影医疗科技有限公司 Authority information management method, device, computer equipment, storage medium and product
CN115102784B (en) * 2022-07-21 2023-06-23 武汉联影医疗科技有限公司 Rights information management method, device, computer equipment and storage medium
CN115495783A (en) * 2022-09-20 2022-12-20 北京三维天地科技股份有限公司 Configured data service exposure solution method and system

Similar Documents

Publication Publication Date Title
CN111488598B (en) Access control method, device, computer equipment and storage medium
CN114218538A (en) Authority control method and device, computer equipment and storage medium
CN110414268B (en) Access control method, device, equipment and storage medium
US8239954B2 (en) Access control based on program properties
US10878218B2 (en) Device fingerprinting, tracking, and management
US8701182B2 (en) Method and apparatus for process enforced configuration management
US9445271B2 (en) Multi-user use of single-user apps
US10574693B2 (en) Password breach registry
US20170163418A1 (en) Resilient secret sharing cloud based architecture for data vault
CN108289098B (en) Authority management method and device of distributed file system, server and medium
US20170346797A1 (en) Detecting compromised credentials
US9509672B1 (en) Providing seamless and automatic access to shared accounts
CN110569658A (en) User information processing method and device based on block chain network, electronic equipment and storage medium
WO2022095518A1 (en) Automatic interface test method and apparatus, and computer device and storage medium
WO2020000716A1 (en) Big data analysis system, server, data processing method, program and storage medium
CN112837194A (en) Intelligent system
CN115134087A (en) Client security data deduplication method for decentralized cloud storage
US11132465B1 (en) Real-time feature level software security
CN106933605B (en) Intelligent process identification control method and system
CN111339193A (en) Category coding method and device
US20220385596A1 (en) Protecting integration between resources of different services using service-generated dependency tags
CN110502888A (en) A kind of mobile office method of the mobile software white list mechanism based on credible measurement
CN112685451B (en) Data query processing method, device, computer equipment and storage medium
CN116438778A (en) Persistent source value of assumed alternate identity
Salecha Security and Secrets Management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination