CN115189967A - Access control method, device, electronic equipment and machine-readable storage medium - Google Patents


Info

Publication number
CN115189967A
Authority
CN
China
Prior art keywords
authentication
access request
authentication factor
web server
url
Prior art date
Legal status
Pending
Application number
CN202211089088.XA
Other languages
Chinese (zh)
Inventor
王滨
陈思
王国云
夏鹏泽
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202211089088.XA
Publication of CN115189967A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Abstract

The application provides an access control method, an access control device, electronic equipment and a machine-readable storage medium. The method comprises the following steps: when an access request for a target URL is detected, generating an authentication factor from a specified authentication parameter using a cryptographic technique; carrying the authentication factor in the access request and sending the access request to a WEB server, so that the WEB server verifies the authentication factor and responds to the access request if the verification passes. The method can improve the security of WEB service access.

Description

Access control method, device, electronic equipment and machine-readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access control method and apparatus, an electronic device, and a machine-readable storage medium.
Background
At present, to improve the security of WEB service access, access control over WEB services is usually performed according to the visitor's role: for example, different roles such as administrator, ordinary registered user and unregistered user are defined, and the WEB content that each role may access differs.
Disclosure of Invention
In view of the above, the present application provides an access control method, an access control apparatus, an electronic device, and a machine-readable storage medium.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the embodiments of the present application, an access control method is provided, which is applied to a designated terminal device, where the designated terminal device is a terminal device preset with access permission for a target uniform resource locator (URL), and the target URL is a URL that may only be accessed after authorization. The method includes:
when an access request for the target URL is detected, generating an authentication factor from a specified authentication parameter using a cryptographic technique;
carrying the authentication factor in the access request, and sending the access request carrying the authentication factor to a WEB server, so that the WEB server verifies the authentication factor and responds to the access request if the verification passes.
According to a second aspect of the embodiments of the present application, there is provided an apparatus deployed in a designated terminal device, where the designated terminal device is a terminal device preset with access permission for a target URL, and the target URL is a URL that may only be accessed after authorization. The apparatus comprises a monitoring unit, a generating unit and a sending unit, wherein:
the generating unit is used for generating an authentication factor from a specified authentication parameter using a cryptographic technique when the monitoring unit detects an access request for the target URL;
the sending unit is configured to carry the authentication factor in the access request and send the access request carrying the authentication factor to a WEB server, so that the WEB server verifies the authentication factor and responds to the access request if the verification passes.
According to a third aspect of the embodiments herein, there is provided an electronic device comprising a processor and a memory, the memory storing machine-executable instructions executable by the processor, the processor being configured to execute the machine-executable instructions to implement the method provided by the first aspect.
According to a fourth aspect of the embodiments herein, there is provided a machine-readable storage medium having stored therein machine-executable instructions that, when executed by a processor, implement the method provided by the first aspect.
The technical scheme provided by the application can bring at least the following beneficial effects:
a URL that may only be accessed after authorization (the target URL) and a terminal device with access permission for the target URL (the designated terminal device) are defined. When the designated terminal device detects an access request for the target URL, it generates an authentication factor from a designated authentication parameter using a cryptographic technique and sends the authentication factor, carried in the access request, to a WEB server; the WEB server responds to the access request if the authentication factor passes verification. WEB service access control scoped to the designated terminal device is thereby realized, and the security of WEB service access is improved.
Drawings
Fig. 1 is a schematic flow chart illustrating an access control method according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart illustrating an access control method according to an exemplary embodiment of the present application;
Fig. 3 is a block diagram of an access control device according to an exemplary embodiment of the present application;
Fig. 4 is a schematic diagram of the hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flowchart of an access control method provided in an embodiment of the present application is shown. The access control method may be applied to a specified terminal device, i.e. a terminal device preset with access permission for a target URL (uniform resource locator), where the target URL is a URL that may only be accessed after authorization. As shown in Fig. 1, the access control method may include the following steps.
It should be noted that the step numbers in the embodiments of the present application do not imply an execution order; the execution order of each process is determined by its function and inherent logic, and the numbering does not limit the implementation of the embodiments of the present application.
Step S100: when an access request for the target URL is detected, generate an authentication factor from a specified authentication parameter using a cryptographic technique.
In the embodiment of the present application, in order to improve security of WEB service access, access control for a terminal device may be performed on a WEB service, that is, for a URL (referred to as a target URL herein) that needs to be accessed after authorization, access needs to be performed through a terminal device having an access right (i.e., the above-mentioned specified terminal device).
For example, the specified terminal device may monitor the URL access request, and in the case of monitoring the access request for the target URL, may generate the authentication factor by using a cryptographic technique according to the specified authentication parameter.
The authentication factor is used for verifying the access authority of the terminal device requesting to access the target URL on the WEB server (namely, the server installed with the WEB service) side.
In one example, a target URL list may be configured on the designated terminal device side in advance, and the designated terminal device may monitor an access request for a target URL by matching the target URL in the target URL list.
Step S110: carry the authentication factor in the access request and send the access request carrying the authentication factor to the WEB server, so that the WEB server verifies the authentication factor and responds to the access request if the verification passes.
In the embodiment of the application, the specified terminal device may carry the generated authentication factor in the access request (the access request for the target URL) and send the access request carrying the authentication factor to the WEB server.
For example, the designated terminal device may carry the generated authentication factor in a request header of the access request.
For example, when receiving an access request for a target URL, the WEB server may obtain the authentication factor carried in the access request and verify it; if the verification passes, the WEB server determines that the device that initiated the access request has permission to access the target URL and may respond to the access request.
In one example, a target URL list may be configured on the WEB server side in advance, and the WEB server may recognise an access request for a target URL by matching the requested URL against the target URL list.
It should be noted that, in this embodiment of the application, if the WEB server does not obtain an authentication factor from an access request for a target URL (for example, because the access request was sent by an unspecified terminal device and carries no authentication factor), or if an authentication factor is obtained but fails verification, the WEB server may refuse to respond to the access request; for example, the WEB server may simply discard the access request.
In addition, when the WEB server receives an access request for a non-target URL (i.e. a URL that does not require authorization to be accessed), the WEB server need not perform authentication-factor-based authorization verification on the access request; the specific policy of the WEB server in that case is not limited in this application.
As can be seen, in the method flow shown in Fig. 1, a URL that may only be accessed after authorization (the target URL) and a terminal device with access permission for the target URL (the designated terminal device) are defined. When the designated terminal device detects an access request for the target URL, it generates an authentication factor from a designated authentication parameter using a cryptographic technique and sends the authentication factor, carried in the access request, to the WEB server; the WEB server responds to the access request if the authentication factor passes verification. WEB service access control scoped to the designated terminal device is thereby realized, and the security of WEB service access is improved.
In some embodiments, generating the authentication factor from the specified authentication parameter using a cryptographic technique may include:
digitally signing the specified authentication parameter to obtain the authentication factor;
and carrying the authentication factor in the access request may include:
carrying both the specified authentication parameter and the authentication factor in the access request.
Illustratively, the specified terminal device may generate the authentication factor using digital signature techniques.
For example, when the specified terminal device detects an access request for the target URL, it may digitally sign the specified authentication parameter and use the resulting signature value (which may be referred to as the first signature value) as the authentication factor.
For example, once the authentication factor is generated, the specified terminal device may send the specified authentication parameter and the first signature value to the WEB server by carrying both in the access request.
For example, the designated terminal device may hash the designated authentication parameter with a preset hash algorithm, encrypt the resulting hash value (which may be referred to as the first hash value) with the private key of its digital signature key pair to obtain the first signature value, and send the designated authentication parameter, the public key of the digital signature key pair, and the first signature value to the WEB server in the access request.
When the WEB server receives the access request, it may hash the specified authentication parameter with the same hash algorithm to obtain a corresponding hash value (which may be referred to as the second hash value), decrypt the first signature value with the public key of the digital signature key pair, and compare the decrypted value with the second hash value; if they match, the first signature value is determined to pass verification, otherwise the verification is determined to fail.
It should be noted that, to ensure the reliability of the received public key of the digital signature key pair, the WEB server may verify that public key against the public key of a trusted third-party Certificate Authority (CA); this is not described in detail in this embodiment of the present application. The digital signature key pair used by the specified terminal device is also issued by the third-party certification authority.
In one example, the specified authentication parameters may include, but are not limited to, one or more of a timestamp, a first random number, and terminal hardware information of the specified terminal device.
In the case that the specified authentication parameter includes the timestamp, digitally signing the specified authentication parameter to obtain the authentication factor may include:
sending an authentication request to the WEB server;
receiving a target timestamp sent by the WEB server;
and digitally signing the specified authentication parameter including the target timestamp to obtain the authentication factor.
Sending the access request carrying the authentication factor to the WEB server, so that the WEB server verifies the authentication factor and responds to the access request if the verification passes, may then include:
sending the access request carrying the specified authentication parameter and the authentication factor to the WEB server, so that the WEB server verifies both the target timestamp and the authentication factor, and responds to the access request if both the target timestamp and the authentication factor pass verification.
For example, to further improve the security of access to the target URL, the designated terminal device may, on detecting an access request for the target URL, additionally send an authentication request to the WEB server, so that the WEB server issues a timestamp (referred to herein as the target timestamp) to the device that initiated the authentication request.
For example, the timestamp may correspond to the system time of the WEB server at the moment it receives the authentication request.
On receiving the target timestamp sent by the WEB server, the designated terminal device may digitally sign the designated authentication parameter including the target timestamp and use the resulting signature value (i.e. the first signature value) as the authentication factor.
The specified terminal device can then send an access request carrying the specified authentication parameter (including the target timestamp) and the authentication factor to the WEB server.
On the one hand, the WEB server may verify the target timestamp, for example by comparing its current system time with the system time corresponding to the target timestamp: if the target timestamp is later than the current system time, or is earlier than the current system time by more than a preset threshold, the check fails; otherwise, the check passes.
On the other hand, the WEB server may verify the authentication factor.
Illustratively, the WEB server may respond to the access request if both the target timestamp check and the authentication factor verification pass.
Illustratively, the WEB server may refuse to respond to the access request if the target timestamp check fails and/or the authentication factor verification fails.
In some embodiments, the specified terminal device is provided with a URL monitoring management plug-in and an authorization client;
and generating the authentication factor from the specified authentication parameter using a cryptographic technique when an access request for the target URL is detected may include:
when the URL monitoring management plug-in detects an access request for the target URL, generating the authentication factor through the authorization client from the specified authentication parameter using a cryptographic technique.
For example, to reduce the modifications required on the terminal device and improve the applicability of the technical solution provided by the present application, a URL monitoring management plug-in and an authorization client may be installed on a terminal device determined to have access permission for the target URL (i.e. the specified terminal device), so that the specified terminal device may access the target URL in the manner described in the foregoing embodiment.
Illustratively, the specified terminal device may monitor its own URL access requests through the URL monitoring management plug-in to determine whether there is an access request for the target URL.
When the URL monitoring management plug-in detects an access request for a target URL, the designated terminal device may generate the authentication factor through the authorization client from the designated authentication parameter using a cryptographic technique; for the specific generation policy of the authentication factor, refer to the related description in the method embodiment above, which is not repeated here.
In one example, when the URL monitoring management plug-in detects an access request for the target URL, before the authorization client generates the authentication factor from the specified authentication parameter using a cryptographic technique, the method may further include:
sending an authentication request to the authorization client through the URL monitoring management plug-in;
generating a second random number through the authorization client, and sending the second random number to the URL monitoring management plug-in;
generating a third random number through the URL monitoring management plug-in, digitally signing the second random number and the third random number, and sending the signature value and the third random number to the authorization client;
and verifying the signature value through the authorization client and, if the verification passes, proceeding to generate the authentication factor from the specified authentication parameter using a cryptographic technique.
For example, to ensure the reliability of the URL monitoring management plug-in and further improve the security of access to the target URL, the terminal device may, when it detects an access request for the target URL through the URL monitoring management plug-in, send an authentication request from the URL monitoring management plug-in to the authorization client.
On receiving the authentication request, the authorization client may generate a random number (referred to herein as the second random number) and send the second random number to the URL monitoring management plug-in.
On receiving the second random number, the URL monitoring management plug-in may generate a random number (referred to herein as the third random number), digitally sign the second random number and the third random number to obtain a corresponding signature value (which may be referred to as the second signature value), and send the second signature value and the third random number to the authorization client.
On receiving the second signature value and the third random number, the authorization client may verify the second signature value.
For example, the URL monitoring management plug-in may hash the second random number and the third random number with a preset hash algorithm, encrypt the resulting hash value (which may be referred to as the third hash value) with the private key of its digital signature key pair to obtain the second signature value, and send the second signature value and the third random number to the authorization client.
On receiving the second signature value and the third random number, the authorization client may hash the second random number it recorded together with the received third random number using the same hash algorithm to obtain a corresponding hash value (which may be referred to as the fourth hash value), decrypt the second signature value with the public key of the digital signature key pair, and compare the decrypted value with the fourth hash value; if they match, the second signature value is determined to pass verification, otherwise it is determined to fail.
For example, if the authorization client verifies the second signature value, it may generate the authentication factor from the specified authentication parameter using a cryptographic technique.
For example, if the authorization client fails to verify the second signature value, generation of the authentication factor may be refused.
In one example, carrying the authentication factor in the access request and sending the access request carrying the authentication factor to the WEB server may include:
sending the authentication factor to the URL monitoring management plug-in through the authorization client;
and carrying the authentication factor in the access request through the URL monitoring management plug-in, and sending the access request carrying the authentication factor to the WEB server.
For example, when the specified terminal device generates the authentication factor through the authorization client in the manner described in the above embodiment, the authorization client may send the generated authentication factor to the URL monitoring management plug-in.
On receiving the authentication factor, the URL monitoring management plug-in may carry it in the access request and send the access request carrying the authentication factor to the WEB server.
In some embodiments, the WEB server is installed with an authentication service;
and carrying the authentication factor in the access request and sending the access request carrying the authentication factor to the WEB server may include:
carrying the authentication factor in the access request and sending the access request carrying the authentication factor to the authentication service, so that the authentication service verifies the authentication factor and forwards the access request to the WEB server if the verification passes.
Illustratively, by installing an authentication service on the WEB server side (that is, the authentication service provided in the embodiment of the present application may be installed in the WEB server alongside the WEB service), the permission check for target URL access can be performed by the authentication service, so that the existing WEB service need not be modified.
Accordingly, when the specified terminal device generates the authentication factor in the manner described in the above embodiment, it may send the authentication factor to the authentication service by carrying it in the access request.
On receiving the access request, the authentication service may obtain the authentication factor carried in it and verify the authentication factor.
If the authentication service verifies the authentication factor, it may forward the access request to the WEB server (i.e. to the WEB service installed in the WEB server), and the WEB service in the WEB server responds to the access request.
For example, if the authentication service fails to verify the authentication factor, it may refuse to forward the access request to the WEB service in the WEB server; e.g., the authentication service may discard the access request so that the WEB server does not respond to it.
To enable those skilled in the art to better understand the technical solutions provided in the embodiments of the present application, these solutions are described below with reference to a specific example.
In this embodiment, access control for the terminal device is introduced, so that some functions of the WEB service (such as the target URL) can be accessed only through an authorized terminal, while other terminals can access only the general functions of the WEB service (such as non-target URLs).
In this embodiment, the access control system may include a URL monitoring management plug-in, an authorization client (which may also be referred to as a terminal authorization client), and an authentication service. Wherein:
1. URL monitoring management plug-in
Deployed at the authorized terminal (i.e. the above-mentioned specified terminal device); identifies access requests for URLs that require authorization to access (i.e. the above-mentioned target URL) and adds the authentication factor to such access requests.
Illustratively, access requests for URLs that require authorization can be monitored, and the authentication factor added to them, through techniques such as traffic interception or browser interception and redirection.
2. Authorization client
Deployed at the authorized terminal (i.e. the specified terminal device); generates the authentication factor based on cryptographic techniques.
3. Authentication service
A URL authentication agent deployed in front of the WEB service (that is, an access request addressed to the WEB service is sent to the authentication service first, verified by the authentication service, and forwarded to the WEB service when the verification passes). It authenticates access requests for the target URL without modifying the original WEB service; if the authentication factor is missing or fails verification, the corresponding access request is discarded directly.
The following describes a specific workflow of access control.
1. The administrator of the authentication service logs in to the system, generates an authorization activation file for the trusted terminal, and uses that file to install the authorization client and the URL monitoring management plug-in.
2. When a user on an authorization terminal (i.e., the specified terminal device) accesses a URL that requires authorization (i.e., the target URL), the access is identified by the URL monitoring management plug-in, which actively initiates authentication with the authorization client:
2.1, the URL monitoring management plug-in initiates an authentication request;
2.2, the authorization client generates a second random number and returns it to the URL monitoring management plug-in;
2.3, the URL monitoring management plug-in generates a third random number, digitally signs the second and third random numbers, and sends the resulting signature value (i.e., the second signature value) together with the third random number to the authorization client;
2.4, the authorization client verifies the second signature value; if verification fails, it refuses to generate an authentication factor and the current process ends; otherwise the flow continues.
3. The authorization client generates an authentication factor:
3.1, the authorization client initiates an authentication request to the authentication service;
3.2, the authentication service returns a timestamp (i.e., the target timestamp) and a random number (i.e., the first random number) to the authorization client;
3.3, the authorization client obtains the terminal hardware information of the authorization terminal, digitally signs the target timestamp, the first random number and that hardware information, and uses the resulting signature value (i.e., the first signature value) as the authentication factor;
3.4, the authorization client sends the authentication factor to the URL monitoring management plug-in.
4. The URL monitoring management plug-in adds the authentication factor to a request header of the URL access request and sends the access request to the authentication service.
5. The authentication service strips the request header from the access request for the target URL and, having obtained the authentication factor, checks whether the target timestamp is valid and verifies the first signature value. If both the target timestamp and the first signature value pass verification, it forwards the access request to the WEB service; otherwise it refuses to forward the access request to the WEB service. The overall flow is shown schematically in fig. 2.
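The workflow in steps 2 to 5 above, modelled as a runnable example. This is added code, not code from the patent or its assignee. The patent specifies a digital signature; the model substitutes HMAC-SHA256 keyed per terminal so that it runs on the Python standard library alone, and it assumes that the per-terminal key is what the authorization activation file provisions. The header names, the hardware serial and the target URL are constructed for the demo. Two points of the verification are design choices of this model rather than statements of the patent: the first random number is single use (so a captured request cannot be replayed), and the timestamp is accepted only within a fixed window of the service's own clock.

```python
# Added example, not code from the patent or its assignee: a runnable model of the
# workflow (steps 2 to 5). The patent calls for a digital signature; this model
# substitutes HMAC-SHA256 keyed per terminal so it runs on the standard library alone.
import hashlib
import hmac
import secrets
import time

# Constructed header names; the patent only says the factor goes in a request header.
HEADER = {"ts": "X-Auth-Timestamp", "nonce": "X-Auth-Nonce",
          "hw": "X-Auth-Hardware", "factor": "X-Auth-Factor"}


def sign(key, *parts):
    """Length-prefix each field before MACing so ("ab","c") and ("a","bc") differ."""
    msg = "".join(f"{len(p)}:{p}" for p in parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, sig, *parts):
    return hmac.compare_digest(sig, sign(key, *parts))


class AuthenticationService:
    """Step 5: fronts the WEB service; only target URLs need a valid factor."""

    def __init__(self, terminal_keys, target_urls, web_service, window=60, clock=time.time):
        self.terminal_keys = terminal_keys   # hardware info -> key (assumed: from the activation file)
        self.target_urls, self.web_service = set(target_urls), web_service
        self.window, self.clock = window, clock
        self._issued = {}                    # first random number -> target timestamp; single use

    def begin_authentication(self):
        """Step 3.2: hand out the target timestamp and the first random number."""
        ts, nonce = str(int(self.clock())), secrets.token_hex(16)
        self._issued[nonce] = ts
        return ts, nonce

    def handle(self, url, headers):
        if url not in self.target_urls:
            return self.web_service(url, headers)   # general functions pass through
        f = {k: headers.get(h) for k, h in HEADER.items()}
        if any(v is None for v in f.values()) or not f["ts"].isdigit():
            return ("dropped", "no authentication factor")
        if abs(self.clock() - int(f["ts"])) > self.window:
            return ("dropped", "target timestamp invalid")
        if self._issued.pop(f["nonce"], None) != f["ts"]:
            return ("dropped", "first random number unknown or already used")
        key = self.terminal_keys.get(f["hw"])
        if key is None or not verify(key, f["factor"], f["ts"], f["nonce"], f["hw"]):
            return ("dropped", "first signature value failed")
        stripped = {k: v for k, v in headers.items() if k not in HEADER.values()}
        return self.web_service(url, stripped)       # header stripping, then forward


class AuthorizationClient:
    """Steps 2.2, 2.4 and 3: generates the factor only for a plug-in that passes the challenge."""

    def __init__(self, plugin_key, terminal_key, hardware_info):
        self.plugin_key, self.terminal_key, self.hw = plugin_key, terminal_key, hardware_info
        self._second = None

    def challenge(self):
        self._second = secrets.token_hex(16)        # second random number
        return self._second

    def issue_factor(self, second_sig, third, service):
        """Return the authentication parameters plus factor, or None on refusal (step 2.4)."""
        second, self._second = self._second, None   # one challenge per attempt
        if second is None or not verify(self.plugin_key, second_sig, second, third):
            return None
        ts, nonce = service.begin_authentication()               # steps 3.1-3.2
        factor = sign(self.terminal_key, ts, nonce, self.hw)     # step 3.3: first signature value
        return {"ts": ts, "nonce": nonce, "hw": self.hw, "factor": factor}


class URLMonitoringPlugin:
    """Steps 2.1, 2.3 and 4: intercepts target-URL requests and adds the factor to the header."""

    def __init__(self, plugin_key, target_urls, client):
        self.plugin_key, self.target_urls, self.client = plugin_key, set(target_urls), client

    def prepare(self, url, headers, service):
        """Return the headers to send; target URLs get the authentication factor added."""
        if url not in self.target_urls:
            return dict(headers)
        second = self.client.challenge()
        third = secrets.token_hex(16)                          # third random number
        second_sig = sign(self.plugin_key, second, third)      # second signature value
        params = self.client.issue_factor(second_sig, third, service)
        return None if params is None else dict(headers, **{HEADER[k]: v for k, v in params.items()})

    def send(self, url, headers, service):
        prepared = self.prepare(url, headers, service)
        if prepared is None:
            return ("refused", "authorization client rejected the plug-in")
        return service.handle(url, prepared)


def build_system(clock=time.time):
    """Wire up one authorized terminal; keys, serial and target URL are constructed for the demo."""
    def web(url, headers):
        return ("ok", url, sorted(headers))
    plugin_key, terminal_key, hw = secrets.token_bytes(32), secrets.token_bytes(32), "SN-DEMO-0001"
    service = AuthenticationService({hw: terminal_key}, {"/admin/export"}, web, clock=clock)
    client = AuthorizationClient(plugin_key, terminal_key, hw)
    return URLMonitoringPlugin(plugin_key, {"/admin/export"}, client), client, service
```

Running `build_system()` and calling `plugin.send("/admin/export", {...}, service)` returns the WEB service's response with the authentication headers stripped, while a request that reaches the service without a factor, with a tampered first signature value, with a reused first random number, or with a timestamp outside the window is dropped before it is forwarded. A plug-in holding the wrong key fails the step-2.4 check and never obtains a factor.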
The methods provided herein are described above. The following describes the apparatus provided in the present application:
Referring to fig. 3, which is a schematic structural diagram of an access control device according to an embodiment of the present application, the access control device may include: a monitoring unit 310, a generating unit 320, and a sending unit 330; wherein:
the generating unit 320 is configured to generate an authentication factor by using a cryptographic technique according to a specified authentication parameter when the monitoring unit 310 monitors the access request for the target URL;
the sending unit 330 is configured to carry the authentication factor in the access request, and send the access request carrying the authentication factor to a WEB server, so that the WEB server verifies the authentication factor, and responds to the access request when the verification is passed.
In some embodiments, the generating unit 320 generates the authentication factor by using a cryptographic technique according to the specified authentication parameter, including:
carrying out digital signature on the specified authentication parameters to obtain authentication factors; the specified authentication parameters comprise one or more of a timestamp, a first random number and terminal hardware information of the specified terminal equipment;
the sending unit 330 carries the authentication factor in the access request, including:
and carrying the specified authentication parameters and the authentication factors in the access request.
In some embodiments, in the case that the specified authentication parameter includes a timestamp, the generating unit 320 digitally signs the specified authentication parameter to obtain an authentication factor, including:
sending an authentication request to the WEB server;
receiving a target timestamp sent by the WEB server;
carrying out digital signature on the specified authentication parameters including the target timestamp to obtain an authentication factor;
the sending unit 330 sends the access request carrying the authentication factor to a WEB server, so that the WEB server verifies the authentication factor, and responds to the access request when the authentication factor passes, including:
and sending the access request carrying the specified authentication parameters and the authentication factors to a WEB server so that the WEB server verifies the target timestamp and verifies the authentication factors, and responding to the access request under the condition that the target timestamp passes verification and the authentication factors pass verification.
In some embodiments, the specified terminal device is provided with a URL monitoring management plug-in and an authorization client;
the generating unit 320 generates an authentication factor by using a cryptographic technique according to a specified authentication parameter when the monitoring unit 310 monitors the access request for the target URL, including:
in a case where the monitoring unit 310 monitors the access request for the target URL through the URL monitoring management plug-in, an authentication factor is generated by the authorization client using a cryptographic technique according to a specified authentication parameter.
In some embodiments, in a case that the monitoring unit 310 monitors the access request for the target URL through the URL monitoring management plug-in, before the generating unit 320 generates an authentication factor by using a cryptographic technique according to a specified authentication parameter through the authorization client, the method further includes:
sending an authentication request to the authorization client through the URL monitoring management plug-in;
generating a second random number through the authorization client, and sending the second random number to the URL monitoring management plug-in;
generating a third random number through the URL monitoring management plug-in, performing digital signature on the second random number and the third random number, and sending a signature value and the third random number to the authorization client;
and verifying the signature value through the authorization client, determining to execute the operation of generating an authentication factor according to the specified authentication parameter and using a cryptographic technology under the condition that the verification is passed.
In some embodiments, the sending unit 330 carries the authentication factor in the access request, and sends the access request carrying the authentication factor to a WEB server, including:
sending the authentication factor to the URL monitoring management plug-in through the authorization client;
and carrying the authentication factor in the access request through the URL monitoring management plug-in, and sending the access request carrying the authentication factor to a WEB server.
In some embodiments, the WEB server is installed with an authentication service;
the sending unit 330 carries the authentication factor in the access request, and sends the access request carrying the authentication factor to a WEB server, including:
and carrying the authentication factor in the access request, sending the access request carrying the authentication factor to the authentication service so that the authentication service verifies the authentication factor, and forwarding the access request to the WEB server under the condition that the authentication is passed.
An embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor is configured to execute the machine executable instructions to implement the above-described access control method.
Fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 401, a memory 402 having stored thereon machine executable instructions. The processor 401 and memory 402 may communicate via a system bus 403. Also, the processor 401 may perform the access control methods described above by reading and executing machine-executable instructions in the memory 402 corresponding to the access control logic.
The memory 402 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or similar storage medium, or a combination thereof.
In some embodiments, there is also provided a machine-readable storage medium, such as the memory 402 in fig. 4, having stored therein machine-executable instructions that, when executed by a processor, implement the access control method described above. For example, the storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (11)

1. An access control method is applied to a designated terminal device, the designated terminal device is a terminal device with preset target Uniform Resource Locator (URL) access authority, and a target URL is a URL which needs to be accessed after authorization, and the method comprises the following steps:
under the condition that an access request aiming at the target URL is monitored, generating an authentication factor by utilizing a cryptographic technology according to a specified authentication parameter;
and carrying the authentication factor in the access request, and sending the access request carrying the authentication factor to a WEB server so that the WEB server verifies the authentication factor and responds to the access request under the condition that the verification is passed.
2. The method of claim 1, wherein generating an authentication factor using a cryptographic technique in accordance with specified authentication parameters comprises:
carrying out digital signature on the specified authentication parameters to obtain authentication factors; wherein the specified authentication parameters include one or more of a timestamp, a first random number, and terminal hardware information of the specified terminal device;
the carrying of the authentication factor in the access request includes:
and carrying the specified authentication parameters and the authentication factors in the access request.
3. The method of claim 2, wherein, in the case that the specified authentication parameter includes a timestamp, digitally signing the specified authentication parameter to obtain an authentication factor comprises:
sending an authentication request to the WEB server;
receiving a target timestamp sent by the WEB server;
carrying out digital signature on the specified authentication parameters including the target timestamp to obtain an authentication factor;
the sending the access request carrying the authentication factor to a WEB server to enable the WEB server to verify the authentication factor and respond to the access request when the authentication is passed includes:
and sending the access request carrying the specified authentication parameters and the authentication factors to a WEB server so that the WEB server verifies the target timestamp and verifies the authentication factors, and responding to the access request under the condition that the target timestamp passes verification and the authentication factors pass verification.
4. The method according to claim 1, wherein the specified terminal device is provided with a URL monitoring management plug-in and an authorization client;
generating an authentication factor by using a cryptographic technique according to a specified authentication parameter under the condition that the access request aiming at the target URL is monitored, wherein the authentication factor comprises the following steps:
and under the condition that the URL monitoring management plug-in monitors the access request aiming at the target URL, generating an authentication factor by the authorization client side according to the specified authentication parameter and by using a cryptographic technology.
5. The method of claim 4, wherein, in the case that the access request for the target URL is monitored by the URL monitoring management plug-in, before the authorization client generates an authentication factor using a cryptographic technique according to a specified authentication parameter, the method further comprises:
sending an authentication request to the authorization client through the URL monitoring management plug-in;
generating a second random number through the authorization client, and sending the second random number to the URL monitoring management plug-in;
generating a third random number through the URL monitoring management plug-in, performing digital signature on the second random number and the third random number, and sending a signature value and the third random number to the authorization client;
and verifying the signature value through the authorization client, determining to execute the operation of generating an authentication factor according to the specified authentication parameter and using a cryptographic technology under the condition that the verification is passed.
6. The method according to claim 4, wherein the carrying the authentication factor in the access request and sending the access request carrying the authentication factor to a WEB server comprises:
sending the authentication factor to the URL monitoring management plug-in through the authorization client;
and carrying the authentication factor in the access request through the URL monitoring management plug-in, and sending the access request carrying the authentication factor to a WEB server.
7. The method according to claim 1, wherein the WEB server is installed with an authentication service;
the carrying of the authentication factor in the access request and the sending of the access request carrying the authentication factor to a WEB server includes:
and carrying the authentication factor in the access request, sending the access request carrying the authentication factor to the authentication service so that the authentication service verifies the authentication factor, and forwarding the access request to the WEB server under the condition that the authentication is passed.
8. An access control device is deployed in a designated terminal device, the designated terminal device is a terminal device with preset target Uniform Resource Locator (URL) access authority, and a target URL is a URL which needs to be accessed after authorization, and the device comprises: the device comprises a monitoring unit, a generating unit and a sending unit; wherein:
the generation unit is used for generating an authentication factor by using a cryptographic technology according to a specified authentication parameter under the condition that the monitoring unit monitors the access request aiming at the target URL;
the sending unit is configured to carry the authentication factor in the access request, and send the access request carrying the authentication factor to a WEB server, so that the WEB server verifies the authentication factor, and responds to the access request when the authentication is passed.
9. The apparatus of claim 8, wherein the generating unit generates the authentication factor using a cryptographic technique in accordance with a specified authentication parameter, comprising:
carrying out digital signature on the specified authentication parameters to obtain authentication factors; wherein the specified authentication parameters include one or more of a timestamp, a first random number, and terminal hardware information of the specified terminal device;
the sending unit carries the authentication factor in the access request, including:
carrying the specified authentication parameters and the authentication factors in the access request;
wherein, under the condition that the specified authentication parameter includes the timestamp, the generating unit performs digital signature on the specified authentication parameter to obtain an authentication factor, and the method includes:
sending an authentication request to the WEB server;
receiving a target timestamp sent by the WEB server;
carrying out digital signature on the specified authentication parameters including the target timestamp to obtain an authentication factor;
the sending unit sends the access request carrying the authentication factor to a WEB server so that the WEB server verifies the authentication factor and responds to the access request when the authentication factor passes, and the method comprises the following steps:
sending the access request carrying the specified authentication parameters and the authentication factors to a WEB server so that the WEB server verifies the target timestamp and verifies the authentication factors, and responding to the access request under the condition that the target timestamp passes verification and the authentication factors pass verification;
and/or,
the appointed terminal equipment is provided with a URL monitoring management plug-in and an authorization client;
the generating unit generates an authentication factor by using a cryptographic technique according to a specified authentication parameter when the monitoring unit monitors the access request for the target URL, including:
under the condition that the monitoring unit monitors the access request aiming at the target URL through the URL monitoring management plug-in, generating an authentication factor through the authorization client by using a cryptographic technology according to a specified authentication parameter;
wherein, in the case that the monitoring unit monitors the access request for the target URL through the URL monitoring management plug-in, before the generating unit generates an authentication factor through the authorization client according to a specified authentication parameter and by using a cryptographic technique, the method further includes:
sending an authentication request to the authorization client through the URL monitoring management plug-in;
generating a second random number through the authorization client, and sending the second random number to the URL monitoring management plug-in;
generating a third random number through the URL monitoring management plug-in, performing digital signature on the second random number and the third random number, and sending a signature value and the third random number to the authorization client;
verifying the signature value through the authorization client, and determining, under the condition that the verification is passed, to execute the operation of generating an authentication factor according to the specified authentication parameter by using a cryptographic technique;
the sending unit carries the authentication factor in the access request, and sends the access request carrying the authentication factor to a WEB server, and the sending unit includes:
sending the authentication factor to the URL monitoring management plug-in through the authorization client;
carrying the authentication factor in the access request through the URL monitoring management plug-in, and sending the access request carrying the authentication factor to a WEB server;
and/or,
the WEB server is provided with authentication service;
the sending unit carries the authentication factor in the access request and sends the access request carrying the authentication factor to a WEB server, and the sending unit includes:
and carrying the authentication factor in the access request, sending the access request carrying the authentication factor to the authentication service so that the authentication service verifies the authentication factor, and forwarding the access request to the WEB server under the condition that the authentication is passed.
10. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor, the processor being configured to execute the machine executable instructions to implement the method of any one of claims 1 to 7.
11. A machine-readable storage medium having stored therein machine-executable instructions which, when executed by a processor, perform the method of any one of claims 1-7.
CN202211089088.XA 2022-09-07 2022-09-07 Access control method, device, electronic equipment and machine-readable storage medium Pending CN115189967A (en)


Publications (1)

Publication Number Publication Date
CN115189967A true CN115189967A (en) 2022-10-14

Family

ID=83523340


Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753881A (en) * 2013-12-30 2015-07-01 上海格尔软件股份有限公司 WebService security certification access control method based on software digital certificate and timestamp
CN109359252A (en) * 2018-10-30 2019-02-19 北京小米移动软件有限公司 Browser selection method and device
US20190156008A1 (en) * 2017-11-22 2019-05-23 Canon Kabushiki Kaisha Access control system, control method of access control system, and storage medium
CN110691087A (en) * 2019-09-29 2020-01-14 北京搜狐新媒体信息技术有限公司 Access control method, device, server and storage medium
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium
CN114036490A (en) * 2021-11-15 2022-02-11 公安部交通管理科学研究所 Security authentication method for calling plug-in software interface, USBKey driving device and authentication system
CN114553568A (en) * 2022-02-25 2022-05-27 重庆邮电大学 Resource access control method based on zero-trust single packet authentication and authorization
CN114679293A (en) * 2021-06-15 2022-06-28 腾讯云计算(北京)有限责任公司 Access control method, device and storage medium based on zero trust security


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张星等 (Zhang Xing et al.): "基于PMI的Web安全访问控制系统设计" (Design of a PMI-based Web Security Access Control System), 《舰船电子工程》 (Ship Electronic Engineering) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221014