CN116015695A - Resource access method, system, device, terminal and storage medium - Google Patents

Resource access method, system, device, terminal and storage medium

Info

Publication number: CN116015695A
Application number: CN202111221829.0A
Authority: CN (China)
Prior art keywords: resource access, verification, request, resource, terminal
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by: Tencent Technology Shenzhen Co Ltd

Abstract

The embodiments of this application disclose a resource access method, system, device, terminal and storage medium in the field of computer technology. The method comprises the following steps: intercepting, based on first access control information, a resource access request sent by a first client, where the first access control information indicates that whenever any client on the terminal sends a resource access request, the request is intercepted and a verification operation is executed; verifying the current state information of the terminal; verifying the resource access request based on the first access control information if the state information passes verification; and performing resource access based on the resource access request if the resource access request passes verification. By combining verification of the terminal's state information with verification of the resource access request, the method verifies more information than request-only checking, makes the verification process more complete, and improves the security of resource access.

Description

Resource access method, system, device, terminal and storage medium
Technical Field
The embodiments of this application relate to the field of computer technology, and in particular to a resource access method, system, device, terminal and storage medium.
Background
With the rapid development of computer technology and the internet, many users access network resources through terminals. To secure that access, the related art configures access control information in advance for each client, and when a client starts to access a resource, the resource access request it initiates is verified against that access control information. However, the related art verifies only the resource access request itself; because little information is verified, the security of the resource access is poor.
Disclosure of Invention
The embodiments of this application provide a resource access method, system, device, terminal and storage medium that improve the security of resource access. The technical solution is as follows:
in one aspect, a resource access method is provided, the method comprising:
intercepting, based on first access control information, a resource access request sent by a first client, where the first access control information indicates that whenever any client on the terminal sends a resource access request, the request is intercepted and a verification operation is executed;
verifying the current state information of the terminal;
verifying the resource access request based on the first access control information if the state information passes verification;
and performing resource access based on the resource access request if the resource access request passes verification.
Optionally, verifying the user identifier includes:
determining that the user identifier passes verification if the user identifier belongs to a target identifier set, where the user identifiers contained in the target identifier set have the authority to access the resource.
Optionally, if the state information passes verification, after first process information corresponding to the process identifier has been acquired from the first client based on the process identifier, the method further includes:
sending the authentication request to the management server if no process information corresponding to the process identifier is stored in the management client;
and receiving the verification result returned by the management server.
Optionally, verifying the resource access request based on the first access control information if the state information passes verification includes:
verifying the resource access request based on the first access control information within a target time period after the state information passes verification.
Optionally, after verifying the current state information of the terminal, the method further includes:
deleting the resource access request if the state information does not pass verification.
Optionally, after verifying the resource access request based on the first access control information if the state information passes verification, the method further includes:
deleting the resource access request if the resource access request does not pass verification.
Optionally, the resource access request carries a process identifier, and after verifying the resource access request based on the first access control information if the state information passes verification, the method further includes:
clearing the target process corresponding to the process identifier if the resource access request does not pass verification.
Optionally, the management client includes a first sub-client and a second sub-client;
the first sub-client is used for intercepting a resource access request and forwarding the resource access request;
the second sub-client is configured to verify the status information and verify the resource access request.
In another aspect, a method for accessing a resource is provided, the method comprising:
receiving an authentication request sent by a terminal through a management client, where the authentication request carries first process information, the first process information corresponds to a process identifier carried in a resource access request intercepted by the management client and was acquired from the first client that sent the resource access request, and the process identifier indicates the process in the first client that requests access to the resource;
and verifying the authentication request based on second access control information and returning the verification result of the authentication request to the terminal, where the second access control information indicates that a verification operation is performed when an authentication request is received, and the terminal receives the verification result and performs resource access based on the resource access request when the verification result indicates that the resource access request passes verification.
Optionally, the authentication request further carries the process identifier, and the verifying the authentication request includes:
and verifying the first process information under the condition that the process identifier belongs to a process identifier set, wherein the process identifier set comprises process identifiers corresponding to the processes allowing the resource access.
Optionally, the verifying the first process information includes:
determining that the first process information passes verification if the first process information matches third process information, where the third process information is the locally stored process information corresponding to the process identifier; or
sending the authentication request to a cloud server if no process information corresponding to the process identifier is stored locally, and receiving the verification result of the first process information returned by the cloud server, where the cloud server stores the latest process information and verifies the first process information based on the authentication request.
Optionally, after verifying the first process information, the method further includes:
receiving third process information sent by the cloud server;
and storing the process identifier in correspondence with the third process information.
In another aspect, a method for accessing a resource is provided, the method comprising:
receiving a network request sent by a terminal, where the network request is sent by the terminal after a management server has verified the terminal's resource access request, and the network request carries a verification credential that the management server sent to the terminal;
sending a verification request carrying the verification credential to the management server based on third access control information, where the management server verifies the verification credential and the third access control information indicates that a verification operation is performed whenever a network request is received;
and establishing a connection with the terminal if the management server verifies the verification credential, where the connection is used by the terminal to send the resource access request.
In another aspect, a resource access system is provided, the resource access system including a terminal and a management server;
the terminal is used for intercepting a resource access request sent by a first client based on first access control information through a management client, wherein the first access control information indicates that the resource access request is intercepted and verification operation is executed under the condition that any client in the terminal sends the resource access request;
the terminal is further used for verifying the current state information of the terminal;
the terminal is further configured to send an authentication request to the management server based on the first access control information when the state information passes verification, where the authentication request carries first process information, the first process information corresponds to a process identifier carried in the resource access request and is acquired from the first client, and the process identifier indicates the process in the first client that requests resource access;
the management server is configured to verify the authentication request based on second access control information and return the verification result of the authentication request to the terminal, where the second access control information indicates that a verification operation is performed when an authentication request is received;
the terminal is further configured to receive the verification result, and perform resource access based on the resource access request when the verification result indicates that the resource access request passes verification.
In another aspect, there is provided a resource access device, the device comprising:
the request interception module is used for intercepting a resource access request sent by a first client based on first access control information, wherein the first access control information indicates that the resource access request is intercepted and verification operation is executed under the condition that any client in the terminal sends the resource access request;
the first verification module is used for verifying the current state information of the terminal;
the second verification module is used for verifying the resource access request based on the first access control information under the condition that the state information passes verification;
and the resource access module is used for carrying out resource access based on the resource access request under the condition that the verification of the resource access request is passed.
Optionally, the request intercepting module is configured to intercept, by a management client, the resource access request based on the first access control information, where the management client is configured to perform resource access control on a client in the terminal.
Optionally, the state information includes network information, and the first verification module includes:
a first verification unit configured to acquire network information corresponding to the network the terminal is currently connected to;
the first verification unit is further configured to determine that the state information passes verification when the network information matches target network information, where the target network information is the network information of a secure network; or
the state information further includes the user identifier logged in to the management client, and the first verification unit is further configured to verify the user identifier when the network information does not match the target network information, and to determine that the state information passes verification when the user identifier passes verification.
Optionally, the state information includes a resource type, and the first verification module includes:
a second verification unit configured to obtain the resource type of the resource that the resource access request asks to access;
the second verification unit is further configured to determine that the state information passes verification when the resource type is a public resource type, where a resource of the public resource type may be accessed by a client in which any user identifier is logged in; or
the second verification unit is further configured to verify the user identifier when the resource type is a non-public resource type, and to determine that the state information passes verification when the user identifier passes verification.
Optionally, the first verification module is configured to determine that the user identifier passes verification when the user identifier belongs to a target identifier set, where the user identifier included in the target identifier set has a right to access a resource.
Optionally, the state information includes client information of each client installed on the terminal, and the first verification module includes:
a third verification unit configured to acquire the current client information of each client installed on the terminal and verify that client information;
and the second verification module is configured to verify the resource access request based on the first access control information when the client information of every client passes verification.
Optionally, the request interception module includes:
a first interception unit configured to intercept the resource access request when the management client is in a first interception mode, where the first interception mode indicates interception of every resource access request, for any resource, sent by any client on the terminal; or
a second interception unit configured to intercept the resource access request when the management client is in a second interception mode and the target address carried by the resource access request belongs to a first address set, where the second interception mode indicates interception of resource access requests sent by any client on the terminal for non-public resources, and the first address set contains the addresses of the non-public resources.
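The interception modes, the state checks (network, user identifier, resource type, installed clients) and the target time period described above, combined into one management-client enforcement routine. This is an added example written for this page, not code from the patent or from Tencent; the data shapes, the policy fields, the version-comparison rule, the string result codes and the sample values in the comments are assumptions.

```python
"""Added example (not the patent's or Tencent's code): a minimal management-client
policy enforcement point following the two-stage check: intercept, verify the
terminal's state, then verify the request inside a target time period.
Field names, data shapes and the result codes are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

INTERCEPT_ALL = "all"                  # first interception mode: every request
INTERCEPT_NON_PUBLIC = "non_public"    # second interception mode: only the first address set


@dataclass
class AccessRequest:
    process_id: str         # identifies the requesting process (assumed: executable name)
    target_address: str     # host:port the client wants to reach
    resource_type: str      # "public" or "non_public"


@dataclass
class TerminalState:
    network_id: str                   # network the terminal is connected to right now
    user_id: Optional[str]            # user logged in to the management client, if any
    client_versions: Dict[str, str]   # installed client -> version string


@dataclass
class Policy:                         # the "first access control information"
    intercept_mode: str
    non_public_addresses: Set[str]    # the "first address set"
    secure_networks: Set[str]         # the "target network information"
    authorized_users: Set[str]        # the "target identifier set"
    min_client_versions: Dict[str, str]
    state_valid_seconds: float = 30.0  # the "target time period"


def _version(v: str):
    """Assumed version format: dotted integers, e.g. "2.1"."""
    return tuple(int(part) for part in v.split("."))


class ManagementClient:
    def __init__(self, policy: Policy,
                 verify_request: Callable[[AccessRequest], bool],
                 clock: Callable[[], float] = time.time):
        self.policy = policy
        self._verify_request = verify_request   # second-stage check (process info, management server)
        self._clock = clock

    def should_intercept(self, req: AccessRequest) -> bool:
        if self.policy.intercept_mode == INTERCEPT_ALL:
            return True
        return req.target_address in self.policy.non_public_addresses

    def _user_authorized(self, state: TerminalState) -> bool:
        return state.user_id is not None and state.user_id in self.policy.authorized_users

    def verify_state(self, state: TerminalState, req: AccessRequest) -> bool:
        p = self.policy
        # Network check: a known secure network passes; otherwise fall back to the user identifier.
        if state.network_id not in p.secure_networks and not self._user_authorized(state):
            return False
        # Resource-type check: public resources pass for anyone; non-public need an authorized user.
        if req.resource_type != "public" and not self._user_authorized(state):
            return False
        # Installed-client check: every required client must be present at its minimum version.
        for client, minimum in p.min_client_versions.items():
            installed = state.client_versions.get(client)
            if installed is None or _version(installed) < _version(minimum):
                return False
        return True

    def handle(self, req: AccessRequest, state: TerminalState) -> str:
        """Returns "passthrough", "forward", or "dropped:<reason>" for the request."""
        if not self.should_intercept(req):
            return "passthrough"
        state_ok_at = self._clock()
        if not self.verify_state(state, req):
            return "dropped:state"          # request deleted
        request_ok = self._verify_request(req)
        # The request check must finish within the target time period after the
        # state check passed; a late result is discarded as stale even if it was positive.
        if self._clock() - state_ok_at > self.policy.state_valid_seconds:
            return "dropped:stale"
        if not request_ok:
            return "dropped:request"        # request deleted; the process may also be cleared
        return "forward"
```

The order is the point: the interception decision comes first so that, in the second mode, public traffic never pays for a state check; the state check runs before anything is read from the requesting process; and a request whose second-stage check completes outside `state_valid_seconds` is dropped even when that check returned true, which is what stops a slow management-server round trip from extending a stale state result.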
Optionally, the resource access request carries a process identifier that indicates the process requesting resource access, the first access control information indicates a verification operation on the process information corresponding to the process identifier, and the second verification module is configured to:
acquire, from the first client and based on the process identifier, first process information corresponding to the process identifier when the state information passes verification;
acquire, from the management client and based on the process identifier, second process information corresponding to the process identifier;
send an authentication request to the management server corresponding to the management client when the first process information matches the second process information, where the authentication request carries the first process information and the management server verifies the authentication request based on second access control information, the second access control information indicating that a verification operation is executed when an authentication request is received;
and receive the verification result returned by the management server.
Optionally, the second verification module is configured to:
sending the authentication request to the management server under the condition that the process information corresponding to the process identifier is not stored in the management client;
and receiving a verification result returned by the management server.
Optionally, the resource access module is configured to:
send the resource access request to a service server through the management client when the resource access request passes verification, where the service server returns the target resource corresponding to the resource access request; or
send the resource access request to the service server through the management client and the access gateway when the resource access request passes verification.
Optionally, the resource access module is configured to:
send, through the management client, a network request to the access gateway, where the network request carries a verification credential sent to the terminal by the management server corresponding to the management client; the access gateway sends, based on third access control information, a verification request carrying the verification credential to the management server; the management server verifies the verification credential and returns the verification result to the access gateway; the access gateway establishes a connection with the terminal if the verification credential passes verification; and the third access control information indicates that a verification operation is performed when a network request is received;
and send, over the established connection, the resource access request to the access gateway, which forwards it to the service server.
Optionally, the second verification module is configured to:
and verifying the resource access request based on the first access control information within a target time period after the state information verification is passed.
Optionally, the apparatus further comprises:
and the request deleting module is used for deleting the resource access request under the condition that the state information verification is not passed.
Optionally, the apparatus further comprises:
and the request deleting module is used for deleting the resource access request under the condition that the verification of the resource access request is not passed.
Optionally, the resource access request carries a process identifier, and the apparatus further includes:
and the process clearing module is used for clearing the target process corresponding to the process identifier under the condition that the verification of the resource access request is not passed.
Optionally, the management client includes a first sub-client and a second sub-client;
the first sub-client is used for intercepting a resource access request and forwarding the resource access request;
the second sub-client is configured to verify the status information and verify the resource access request.
In another aspect, there is provided a resource access device, the device comprising:
an authentication request receiving module configured to receive an authentication request sent by a terminal through a management client, where the authentication request carries first process information, the first process information corresponds to a process identifier carried in a resource access request intercepted by the management client and was acquired from the first client that sent the resource access request, and the process identifier indicates the process in the first client that requests access to the resource;
and a verification module configured to verify the authentication request based on second access control information and return the verification result of the authentication request to the terminal, where the terminal receives the verification result and performs resource access based on the resource access request when the verification result indicates that the resource access request passes verification, and the second access control information indicates that a verification operation is performed when an authentication request is received.
Optionally, the authentication request further carries the process identifier, and the verification module is configured to verify the first process information when the process identifier belongs to a process identifier set, where the process identifier set contains the process identifiers of the processes that are allowed resource access.
Optionally, the verification module is configured to:
determine that the first process information passes verification if the first process information matches third process information, where the third process information is the locally stored process information corresponding to the process identifier; or
send the authentication request to a cloud server if no process information corresponding to the process identifier is stored locally, and receive the verification result of the first process information returned by the cloud server, where the cloud server stores the latest process information and verifies the first process information based on the authentication request.
Optionally, the apparatus further comprises:
a storage module configured to receive third process information sent by the cloud server;
and the storage module is further configured to store the process identifier in correspondence with the third process information.
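The process-information chain from the terminal-side second verification module (first process information read from the client, second process information cached on the management client, authentication request to the management server) together with the server-side verification and storage modules above, as one runnable example. This is an added example, not code from the patent or from Tencent: it treats the process identifier as the executable name, process information as the SHA-256 of the executable image, and the cloud server as an in-memory table; the sample images are constructed bytes, not real binaries.

```python
"""Added example (not the patent's or Tencent's code): the process-information
verification chain terminal cache -> management server cache -> cloud server.
process identifier = executable name, process information = SHA-256 of the image,
cloud store = dict; all of these are assumptions for illustration."""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed sample executable images (not real binaries).
GOOD_IMAGE = b"MZ\x90\x00constructed trusted client image v1.0"
TAMPERED_IMAGE = b"MZ\x90\x00constructed trusted client image v1.0 + injected code"


def process_info(image: bytes) -> str:
    """Process information is modelled as the hex SHA-256 of the executable image."""
    return hashlib.sha256(image).hexdigest()


class CloudServer:
    """Holds the latest process information for every known process identifier."""
    def __init__(self, latest: Dict[str, str]):
        self.latest = dict(latest)
        self.calls = 0                            # counts round trips, to show caching

    def verify(self, process_id: str, first_info: str) -> Tuple[bool, Optional[str]]:
        self.calls += 1
        expected = self.latest.get(process_id)
        if expected is None:
            return False, None
        return hmac.compare_digest(expected, first_info), expected


class ManagementServer:
    """Verifies authentication requests per the second access control information."""
    def __init__(self, allowed_process_ids: Set[str], cloud: CloudServer):
        self.allowed = set(allowed_process_ids)   # the "process identifier set"
        self.cloud = cloud
        self.third_info: Dict[str, str] = {}      # locally stored "third process information"

    def authenticate(self, process_id: str, first_info: str) -> bool:
        if process_id not in self.allowed:
            return False                          # process not allowed to access resources at all
        stored = self.third_info.get(process_id)
        if stored is not None:
            return hmac.compare_digest(stored, first_info)
        ok, latest = self.cloud.verify(process_id, first_info)
        if latest is not None:
            self.third_info[process_id] = latest  # store what the cloud returned for next time
        return ok


class TerminalVerifier:
    """The management client's request verification on the terminal."""
    def __init__(self, server: ManagementServer, second_info: Dict[str, str]):
        self.server = server
        self.second_info = dict(second_info)      # process info cached on the management client

    def verify(self, process_id: str, image: bytes) -> bool:
        first = process_info(image)               # first process information, from the client
        cached = self.second_info.get(process_id) # second process information, from the cache
        if cached is not None and not hmac.compare_digest(cached, first):
            return False                          # local mismatch: reject without asking the server
        # Either it matched, or nothing is cached: ask the management server.
        return self.server.authenticate(process_id, first)
```

Two caveats a practitioner should keep in mind when reading the patent's chain this way. A name-based allowlist is only meaningful because the hash binds the name to a specific image; by itself, a process identifier is trivially spoofable. And a hash of the on-disk image says nothing about what a running process has loaded since, so the "process information" that is actually compared decides how much the check is worth.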
In another aspect, there is provided a resource access device, the device comprising:
a network request receiving module configured to receive a network request sent by a terminal, where the network request is sent by the terminal after a management server has verified the terminal's resource access request, and the network request carries a verification credential that the management server sent to the terminal;
a verification request sending module configured to send a verification request carrying the verification credential to the management server based on third access control information, where the management server verifies the verification credential and the third access control information indicates that a verification operation is executed when a network request is received;
and a connection establishment module configured to establish a connection with the terminal if the management server verifies the verification credential, where the connection is used by the terminal to send the resource access request.
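The gateway leg of the flow (network request carrying a verification credential, verification request to the management server, connection established only on success), with the management server also issuing the credential, as one runnable example. This is an added example, not code from the patent or from Tencent. The credential format is an assumption: a terminal-bound, short-lived, HMAC-SHA256-signed token, which fits the "network request credential" definition in the keyword section below (authorization information issued by the management server for a network request); the gateway's verification request is an in-process method call here rather than a network call.

```python
"""Added example (not the patent's or Tencent's code): access gateway enforcing
the third access control information. Credential format and the in-process
"verification request" are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple


class ManagementServer:
    def __init__(self, key: bytes, ttl_seconds: int = 60):
        self._key = key
        self.ttl = ttl_seconds

    def issue_credential(self, user_id: str, terminal_id: str, now: int) -> str:
        """Issued to the terminal once its resource access request has passed verification."""
        payload = {
            "uid": user_id,
            "tid": terminal_id,                   # bind the credential to one terminal
            "exp": now + self.ttl,                # short authorization validity period
            "nonce": base64.urlsafe_b64encode(os.urandom(12)).decode(),
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def verify_credential(self, credential: str, terminal_id: str, now: int) -> bool:
        """Answers the gateway's verification request."""
        parts = credential.split(".")
        if len(parts) != 2:
            return False
        body, tag = parts
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                          # forged or altered credential
        try:
            payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        except (ValueError, TypeError):
            return False
        return payload.get("tid") == terminal_id and now < int(payload.get("exp", 0))


class AccessGateway:
    """Every network request triggers a verification request to the management
    server; a connection for the terminal exists only after that succeeds."""
    def __init__(self, server: ManagementServer):
        self._server = server
        self._connections: Dict[str, str] = {}    # connection id -> terminal id

    def handle_network_request(self, terminal_id: str, credential: str, now: int) -> Optional[str]:
        if not self._server.verify_credential(credential, terminal_id, now):
            return None                           # no connection is established
        conn_id = secrets.token_hex(8)
        self._connections[conn_id] = terminal_id
        return conn_id

    def forward(self, conn_id: str, resource_request: bytes) -> Tuple[str, str, bytes]:
        """Only a request arriving over an established connection reaches the service server."""
        terminal_id = self._connections.get(conn_id)
        if terminal_id is None:
            raise PermissionError("no verified connection for this request")
        return ("service_server", terminal_id, resource_request)
```

The terminal binding is only as strong as the gateway's knowledge of which terminal it is talking to (a device certificate or mTLS identity in practice), and the expiry is what limits the damage from a credential copied off a terminal; in a deployment the gateway would also want the management server to be able to revoke a credential before it expires.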
In another aspect, a terminal is provided, the terminal including a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to implement the operations performed by the resource access method of the above aspect.
In another aspect, a management server is provided, where the management server includes a processor and a memory, where the memory stores at least one computer program, and the at least one computer program is loaded and executed by the processor to implement the operations performed by the resource access method in the above aspect.
In another aspect, there is provided an access gateway comprising a processor and a memory, the memory storing at least one computer program, the at least one computer program being loaded and executed by the processor to implement the operations performed by the resource access method of the above aspect.
In another aspect, there is provided a computer readable storage medium having stored therein at least one computer program loaded and executed by a processor to implement the operations performed by the resource access method as described in the above aspects.
In another aspect, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the operations performed by the resource access method of the above aspect.
The technical solution provided by the embodiments of this application has at least the following beneficial effects:
in the embodiments of this application, to ensure that the terminal is in a safe state at the time of resource access, the terminal's current state information is verified first; then, when the state information passes verification, that is, once the terminal is known to be safe, the resource access request is verified based on the first access control information; and the resource access is performed only when the resource access request passes verification. Combining verification of the state information with verification of the resource access request not only adds to the information being verified but, because the terminal's current state information is used, also verifies the terminal in real time, so the verification process is more complete and the security of resource access is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a resource access system provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of another resource access system provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of yet another resource access system provided by an embodiment of the present application;
FIG. 4 is a flowchart of a method for accessing resources according to an embodiment of the present application;
FIG. 5 is a flowchart of a method for accessing resources according to an embodiment of the present application;
FIG. 6 is a flowchart of a method for accessing resources according to an embodiment of the present application;
fig. 7 is a schematic diagram of a gateway configuration interface provided in an embodiment of the present application;
FIG. 8 is a schematic diagram of a policy management interface provided by an embodiment of the present application;
fig. 9 is a schematic diagram of a service system configuration interface provided in an embodiment of the present application;
FIG. 10 is a schematic diagram of a resource allocation interface provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of another business system configuration interface provided by an embodiment of the present application;
FIG. 12 is a schematic diagram of another gateway configuration interface provided by an embodiment of the present application;
FIG. 13 is a schematic diagram of a client configuration interface provided by an embodiment of the present application;
FIG. 14 is a flowchart of a method for accessing resources according to an embodiment of the present application;
FIG. 15 is a schematic diagram of a login interface provided by an embodiment of the present application;
FIG. 16 is a schematic diagram of a presentation interface provided by an embodiment of the present application;
FIG. 17 is a schematic diagram of a verification interface provided by an embodiment of the present application;
FIG. 18 is a schematic diagram of a prompt interface provided by an embodiment of the present application;
FIG. 19 is a schematic diagram of a detection interface provided by an embodiment of the present application;
FIG. 20 is a schematic diagram of another prompt interface provided by an embodiment of the present application;
FIG. 21 is a schematic diagram of a resource access method according to an embodiment of the present disclosure;
FIG. 22 is a flowchart of a method for accessing resources according to an embodiment of the present application;
fig. 23 is a schematic structural diagram of a resource access device according to an embodiment of the present application;
Fig. 24 is a schematic structural diagram of a resource access device according to an embodiment of the present application;
fig. 25 is a schematic structural diagram of a resource access device according to an embodiment of the present application;
fig. 26 is a schematic structural diagram of a terminal according to an embodiment of the present application;
fig. 27 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various concepts, but are not limited by these terms unless otherwise specified. These terms are only used to distinguish one concept from another. For example, the first process information may be referred to as second process information and the second process information may be referred to as first process information without departing from the scope of the present application.
The terms "at least one," "a plurality," "each," "any" and the like as used herein, wherein at least one includes one, two or more, and a plurality includes two or more, each referring to each of a corresponding plurality, and any one referring to any one of the plurality. For example, the plurality of clients includes 3 clients, and each client refers to each of the 3 clients, and any one refers to any one of the 3 clients, which may be the first, the second, or the third.
In order to facilitate understanding of the embodiments of the present application, the keywords related to the embodiments of the present application are explained first:
Login credentials: after a user logs in to the management client with a user identifier, the management server corresponding to the management client generates an encrypted string for that user identifier, which represents the login authorization information of the user identifier. The login authorization information includes user information and an authorization validity period, and the login credentials are stored in the management client in encrypted form.
Network request credentials: authorization information issued by the management server for a network request, used to identify the authorization status of that network request.
Sensitive information: includes user information such as the user ID, login password, login credentials and network request credentials.
Zero trust access control policy: consists of trusted processes (clients) and the service sites where accessible resources are located; any resource can be accessed through any trusted process, provided the corresponding permission has been opened. The granularity of the zero-trust access control policy is the login user, so different zero-trust policies can be formulated for different login users.
Access gateway (zero trust gateway): deployed at the entrance between the clients and the resources, and responsible for verifying and forwarding every access request for a resource.
Access agent: a terminal agent deployed at the terminal that initiates secure access. It is responsible for initiating the trusted identity authentication request of the access subject, establishes an encrypted access connection with the access gateway, and is also the policy enforcement point of access control.
Direct access: in the zero-trust network access architecture, a client initiates a resource access request; after the full-traffic agent hijacks the traffic, the full-traffic agent itself initiates resource access to the service site where the resource is located (that is, a direct connection) and returns the service site's response to the client. This access mode is called direct access.
Proxy access: in the zero-trust network access architecture, a client initiates a resource access request; after the full-traffic agent hijacks the traffic, the full-traffic agent forwards it to the access gateway, resource access is initiated to the service site where the resource is located through the access gateway, the service site's response is returned to the full-traffic agent through the access gateway, and the full-traffic agent forwards the service site's response to the client.
Access subject: the party initiating the access, for example the personnel, devices, applications, processes and services that access a resource; a digital entity formed by an individual factor, or a combination of factors, such as personnel, devices, applications, processes and services.
Access object: the party being accessed, such as applications, accessed systems (development and test environments, operation and maintenance environments, production environments, etc.), data, interfaces, functions, etc.
White-box cryptography: a cryptographic technique capable of resisting white-box attacks; by implementation it is divided into two types, static white boxes and dynamic white boxes. Static white box: the key of the algorithm is bound to and obfuscated with the specified encryption algorithm to generate a key white box; one key corresponds to one key white box, which exists as a file, and when the application is developed the key white box and the specified encryption algorithm are integrated into the project and compiled into a binary file.
Policy: a set of terminal-management rules issued by an administrator to terminals. Policies include patch repair, zero-trust network management and control, security reinforcement policies, and the like. A policy contains information such as notes, timeliness, validity count, etc.
Network session: a process in which the user and the service system exchange information, for example the process of sending or receiving resources after the client has established a network connection with the server. A network session includes the establishment and termination of the connection, and the sending and receiving of resources.
Access session: based on a network session and containing a set of related features. An access session is an abstract concept: the combined binding of a network session with the devices, people, network attributes, process attributes and terminal attributes for each accessed resource (including business applications, core systems, asset data, functional interfaces, etc.).
Fig. 1 is a schematic diagram of a resource access system according to an embodiment of the present application. Referring to fig. 1, the resource access system includes a terminal 101 and a management server 102. The terminal 101 and the server 102 are connected by a wireless or wired network.
The terminal 101 is installed with a management client served by the management server 102 and with other clients different from the management client; the terminal 101 can initiate resource access through the other clients and control resource access through the management client. Optionally, the terminal 101 is a computer, a mobile phone, a tablet computer, a vehicle-mounted terminal or another terminal. Optionally, the management client is a client provided by a third party. Optionally, the management server 102 is a stand-alone physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs (Content Delivery Networks), and basic cloud computing services such as big data and artificial intelligence platforms.
In one possible implementation, the terminal 101 logs in to the management client based on a user identifier; when it intercepts a resource access request sent by another client, it verifies the current state information of the terminal 101 through the management client, and verifies the resource access request initiated by the other client when the state information passes verification. Optionally, the management client sends an authentication request for the resource access request to the management server 102, which is configured to verify the authentication request and return the verification result to the terminal 101, so that the terminal 101 determines from the verification result whether the resource access request passes verification and performs resource access based on the resource access request if it does.
In one possible implementation, fig. 2 is a schematic diagram of another resource access system provided in an embodiment of the present application. Referring to fig. 2, the resource access system further includes a cloud server 103. The cloud server 103 and the management server 102 are connected by a wireless or wired network.
Optionally, the authentication request carries first process information. The first process information corresponds to the process identifier carried in the resource access request and is obtained from the client that sent the resource access request. When the management server 102 verifies the authentication request, that is, verifies the first process information, and the management server 102 does not store process information corresponding to the first process information, the management server 102 sends the authentication request to the cloud server 103, which stores the latest process information. The cloud server 103 verifies the first process information and sends the verification result to the management server 102, which then sends the verification result to the terminal 101.
In one possible implementation, fig. 3 is a schematic diagram of yet another resource access system provided in an embodiment of the present application. Referring to fig. 3, the resource access system further includes an access gateway 104. When the resource access request passes the authentication, the terminal 101 accesses the resource through the access gateway 104.
Optionally, a connection between the access gateway 104 and the terminal 101 is established first; the terminal 101 then sends the resource access request to the access gateway 104 over the established connection, and the access gateway 104 performs the resource access based on the resource access request.
In one possible implementation, the resource access system includes a terminal 101, a management server 102, a cloud server 103, and an access gateway 104.
In one possible implementation, for any of the above resource access systems, the resource access system further comprises a service server for storing the resource.
Fig. 4 is a flowchart of a resource access method provided in an embodiment of the present application. The execution body of the embodiment of the application is a terminal. Referring to fig. 4, the method includes the steps of:
401. The terminal intercepts a resource access request sent by the first client based on the first access control information.
Before any resource access request is initiated, the terminal is configured with first access control information, which indicates that when any client in the terminal sends a resource access request, the request is intercepted and a verification operation is performed. When the first client initiates a resource access request, the terminal intercepts it based on the indication of the first access control information and then verifies it based on the verification operation indicated by the first access control information.
The first client is any client installed in the terminal that can initiate resource access; for example, the first client is a video client, a browser, a music client, a game client or another type of client. The resource access request is a request to access any resource, or a request to access a particular type of resource.
402. The terminal verifies its current state information.
After intercepting the resource access request, the terminal acquires its current state information and verifies it to determine whether the terminal is currently allowed to access resources. The state information includes the network information of the network to which the terminal is connected, the resource type of the resource requested by the resource access request, the client information of each client installed in the terminal, and the like.
Passing the state information verification indicates that the terminal is currently secure and may access resources; failing it indicates that the terminal is not secure and may not access resources.
403. When the state information passes verification, the terminal verifies the resource access request based on the first access control information.
Once the state information passes verification, the terminal has determined that it is currently secure, and next needs to verify the resource access request itself. Optionally, the resource access request is verified by the terminal alone, or by both the terminal and the management client.
404. When the resource access request passes verification, the terminal performs resource access based on the resource access request.
Passing verification indicates that the resource access request is permitted to access the resource; therefore, when the resource access request passes verification, resource access is performed based on it.
To ensure that the terminal is secure while accessing resources, the method provided by this embodiment first verifies the terminal's current state information, then, when the state information passes verification (that is, once the terminal is confirmed to be currently secure), verifies the resource access request based on the first access control information, and performs resource access when the resource access request passes verification. Combining the verification of the state information with the verification of the resource access request not only adds verification information but, because it uses the terminal's current state information, also achieves real-time verification of the terminal, making the verification process more complete and improving the security of resource access.
Fig. 5 is a flowchart of a resource access method provided in an embodiment of the present application. The execution subject of the embodiment of the application is a management server. Referring to fig. 5, the method includes the steps of:
501. The management server receives an authentication request sent by the terminal through the management client.
The authentication request carries first process information. The first process information corresponds to the process identifier carried in the resource access request intercepted by the management client and is obtained from the first client that sent the resource access request; the process identifier indicates the process in the first client that requested the resource access. That is, based on the process identifier carried by the resource access request, the terminal obtains the first process information corresponding to the process identifier from the management client and sends an authentication request carrying the first process information to the management server.
502. The management server verifies the authentication request based on the second access control information and returns the verification result of the authentication request to the terminal.
The management server is configured in advance with second access control information indicating that a verification operation is performed when an authentication request is received. After receiving the authentication request, the management server verifies it based on the verification operation indicated by the second access control information to obtain a verification result, which indicates whether the resource access request passes verification. The terminal receives the verification result sent by the management server and, when the verification result indicates that the resource access request passes verification, performs resource access based on the resource access request.
The management server's verification of the authentication request is in fact verification of the first process information carried by the authentication request: if the first process information matches the standard process information corresponding to the process identifier, the authentication request is determined to pass verification.
In the method provided by this embodiment, the management server verifies the resource access request initiated by a client in the terminal and sends the verification result to the terminal, after which the terminal performs the resource access; verification of the resource access request is thus realized through interaction between the terminal and the management server.
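As an added illustration of steps 501 and 502 (example code written for this page, not the patent's implementation), the following Python model checks the first process information carried by an authentication request against the standard process information held by the management server, with the fall-back to a cloud server described for FIG. 2. The fields follow the trusted-client configuration of FIG. 13 (process name, operating system, signature, version, digest); the field names, the two tables, the sample executables and the result format are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional


@dataclass(frozen=True)
class ProcessInfo:
    """One trusted-client entry; field names are assumed, the fields follow FIG. 13."""
    process_name: str
    operating_system: str
    signature: str        # code-signing identity, modelled here as a plain string
    version: str
    sha256: str           # hex digest of the executable


def collect_process_info(process_name: str, operating_system: str, signature: str,
                         version: str, executable: bytes) -> ProcessInfo:
    """Terminal side: build the first process information for the requesting process."""
    return ProcessInfo(process_name, operating_system, signature, version,
                       hashlib.sha256(executable).hexdigest())


# Constructed stand-ins for real executables.
BROWSER_BIN = b"constructed browser executable v1.2.0"
VPN_BIN = b"constructed vpn client executable v4.0.1"

# Standard process information held by the management server, keyed by process identifier.
MANAGEMENT_STANDARD: Dict[str, ProcessInfo] = {
    "proc-browser": collect_process_info("browser.exe", "windows", "Example Corp", "1.2.0", BROWSER_BIN),
}

# Newer table held by the cloud server (FIG. 2); contains entries the management server lacks.
CLOUD_STANDARD: Dict[str, ProcessInfo] = {
    **MANAGEMENT_STANDARD,
    "proc-vpn": collect_process_info("vpn.exe", "windows", "Example Corp", "4.0.1", VPN_BIN),
}


def cloud_lookup(process_id: str) -> Optional[ProcessInfo]:
    """Stands in for the management server's request to the cloud server."""
    return CLOUD_STANDARD.get(process_id)


def verify_authentication_request(process_id: str, first_info: ProcessInfo,
                                  standard_table: Dict[str, ProcessInfo] = MANAGEMENT_STANDARD,
                                  cloud: Callable[[str], Optional[ProcessInfo]] = cloud_lookup
                                  ) -> Dict[str, Any]:
    """Management server side (step 502): compare first process information with the standard."""
    standard = standard_table.get(process_id)
    source = "management_server"
    if standard is None:
        # Not known locally: ask the cloud server, which holds the latest process information.
        standard = cloud(process_id)
        source = "cloud_server"
    if standard is None:
        return {"passed": False, "source": source, "mismatches": ["process_id"]}
    mismatches = [f for f in ("process_name", "operating_system", "signature", "version")
                  if getattr(standard, f) != getattr(first_info, f)]
    # Constant-time comparison for the digest, so the check does not leak via timing.
    if not hmac.compare_digest(standard.sha256, first_info.sha256):
        mismatches.append("sha256")
    return {"passed": not mismatches, "source": source, "mismatches": mismatches}


if __name__ == "__main__":
    info = collect_process_info("browser.exe", "windows", "Example Corp", "1.2.0", BROWSER_BIN)
    print(verify_authentication_request("proc-browser", info))
```

The result carries which table answered the request, so the terminal-facing verification result can be logged together with its provenance; a process whose executable hash no longer matches the standard entry is reported with the exact field that differs.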
Fig. 6 is a flowchart of a resource access method provided in an embodiment of the present application. The execution body of the embodiment of the application is an access gateway. Referring to fig. 6, the method includes the steps of:
601. The access gateway receives a network request sent by the terminal, where the network request carries a verification credential issued to the terminal by the management server.
The network request is sent by the terminal after the management server has verified the terminal's resource access request; the verification credential indicates that the resource access request passed verification, and the network request asks the access gateway to establish a connection with the terminal.
602. The access gateway sends a verification request carrying the verification credential to the management server based on the third access control information.
The access gateway is configured in advance with third access control information indicating that a verification operation is performed when a network request is received.
The access gateway needs to confirm that the resource access request was verified by the management server, and establishes the connection between the access gateway and the terminal only once this is confirmed. Therefore, after receiving the network request, the access gateway sends a verification request to the management server based on the verification operation indicated by the third access control information; the management server verifies the verification credential, that is, checks whether the verification credential was issued by the management server itself, and sends the verification result to the access gateway.
603. When the verification credential passes verification by the management server, the access gateway establishes a connection with the terminal, over which the terminal sends the resource access request.
When the management server's verification of the verification credential passes, that is, when the verification credential is determined to have been issued by the management server, the access gateway establishes the connection between itself and the terminal, and the terminal can then send the resource access request over that connection to access the resource.
In the method provided by this embodiment, when the terminal accesses a resource through the access gateway, the access gateway interacts with the management server so that the management server verifies the verification credential, and a connection for accessing the resource can be established only when the credential passes verification. This prevents the access gateway from establishing a connection on the basis of an invalid verification credential; because the management server verifies the credential, the verification process is more complete and the security of resource access is improved.
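As an added example of the exchange in steps 601 to 603 (written for this page, not the patent's code), the management server below issues a verification credential as an HMAC-SHA256 tag over a small JSON payload, and the access gateway establishes a connection only after the management server confirms that it issued the credential. The HMAC construction, the validity period, the message formats and all class and field names are assumptions; the page states only that the management server checks whether it issued the credential.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Any, Dict


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


class ManagementServer:
    """Issues verification credentials and answers the gateway's verification requests."""

    def __init__(self, signing_key: bytes, validity_seconds: int = 300):
        self._signing_key = signing_key              # never leaves the management server
        self._validity_seconds = validity_seconds    # validity period is an assumption

    def issue_verification_credential(self, user_id: str, process_id: str, issued_at: int) -> str:
        """Issued to the terminal once its resource access request has passed verification."""
        payload = json.dumps({"uid": user_id, "pid": process_id,
                              "exp": issued_at + self._validity_seconds}, sort_keys=True).encode()
        tag = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
        return b64(payload) + "." + b64(tag)

    def handle_verification_request(self, credential: str, now: int) -> Dict[str, Any]:
        """Step 602: decide whether this server issued the credential and it is still valid."""
        try:
            payload_b64, tag_b64 = credential.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return {"passed": False, "reason": "malformed credential"}
        expected = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return {"passed": False, "reason": "credential not issued by this management server"}
        claims = json.loads(payload)
        if claims["exp"] < now:
            return {"passed": False, "reason": "credential expired"}
        return {"passed": True, "claims": claims}


class AccessGateway:
    """Holds the third access control information: verify the credential of every network request."""

    def __init__(self, management_server: ManagementServer):
        self._management_server = management_server
        self.connections: Dict[str, Dict[str, Any]] = {}   # terminal id -> claims of the accepted credential

    def handle_network_request(self, terminal_id: str, credential: str, now: int) -> Dict[str, Any]:
        """Steps 601 to 603: forward the credential for verification; connect only on success."""
        result = self._management_server.handle_verification_request(credential, now)
        if not result["passed"]:
            return {"connected": False, "reason": result["reason"]}
        self.connections[terminal_id] = result["claims"]
        return {"connected": True, "claims": result["claims"]}


if __name__ == "__main__":
    server = ManagementServer(b"constructed-management-server-key")
    gateway = AccessGateway(server)
    cred = server.issue_verification_credential("alice", "proc-browser", issued_at=1_000_000)
    print(gateway.handle_network_request("terminal-101", cred, now=1_000_100))
```

The gateway never sees the signing key; it can only ask the management server, which is exactly the division of roles the steps above describe. A credential minted by a different server, a modified payload, an expired credential and a malformed string are all refused before any connection state is created.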
Figs. 4, 5 and 6 above describe the resource access procedure with the terminal, the management server and the access gateway respectively as the execution subject; the interaction between these devices is described in detail below.
In this embodiment, the first access control information, the second access control information and the third access control information are configured by the management terminal. Before the resource access process is introduced, the configuration of each item of access control information is described.
For example, referring to the gateway configuration interface 701 shown in fig. 7, a trusted gateway is configured through the gateway configuration interface 701, including the gateway name, gateway setup information, and the IP (Internet Protocol) segment that can access the gateway preferentially. A configured gateway can be looked up by entering its name in the gateway query field; a new gateway can be added by triggering the add-gateway control; and multiple configured gateways can be selected and deleted by triggering the bulk-delete control.
Referring to the policy management interface 801 shown in fig. 8, the trusted clients, and the URLs (Uniform Resource Locators) of the resources in the service system that the trusted clients may access, are configured through the policy management interface 801. In fig. 8, as an example, any client installed on the Windows system is a trusted client and may access the resource corresponding to any address in the service system.
Referring to the service system configuration interface 901 shown in fig. 9, the address of the service system, the IP address of the service system, and the port of the service system are configured through the service system configuration interface 901.
Referring to the resource configuration interface 1001 shown in fig. 10, the resource name, resource category, port corresponding to the resource in the service system, group to which the resource belongs, access mode of the resource (direct access or proxy access), and protocol type corresponding to the resource are set through the resource configuration interface 1001.
Referring to the other service system configuration interface 1101 shown in fig. 11, the address of a service system, the domain names of the service system that may be accessed, and the ports of the service system that may be accessed are configured through this interface.
Referring to the other gateway configuration interface 1201 shown in fig. 12, the gateways that may access a service system are configured through the gateway configuration interface 1201; multiple different gateways can be configured for one service system, their priorities can be set, and the gateway with the higher priority accesses the service system preferentially.
Referring to the trusted client configuration interface 1301 shown in fig. 13, a trusted client is configured through the client configuration interface 1301, including the client name, process name, operating system, client signature information, version, process MD5 (Message Digest Algorithm 5) and SHA-256.
In this embodiment, the mapping relationship between access subject, access object and access authority, together with the network attribute information, is configured through the above interfaces. The access subject represents the client requesting resource access, the access object represents the resource to be accessed, the access authority mapping represents that a certain resource access is allowed through a certain client on the basis of a certain user identifier, and the network attribute information includes the network information that allows resource access, as well as the access protocol, access domain name, network request method, request path and so on according to which the resource access is performed. For example, taking the enterprise resources (service system) of an enterprise as the access object, the access subject is the user information and client information of an authorized user who accesses the enterprise resources through the zero trust network access function (a function of the management client), the access authority mapping is that the enterprise resources may be accessed through the client on the basis of user identifier A, and the access authority refers to the read and operation permissions of the access subject on the access object.
It should be noted that this embodiment describes configuring each item of access control information through the above interfaces only as an example; in another embodiment the access control information may be configured through other interfaces, for example the user identifiers allowed to access the service system may be configured, and neither the configuration method nor the specific content of the access control information is limited.
In one possible implementation, the management terminal is provided with a management client, logs in based on the administrator identifier, and then configures the access control information based on the logged-in administrator identifier.
In the embodiment of the application, after the management terminal configures the first access control information, the second access control information and the third access control information, according to the equipment applicable to each item of access control information, each item of access control information is respectively sent to the terminal, the management server and the access gateway, so that the terminal, the management server and the access gateway control resource access based on the received access control information.
Fig. 14 is a flowchart of a resource access method provided in an embodiment of the present application. The interaction subject of the embodiment of the application is a terminal, a management server and an access gateway. Referring to fig. 14, the method includes the steps of:
1401. The terminal, through the management client, intercepts a resource access request sent by the first client based on the first access control information.
The terminal is provided with a management client and a first client, wherein the management client is different from the first client, and the first client is any client except the management client in the terminal. The management client is used for controlling resource access to the clients in the terminal, and the management client stores first access control information which indicates that the resource access request is intercepted under the condition that any client in the terminal sends the resource access request.
In the embodiment of the application, the terminal triggers the resource access through the first client, generates a resource access request, and sends the resource access request, and when the terminal detects the resource access request sent by the first client through the management client, the terminal intercepts the resource access request based on the first access control information.
In one possible implementation, the first access control information includes an interception mode, and indicates that when any client in the terminal sends a resource access request, the request is intercepted according to the interception mode. The interception mode is either a first interception mode or a second interception mode: the first interception mode indicates that a resource access request sent by any client in the terminal for accessing any resource is intercepted, and the second interception mode indicates that a resource access request sent by any client in the terminal for accessing a non-public resource is intercepted.
The management client determines which interception mode it is currently in from the interception mode included in the first access control information, and the terminal then intercepts the corresponding resource access requests according to that mode. When the management client is in the first interception mode, the terminal intercepts the resource access request.
Alternatively, when the management client is in the second interception mode and the target address carried by the resource access request belongs to the first address set, the terminal intercepts the resource access request. That is, in the second interception mode it must be determined whether the resource requested by the resource access request is a non-public resource: if it is, the resource access request is intercepted; if it is not, the request is not intercepted, the terminal accesses the resource directly based on the resource access request, and none of the subsequent steps is performed. The target address is the address corresponding to the resource to be accessed, and the first address set contains the addresses of non-public resources. Non-public resources are resources that can only be accessed when logged in with a user identifier that has access authority; for example, the non-public resources are the enterprise resources of an enterprise, an administrator grants access authority to the user identifiers of the enterprise's employees, and the enterprise resources can be accessed after logging in with a user identifier that has that authority. The target address is, for example, an IP address or a domain name.
In one possible implementation, the management client includes a first sub-client, through which the resource access request is intercepted based on the first access control information. Optionally, the terminal intercepts the resource access request under the condition that the first sub-client is in a first interception mode; or the terminal intercepts the resource access request under the condition that the first sub-client is in the second interception mode and the target address carried by the resource access request belongs to the first address set.
In one possible implementation, the resource access request carries a source IP address or domain name, a source port, a destination IP address or domain name, a destination port, and a process identifier indicating the process requesting the resource access.
1402. The terminal verifies its current state information.
In this embodiment, it is considered that the resources accessed by the terminal change in real time: the resource requested at different moments may differ, the network to which the terminal is connected may change with the environment the terminal is in, and the clients installed on the terminal may also change. Therefore, to ensure that the terminal's own state is secure, its current state information must be verified.
In one possible implementation, the state information includes the network information of the network to which the terminal is currently connected; for example, the network information includes the network IP, network type and network name of the physical network card. The terminal acquires the network information of the currently connected network and, when the network information matches the target network information, determines that the state information passes verification, where the target network information is the network information of the secure network. The network information matching the target network information means that the network IPs are the same.
Optionally, the state information further includes the user identifier logged in to the management client; when the network information does not match the target network information, the user identifier is verified, and when the user identifier passes verification, the state information is determined to pass verification. That is, even though the network information does not match the target network information (the network to which the terminal is connected has changed), the user identifier is verified, and if it passes verification this indicates that the user identifier has authority to access the resource, so the state information is still considered to pass verification. By verifying the network information and the user identifier, the method can identify whether the user identifier is being used to log in from a different location; when such a remote login is identified, the user identifier is verified, and when the user identifier is determined to have authority to access the resource, the state information is determined to pass verification so that the resource access process can continue.
In one possible implementation, the state information includes the resource type of the resource requested by the resource access request. The terminal acquires the resource type of the requested resource and, when the resource type is the public resource type, determines that the state information passes verification. Resources of the public resource type are resources that a client logged in with any user identifier is allowed to access. That is, when the terminal recognizes that the requested resource is a public resource, it determines that any user identifier can access the resource, and therefore the user identifier does not need to be verified again. A public resource is a resource accessible on the basis of any user identifier; for example, a public resource is a resource published on the network.
Optionally, the state information further includes the user identifier logged in to the management client; when the resource type is a non-public resource type, the user identifier is verified, and when the user identifier passes verification, the state information is determined to pass verification. That is, even though the requested resource belongs to a non-public resource type, the user identifier is verified, and if it passes verification this indicates that the user identifier has authority to access the resource, so the state information is still considered to pass verification. By verifying the resource type and the user identifier, the method identifies whether the user identifier has authority to access the resource, and when the user identifier is confirmed to have that authority, the state information is determined to pass verification so that the resource access process can continue.
For example, resources belonging to a non-public resource type include user information such as user identification and login password, sensitive information such as login credentials and network request credentials, and enterprise resources of a certain enterprise.
Optionally, the terminal analyzes the resource access request to obtain a target address carried in the resource access request, and obtains a resource type to which the resource corresponding to the target address belongs based on the target address. For example, the resource type is determined according to a field in the target address, or the resource type is determined according to a correspondence between the address and the resource type, which is not limited in the manner of determining the resource type in the embodiment of the present application.
In one possible implementation manner, the verifying the user identifier includes: and in the case that the user identifier belongs to the target identifier set, determining that the user identifier passes verification, wherein the user identifier contained in the target identifier set has the authority to access the resource. Optionally, the target identifier set includes a first identifier set and a second identifier set, and if the network information does not match the target network information, determining whether the user identifier belongs to the first identifier set; in the case that the resource type is a non-common resource type, it is determined whether the user identity belongs to the second set of identities. The user identifiers contained in the first identifier set and the second identifier set may or may not be identical. Optionally, the first identifier set or the second identifier set may further include a plurality of subsets, where different subsets include user identifiers that have different time periods for accessing resources, so that when verifying the user identifier, it is further required to verify whether the current time belongs to a time period in which the user identifier allows access. For example, the user identifier is allowed to access resources at 8:00-18:00, and the current time is 20:00, and the user identifier is determined to be failed to be verified.
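The network-information check, the resource-type check and the user-identifier fallback described above, written out as an added example (this is illustrative code, not code from the patent or from Tencent). The secure-network IP, the two identifier sets and the access windows are constructed assumptions; the example also handles a time window that wraps past midnight, which the text does not show.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List

# Constructed sample data: the secure-network IP, the identifier sets and the
# access windows below are assumptions for illustration, not values from the page.
TARGET_NETWORK_IP = "10.0.0.25"   # IP the terminal holds on the secure network
PUBLIC_RESOURCE_TYPE = "public"


@dataclass(frozen=True)
class AccessWindow:
    """Time period during which a user identifier is allowed to access resources."""
    start: time
    end: time

    def contains(self, now: time) -> bool:
        # A window that wraps past midnight (e.g. 22:00-06:00) is handled as well.
        if self.start <= self.end:
            return self.start <= now < self.end
        return now >= self.start or now < self.end


@dataclass
class IdentifierSet:
    """Target identifier set: user identifier -> windows in which access is allowed.
    Grouping identifiers by window is the page's 'subsets with different time periods'."""
    members: Dict[str, List[AccessWindow]] = field(default_factory=dict)

    def verify(self, user_id: str, now: time) -> bool:
        windows = self.members.get(user_id)
        if windows is None:
            return False   # identifier is not in the set at all
        return any(w.contains(now) for w in windows)


# First identifier set: consulted when the network information does not match.
FIRST_SET = IdentifierSet({
    "alice": [AccessWindow(time(8, 0), time(18, 0))],
    "bob": [AccessWindow(time(0, 0), time(23, 59, 59))],
})
# Second identifier set: consulted when the resource is of a non-public type.
SECOND_SET = IdentifierSet({
    "alice": [AccessWindow(time(8, 0), time(18, 0))],
})


def verify_network(network_ip: str, user_id: str, now: time) -> bool:
    """Network check: pass when the current IP is the secure network's IP;
    otherwise (terminal moved to another network) fall back to the first set."""
    if network_ip == TARGET_NETWORK_IP:
        return True
    return FIRST_SET.verify(user_id, now)


def verify_resource_type(resource_type: str, user_id: str, now: time) -> bool:
    """Resource-type check: public resources pass for any identifier; a
    non-public resource requires the identifier to be in the second set."""
    if resource_type == PUBLIC_RESOURCE_TYPE:
        return True
    return SECOND_SET.verify(user_id, now)
```

With these sets, `verify_network("192.168.1.5", "alice", time(20, 0))` reproduces the page's example: the terminal is off the secure network, alice is in the first set, but 20:00 lies outside her 8:00 to 18:00 window, so the identifier fails verification.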
In one possible implementation, the state information includes client information for each client installed on the terminal, where the client information is description information about the client; for example, it includes the MD5 of the executable file corresponding to the client, its file version information, copyright information, file description, product information, product name, signature information, root certificate, intermediate certificate, signing certificate, and the like. The terminal acquires the current client information of each installed client and verifies it: if each item of client information matches the corresponding target client information, the client information is determined to pass verification, that is, the state information passes verification; if any item of client information does not match its corresponding target client information, the client information is determined to fail verification, that is, the state information fails verification.
Optionally, the terminal stores the target client information corresponding to each client and matches the client information against it directly. Alternatively, the terminal sends the client information of each client to the server corresponding to that client, which stores the target client information, performs the matching, and returns the matching result to the terminal.
In one possible implementation, the verification of the client information further includes checks such as antivirus scanning, vulnerability patching, security hardening, data protection, real-time protection and heartbeat detection. If these checks pass, the subsequent resource access procedure is allowed to continue. If an abnormal item exists that cannot be repaired automatically and requires manual repair, a prompt interface is displayed showing the reason for the abnormal item and a repair suggestion, and resource access is forbidden until the user has repaired it.
In one possible implementation, the terminal verifies its current state information through the management client, that is, the state information verification process is carried out by the management client.
For example, referring to the login interface 1501 of the management client shown in fig. 15, when the management client is logged in with the user identifier and the network information of the network to which the terminal is currently connected matches the target network information, a first presentation interface 1601 shown in fig. 16 is displayed, which contains prompt information telling the user that a secure network is connected and resource access is possible. Alternatively, a second presentation interface 1602 shown in fig. 16 is displayed, which contains prompt information telling the user which clients in the current terminal are available for resource access.
The management client can also verify the terminal's state information; for example, the verification interface 1701 shown in fig. 17 checks items such as whether each client is secure and whether any running process is in violation. When a process in violation is detected, a prompt interface 1801 shown in fig. 18 is displayed to tell the user that a violating process currently exists; the management client can then repair it automatically, or the user can repair it manually. If the repair succeeds, a detection interface 1901 shown in fig. 19 is displayed; if it fails and the issue is not repaired, a presentation interface 2001 shown in fig. 20 is displayed to inform the user that the current state information verification has not passed and resource access is not possible.
It should be noted that the embodiment of the present application only takes verifying the state information once, after intercepting the resource access request, as an example; in another embodiment the terminal can periodically verify its state information through the management client.
The above verification methods for the state information can be executed separately or in combination, that is, at least two of the three verification methods are used to verify the state information: if all of the selected methods pass, the state information is determined to pass verification, and if any one of them fails, the state information is determined to fail verification.
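The client-information check (every installed client must match its target description, a single mismatch fails the state) and the combination rule just stated, as an added example that is not the patent's or Tencent's code. The client names, hashes, versions and signer names are constructed assumptions; `mismatched_fields` also reports which field differed, which the text does not require but a defender would want in a log.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List

# Constructed sample data: the client names, hashes, versions and signer names
# are assumptions for illustration, not values from the page.


@dataclass(frozen=True)
class ClientInfo:
    """Description information of a client, a subset of the fields the page lists."""
    md5: str            # MD5 of the client's executable file
    file_version: str
    product_name: str
    signer: str         # subject of the signing certificate
    root_cert: str      # issuer of the root certificate


# Target client information held by the terminal (or by the client's own server).
TARGET_CLIENTS: Dict[str, ClientInfo] = {
    "mail": ClientInfo("5d41402abc4b2a76b9719d911017c592", "3.2.1",
                       "Mail", "Example Corp", "Example Root CA"),
    "vpn": ClientInfo("7d793037a0760186574b0282f2f435e7", "1.0.9",
                      "VPN", "Example Corp", "Example Root CA"),
}


def mismatched_fields(current: ClientInfo, target: ClientInfo) -> List[str]:
    """Names of the fields that differ; an empty list means the client matches."""
    cur, tgt = asdict(current), asdict(target)
    return [name for name in cur if cur[name] != tgt[name]]


def verify_client_information(installed: Dict[str, ClientInfo]) -> bool:
    """Every installed client must match its target information. One mismatch,
    or a client with no target information at all, fails the whole state check."""
    for name, info in installed.items():
        target = TARGET_CLIENTS.get(name)
        if target is None or mismatched_fields(info, target):
            return False
    return True


def verify_state(checks: List[Callable[[], bool]]) -> bool:
    """Combine the selected state checks (network, resource type, client
    information): the state passes only if every selected check passes."""
    return all(check() for check in checks)
```

A client that has been rebuilt or patched on disk changes its MD5 while keeping the product name and signer strings, so the hash is the field that catches tampering first; the certificate fields catch a re-signed binary.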
In one possible implementation, the terminal includes a terminal context awareness module through which the state information of the terminal can be obtained. In the enterprise resource access scenario, the management client includes an enterprise resource security policy service; after the terminal acquires the state information, it sends the state information to that service, which adjusts the access rules of the business system accordingly.
In the embodiment of the present application, verifying the current state information of the terminal realizes a dynamic evaluation of the resource access request, that is, the state information is checked in real time, which ensures that the terminal is secure and that the subsequent verification of the resource access request can be carried out effectively.
1403. If the state information verification passes, the terminal verifies, based on the first access control information, the first process information corresponding to the process identifier carried by the resource access request.
Here the first access control information indicates the verification operation to be performed on the intercepted resource access request. The resource access request carries a process identifier that indicates the process requesting access to the resource.
In one possible implementation, the state information of the terminal may change, and if it changes after the state information has been verified, it cannot be determined whether the changed state information would still pass verification, that is, it cannot be guaranteed that the terminal is still secure. To avoid this, the terminal verifies the first process information based on the first access control information within a target duration after the state information passes verification. The target duration is any of a number of durations, such as 30 seconds, 1 minute or another duration.
In one possible implementation, if the state information verification passes, the terminal acquires from the first client, based on the process identifier, the first process information corresponding to that identifier, where the first process information is the current actual process information in the first client; the terminal also acquires from the management client, based on the process identifier, the second process information corresponding to that identifier, where the second process information is the process information stored by the management client. The terminal then determines whether the first process information matches the second process information. If they match, the current first process information of the first client is accurate and the subsequent resource access process can be executed; if they do not match, the current first process information of the first client may have been tampered with, that is, the first client is not a secure client, and the subsequent resource access process is not executed, in order to guarantee access security.
Optionally, the first process information includes the MD5, process path, latest modification time of the process, copyright information and signature information. The first process information matches the second process information only if every item of information in the first process information is identical to the corresponding item in the second process information; if any one item differs, the two are determined not to match.
In another possible implementation, if the management client does not store process information corresponding to the process identifier, the terminal cannot verify the first process information itself, and the management server needs to verify it.
The embodiment of the present application only takes the case where the state information verification passes as an example; in another embodiment, if the state information verification does not pass, the terminal deletes the resource access request and does not perform resource access based on it.
1404. If the first process information meets the condition, the terminal sends an authentication request carrying the first process information to the management server based on the first access control information.
The first process information meeting the condition means that the first process information matches the second process information, or that the management client stores no process information corresponding to the process identifier. The authentication request asks the management server to verify the first process information. The first access control information indicates the verification operation to be performed when the first process information meets the condition.
In the embodiment of the present application, even when the first process information matches the second process information, the second process information stored by the management client may not have been updated in time and may therefore be inaccurate, so the match alone cannot guarantee that the first process information is accurate. An authentication request is therefore sent to the management server, which performs a second verification of the first process information; this improves the accuracy of the verification result and hence the security of resource access. When the management client stores no process information corresponding to the process identifier, the terminal cannot verify whether the first process information is accurate at all, so the management server must verify it.
1405. The management server verifies the authentication request based on the second access control information and sends the verification result of the authentication request to the terminal.
Here the second access control information indicates that the verification operation is performed when an authentication request is received. The verification result of the authentication request indicates whether the resource access request passes verification; the authentication request carries the process identifier and the first process information.
In one possible implementation, the management server obtains, based on the process identifier, the third process information it stores for that identifier and matches the first process information against the third process information. If they match, it determines that the authentication request passes verification, that is, the resource access request passes verification, and issues a verification credential to the terminal. If they do not match, it determines that the authentication request fails verification, that is, the resource access request fails verification, and sends a verification failure notification to the terminal; after receiving that notification, the terminal does not execute the subsequent resource access process.
Optionally, the first process information includes the MD5, process path, latest modification time of the process, copyright information and signature information. The first process information matches the third process information only if every item of information in the first process information is identical to the corresponding item in the third process information; if any one item differs, the two are determined not to match.
Optionally, the verification credential includes a verification pass notification, a maximum number of uses and a validity time. The verification pass notification indicates that the resource access request has passed verification, the maximum number of uses is the number of times resource access may be performed based on the resource access request, and the validity time is the period during which the verification credential can be used.
In another possible implementation, if the management server does not store process information corresponding to the process identifier locally, it sends the authentication request to a cloud server that stores the latest process information; after receiving the authentication request, the cloud server verifies the first process information based on it and returns the verification result of the first process information to the management server. The cloud server's verification of the first process information includes: matching the first process information against the process information it stores for the process identifier; if they match, determining that the first process information passes verification and returning a first process information verification pass notification to the management server; if they do not match, determining that the first process information fails verification and returning a first process information verification failure notification to the management server.
If the management server receives the first process information verification pass notification, it issues a verification credential to the terminal; if it receives the first process information verification failure notification, it sends a verification failure notification to the terminal.
Optionally, after verifying the first process information, the cloud server sends third process information to the management server, where the third process information is the process information stored by the cloud server for the process identifier, and the management server stores the third process information against the process identifier. Optionally, to prevent other devices from tampering with the third process information, it is stored in encrypted form, for example using white-box cryptography or another encryption method; the embodiment of the present application does not limit the encryption method.
In one possible implementation, the management server verifies the first process information if the process identifier belongs to a process identifier set, where the process identifier set contains the process identifiers of processes allowed to access the resource.
In one possible implementation, after the management server verifies the first process information, it sends the third process information stored for the process identifier to the management client. After receiving the third process information from the management server, the management client updates the second process information based on the third process information if it already stores second process information corresponding to the process identifier; if it stores no process information corresponding to the process identifier, it stores the third process information as the second process information for that identifier. Optionally, the management client stores the second process information in encrypted form.
In addition, in one possible implementation, to ensure that the third process information stored by the management server is accurate, the management server periodically initiates an asynchronous detection request to the cloud server carrying the third process information and the corresponding process identifier. The cloud server determines, based on the process information it stores locally, whether the received third process information is the latest; if it is not, the cloud server issues the latest third process information for that process identifier to the management server, which replaces the original third process information with it. Optionally, after updating the third process information, the management server sends the updated third process information to the management client so that the management client updates the second process information corresponding to the process identifier, ensuring that the second process information stored by the management client is up to date.
It should be noted that the embodiment of the present application only takes an authentication request carrying the first process information and the process identifier as an example; in another embodiment, the authentication request further carries the source address, source port, destination address and destination port. The management server then also determines, based on a target correspondence, whether the resource at the destination address and destination port may be accessed from the source address and source port. The target correspondence records, for each source address and source port that requests access to a resource, the destination address and destination port of the resources it may access. If the source address and source port correspond to the destination address and destination port in the target correspondence, it is determined that resource access may be performed through the resource access request.
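The process-information chain of steps 1403 to 1405 (terminal match against the management client's second copy within the target duration, management server match against its third copy, cloud fallback when the server holds nothing, the process identifier set, and the source/destination correspondence), as an added example that is not the patent's or Tencent's code. Process identifiers, hashes, paths, timestamps, addresses and the 30 s target duration are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: process identifiers, hashes, paths, timestamps and
# the 30 s target duration are assumptions for illustration, not page values.
TARGET_DURATION_S = 30


@dataclass(frozen=True)
class ProcessInfo:
    """The fields the page lists for process information."""
    md5: str
    path: str
    mtime: int        # latest modification time, epoch seconds
    copyright: str
    signature: str


def process_info_matches(a: ProcessInfo, b: ProcessInfo) -> bool:
    """Match only if every field is identical (frozen dataclass equality)."""
    return a == b


class ManagementClient:
    """Terminal side: holds the second process information."""

    def __init__(self, second: Dict[str, ProcessInfo]):
        self.second = second

    def check(self, pid: str, first: ProcessInfo,
              state_verified_at: int, now: int) -> str:
        if now - state_verified_at > TARGET_DURATION_S:
            return "state-expired"        # target duration passed: re-verify state first
        stored = self.second.get(pid)
        if stored is None:
            return "send-auth-request"    # nothing stored locally: server must verify
        if process_info_matches(first, stored):
            return "send-auth-request"    # local match: server still gives a second opinion
        return "drop"                     # mismatch: possibly tampered, do not continue

    def update(self, pid: str, third: ProcessInfo) -> None:
        """Store or refresh second process information from the server's third copy."""
        self.second[pid] = third


class CloudServer:
    """Holds the latest process information; consulted when the server has none."""

    def __init__(self, latest: Dict[str, ProcessInfo]):
        self.latest = latest

    def verify(self, pid: str, first: ProcessInfo) -> Tuple[bool, Optional[ProcessInfo]]:
        stored = self.latest.get(pid)
        if stored is None:
            return False, None
        return process_info_matches(first, stored), stored


class ManagementServer:
    def __init__(self, third: Dict[str, ProcessInfo], allowed_pids: Set[str],
                 cloud: CloudServer, correspondence: Set[Tuple[str, int, str, int]]):
        self.third = third                    # third process information per identifier
        self.allowed_pids = allowed_pids      # process identifier set
        self.cloud = cloud
        self.correspondence = correspondence  # (src addr, src port, dst addr, dst port)

    def verify(self, pid: str, first: ProcessInfo, src: Tuple[str, int],
               dst: Tuple[str, int]) -> Tuple[bool, Optional[ProcessInfo]]:
        """Returns (passed, third process information to push to the management client)."""
        if pid not in self.allowed_pids:
            return False, None
        if src + dst not in self.correspondence:
            return False, None            # this source may not reach that destination
        third = self.third.get(pid)
        if third is None:
            ok, latest = self.cloud.verify(pid, first)
            if latest is not None:
                self.third[pid] = latest  # cache the cloud copy as third process information
            return ok, latest
        return process_info_matches(first, third), third
```

The second element returned by `ManagementServer.verify` is what the server pushes back so that `ManagementClient.update` can refresh its second copy, which is the synchronisation the text describes after the server-side check.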
1406. The terminal receives the verification result returned by the management server and, if the verification result indicates that the resource access request passes verification, sends a network request carrying the verification credential to the access gateway through the management client.
If the terminal receives the verification credential, it determines that the resource access request has passed verification and continues the resource access process. The embodiment of the present application takes resource access through an access gateway as an example; when accessing through the access gateway, a connection between the terminal and the access gateway must first be established, so a network request carrying the verification credential is sent to the access gateway through the management client.
It should be noted that the embodiment of the present application only takes the case where the verification result indicates that the resource access request passes verification as an example; in another embodiment, if the verification result indicates that the resource access request fails verification, the resource access request is deleted and the subsequent resource access process is not executed. In addition, to prevent the target process corresponding to the process identifier from performing subsequent resource access, the target process is terminated or added to a blacklist, where every process whose identifier is on the blacklist is a process that cannot perform resource access.
Another point to note is that the embodiment of the present application performs resource access through an access gateway; in another embodiment, the management client may send the resource access request directly to the corresponding service server, that is, perform direct access.
1407. The access gateway receives the network request and sends a verification request carrying the verification credential to the management server based on the third access control information.
Here the third access control information indicates that the verification operation is performed after the network request is received. To ensure the authenticity of the verification credential, the access gateway, after receiving the network request, sends a verification request carrying the verification credential to the management server, asking it to verify that the credential is genuine.
In one possible implementation, after receiving the network request, the access gateway parses it and obtains the verification credential from a header field of the network request.
1408. The management server receives the verification request, verifies the verification credential and returns the verification result of the verification credential to the access gateway.
After receiving the verification request, the management server verifies the verification credential by determining whether it was issued by the management server itself. If so, it determines that the verification credential passes verification and sends a verification pass notification for the credential to the access gateway; if it determines that the verification credential was not issued by the management server, it determines that the credential fails verification and sends a verification failure notification for the credential to the access gateway.
In one possible implementation, when the verification credential passes, the management server increments the number of uses recorded for that credential by one and stores the count. The management server also verifies whether the current number of uses of the credential has reached the maximum number of uses: if it has not, the credential is determined to pass verification; if the maximum number of uses has been reached, the credential is determined to fail verification.
In one possible implementation, where the verification credential includes a validity time, the management server verifies whether the credential's validity time has already elapsed: if it has not, the credential is determined to pass verification; if it has, the credential is determined to fail verification.
In one possible implementation, the second access control information further indicates that the verification operation is performed after the verification request is received, and the management server verifies the verification credential based on the second access control information. Optionally, the second access control information indicates verifying the authenticity of the verification credential, its number of uses and its validity time.
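The verification credential lifecycle of steps 1405 to 1408 (issue with a maximum number of uses and a validity time, carry it in a request header, gateway extracts it, management server checks authenticity, validity time and use count), as an added example that is not the patent's or Tencent's code. The text does not say how the server recognises its own credential; this example assumes an HMAC tag under a server-held key plus a server-side issuance record, and the key, header name and identifiers are constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample: the signing key, header name and all identifiers are
# assumptions for illustration, not values from the page.
SERVER_KEY = b"constructed-demo-key-not-for-production"
HEADER_NAME = "X-Verification-Credential"


@dataclass(frozen=True)
class Credential:
    cred_id: str
    pid: str           # process identifier the credential was issued for
    max_uses: int
    expires_at: int    # epoch seconds; end of the validity time
    tag: str           # HMAC over the other fields; proves this server issued it

    def to_header(self) -> str:
        return json.dumps([self.cred_id, self.pid, self.max_uses, self.expires_at, self.tag])

    @staticmethod
    def from_header(value: str) -> "Credential":
        cred_id, pid, max_uses, expires_at, tag = json.loads(value)
        return Credential(cred_id, pid, int(max_uses), int(expires_at), tag)


def _tag(cred_id: str, pid: str, max_uses: int, expires_at: int) -> str:
    msg = json.dumps([cred_id, pid, max_uses, expires_at]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class ManagementServer:
    """Issues credentials (step 1405) and verifies them for the gateway (step 1408)."""

    def __init__(self) -> None:
        self.uses: Dict[str, int] = {}   # number of uses recorded per credential

    def issue(self, pid: str, max_uses: int, now: int, validity_s: int) -> Credential:
        cred_id = secrets.token_hex(8)
        expires_at = now + validity_s
        self.uses[cred_id] = 0
        return Credential(cred_id, pid, max_uses, expires_at,
                          _tag(cred_id, pid, max_uses, expires_at))

    def verify(self, cred: Credential, now: int) -> Tuple[bool, str]:
        # 1. authenticity: tag must match and the id must be in this server's record,
        #    so a credential with an edited max_uses or expiry is rejected
        expected = _tag(cred.cred_id, cred.pid, cred.max_uses, cred.expires_at)
        if not hmac.compare_digest(cred.tag, expected) or cred.cred_id not in self.uses:
            return False, "not-issued-by-server"
        # 2. validity time
        if now > cred.expires_at:
            return False, "validity-time-exceeded"
        # 3. number of uses: a use is counted only for a request that passes all checks
        if self.uses[cred.cred_id] >= cred.max_uses:
            return False, "max-uses-reached"
        self.uses[cred.cred_id] += 1
        return True, "ok"


def gateway_extract_credential(headers: Dict[str, str]) -> Credential:
    """Step 1407: the gateway parses the credential out of the network request header."""
    return Credential.from_header(headers[HEADER_NAME])
```

Keeping the use counter on the server rather than inside the credential is what makes the maximum number of uses enforceable: a client cannot reset a counter it never holds, and a replayed credential runs into the same server-side count.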
1409. And the access gateway establishes connection between the access gateway and the terminal under the condition that the verification credentials pass verification.
1410. The terminal sends a resource access request to the access gateway based on the established connection.
And the access gateway establishes connection between the access gateway and the terminal under the condition that the verification credentials pass verification, so that the terminal sends a resource access request to the access gateway through the established connection.
In one possible implementation, the access gateway establishes a connection between the access gateway and the management client, and sends a resource access request to the access gateway based on the established connection through the management client.
In one possible implementation, the third access control information further indicates that a verification operation is performed on the request format of the resource access request. And after receiving the resource access request, the access gateway determines whether the request format of the resource access request is consistent with the target format based on the third access control information. Wherein the target format indicates the format of the address and port carried in the request, the path of the request, etc.
In one possible implementation manner, the third access control information further indicates that a verification operation is performed on a source IP address carried by the resource access request, the access gateway obtains the source IP address carried by the resource access request, verifies the source IP address, and performs a subsequent resource access process if the source IP address verification is passed.
Optionally, the access gateway verifies whether the source IP address belongs to a legitimate IP address. For example, the access gateway stores a blacklist of IP addresses, determines whether the source IP address belongs to an address in the blacklist, and determines that the source IP address is legal if the source IP address does not belong to the blacklist; or the access gateway stores a white list of IP addresses, determines whether the source IP address belongs to the address in the white list, and determines that the source IP address is legal, namely the source IP address verification is passed, under the condition that the source IP address belongs to the white list.
Optionally, the access gateway verifies whether the access frequency of the source IP address exceeds a first target threshold, determines that the source IP address verification is not passed if the access frequency exceeds the first target threshold, and determines that the source IP address verification is passed if the access frequency does not exceed the first target threshold. For example, verifying whether the access amount of the source IP address exceeds a first target threshold, where the access total amount refers to a total number of resource accesses based on the source IP address, and the first target threshold is any value set in advance; or verifying whether the access amount of the source IP address in the target duration exceeds a first target threshold, where the access amount in the target duration refers to a total number of resource accesses performed in the target duration based on the source IP address, and the target duration refers to a period of time between current time points, for example, the target duration is 1 hour, 1 day or other duration before the current time point, and the first target threshold is any value set in advance; or verifying whether the access amount of the source IP address in a target time period exceeds a first target threshold, wherein the access amount in the target time period refers to the total number of resource access times in the target time period based on the source IP address, the target time period refers to a preset time period, the first target threshold corresponding to different time periods can be different, for example, the target time period is 8:00-18:00, and the first target threshold is 100 times in the time period of 8:00-18:00; the target time period is 18:00-22:00, and the first target threshold value is 10 times in the time period of 18:00-22:00; the target time period is 22:00-6:00, and the first target threshold is 5 times in the time period of 22:00-6:00.
In one possible implementation manner, the third access control information further indicates to perform a verification operation on a resource access path carried by the resource access request, the access gateway obtains the resource access path carried by the resource access request, verifies the resource access path, and performs a subsequent resource access process if the resource access path verification passes.
Optionally, the access gateway verifies whether the resource corresponding to the resource access path is an accessible resource. For example, the access gateway stores a first path set corresponding to accessible resources: if the resource access path belongs to the first path set, the path passes verification and resource access can proceed based on it; if not, the path fails verification and the subsequent resource access process is not performed. Or the access gateway stores a second path set corresponding to inaccessible resources: if the resource access path does not belong to the second path set, the path passes verification and resource access can proceed; if it does belong to the second path set, the path fails verification and the subsequent resource access process is not performed.
Optionally, if the resource access path passes verification, the access gateway further verifies whether the access frequency of the resource corresponding to the resource access path exceeds a second target threshold; if it does, the resource cannot be accessed further, and if it does not, the resource can still be accessed. For example, the gateway verifies whether the access amount of the resource within a target duration exceeds the second target threshold, where that access amount is the total number of requests to access the resource during a period ending at the current time point (for example, the hour or the day before the current time point) and the second target threshold is a value set in advance. Further, since the resource access request carries a source IP address, the gateway can verify whether the access amount of the resource from that source IP address within the target duration exceeds the second target threshold.
Optionally, the access gateway sets different second target thresholds for different time periods. For example, for the time period 8:00-12:00 the second target threshold is 500 accesses: the gateway verifies whether the number of accesses to the resource in 8:00-12:00 exceeds 500, determines that the resource cannot be accessed further in that period if it does, and determines that the resource can continue to be accessed in that period if it does not. Further, a second target threshold for each time period can be set per source IP address.
Note that the second target threshold value corresponding to the resource corresponding to the different resource access paths may be the same or different.
It should also be noted that this embodiment uses verification of the source IP address, of its access frequency, and of the resource access path only as examples; in other embodiments the access gateway can verify other information carried by the resource access request, which is not limited here.
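The following is an added example, not code from the patent, of the gateway-side checks just described: the source IP list, the per-source-IP access frequency against time-of-day thresholds (the 100/10/5 values quoted above), the accessible path set, and the per-path frequency with its own time period and threshold. The request fields, the choice of a blacklist rather than a whitelist, the half-open period boundaries and the threshold values are assumptions made for the example; the wrapping 22:00-6:00 period is counted as one period instance across midnight, which the text implies but does not state.

```python
"""Access-gateway request checks: source IP list, per-source-IP access frequency against
time-of-day thresholds, accessible path set, and per-path frequency.
Added example; threshold values, period layout and request fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import ipaddress


@dataclass(frozen=True)
class Request:
    source_ip: str
    path: str
    at: datetime


def in_period(t: time, start: time, end: time) -> bool:
    """Half-open [start, end); a period with start > end wraps past midnight (22:00-6:00)."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def period_day(at: datetime, start: time, end: time):
    """Calendar day a period instance is counted under; the after-midnight part of a
    wrapping period belongs to the day on which that period started."""
    if start > end and at.time() < end:
        return (at - timedelta(days=1)).date()
    return at.date()


class PeriodLimiter:
    """Counts accesses per (key, period, day) and refuses an access once the period's
    threshold would be exceeded. periods: list of (start, end, threshold)."""

    def __init__(self, periods):
        self.periods = periods
        self.counts = defaultdict(int)

    def allow(self, key, at: datetime) -> bool:
        for idx, (start, end, threshold) in enumerate(self.periods):
            if in_period(at.time(), start, end):
                bucket = (key, idx, period_day(at, start, end))
                if self.counts[bucket] >= threshold:
                    return False          # this access would exceed the threshold
                self.counts[bucket] += 1
                return True
        return True                       # no threshold configured for this time of day (assumption)


class AccessGateway:
    def __init__(self, ip_blacklist, accessible_paths, ip_periods, path_periods):
        self.ip_blacklist = [ipaddress.ip_network(n) for n in ip_blacklist]
        self.accessible_paths = set(accessible_paths)    # the "first path set"
        self.ip_limiter = PeriodLimiter(ip_periods)      # first target thresholds
        self.path_limiter = PeriodLimiter(path_periods)  # second target thresholds

    def verify(self, req: Request) -> str:
        """Returns "pass" or the reason verification failed, checks in the order the text lists them."""
        ip = ipaddress.ip_address(req.source_ip)
        if any(ip in net for net in self.ip_blacklist):
            return "ip_not_legal"
        # The attempt is counted before the path check, so requests for forbidden
        # paths still consume the source's budget.
        if not self.ip_limiter.allow(req.source_ip, req.at):
            return "ip_frequency_exceeded"
        if req.path not in self.accessible_paths:
            return "path_not_accessible"
        if not self.path_limiter.allow(req.path, req.at):
            return "path_frequency_exceeded"
        return "pass"


def example_gateway() -> AccessGateway:
    """Gateway configured with the thresholds quoted in the text (illustrative values)."""
    return AccessGateway(
        ip_blacklist=["203.0.113.0/24"],
        accessible_paths={"/api/doc", "/api/hr"},
        ip_periods=[(time(8), time(18), 100), (time(18), time(22), 10), (time(22), time(6), 5)],
        path_periods=[(time(8), time(12), 500)],
    )


if __name__ == "__main__":
    gw = example_gateway()
    night = datetime(2024, 1, 1, 23, 0)
    # constructed traffic: the sixth request in the 22:00-6:00 period is refused
    print([gw.verify(Request("198.51.100.5", "/api/doc", night)) for _ in range(6)])
```

A per-source-IP-per-path threshold, the further variant mentioned above, is the same limiter keyed on `(source_ip, path)` instead of `path`.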
1411. The access gateway sends a resource access request to the service server.
In one possible implementation manner, the access gateway determines a service server corresponding to a target address based on the target address carried in the resource access request, and sends the resource access request to the determined service server.
The service server sends corresponding target resources to the access gateway based on the received resource access request, then the target resources are sent to the management client through the access gateway, and the management client forwards the target resources to the first client, so that the resource access of the first client is completed.
In addition, referring to the schematic diagram of the resource access method shown in fig. 21, the management client, the management server and the access gateway are used as the providers of the zero-trust network security service, and a unified portal is provided between the access subject and the access object through the management client and the access gateway, so that the access subject can request the management server to perform authentication operation on the resource access request through the unified portal, and then perform actual resource access through the access gateway when the resource access request passes verification.
To ensure that the terminal is safe during resource access, the method of this embodiment first verifies the current state information of the terminal and, only when that verification passes (that is, only when the terminal is currently known to be safe), verifies the resource access request based on the first access control information; resource access is performed only when the resource access request also passes. Combining verification of the state information with verification of the resource access request not only adds verification information but, because the terminal's current state is used, allows real-time verification of the terminal, which makes the verification process more complete and improves the security of resource access.
In addition, in this embodiment the terminal, the management server and the access gateway each hold access control information configured in advance, and the terminal also verifies its state information in real time during resource access, that is, it generates a real-time access control rule at access time. Controlling the client's resource access through both the pre-configured access control information and the rule generated in real time allows more precise access control and unified risk handling, improving the security of resource access.
In addition, the terminal, the management server and the access gateway are each configured with their own access control information and each perform the corresponding operations based on it, so that verification of the resource access request is achieved through interaction among the three. Distributing verification across devices in this way means no single device has to perform every verification, which improves verification efficiency and makes resource access feel faster to the user. When access control information changes, only the access control information on the corresponding device needs to be updated rather than all of it. And for an already established resource access, the terminal or the access gateway can interrupt the access promptly when the access control information is updated.
In one possible implementation, the management client in the embodiment shown in fig. 14 described above includes a first sub-client and a second sub-client. Referring to the flowchart of the resource access method shown in fig. 22, the resource access procedure is:
1. The terminal intercepts, through the first sub-client, a resource access request sent by the first client; the resource access request carries a process identifier.
2. The terminal sends the resource access request to the second sub-client through the first sub-client.
3. After receiving the resource access request through the second sub-client, the terminal verifies its current state information and, if the state information passes verification, obtains the first process information corresponding to the process identifier from the first client.
4. The terminal sends an authentication request carrying the first process information to the management server through the second sub-client.
5. After receiving the authentication request, the management server verifies it and, if it passes, sends a verification credential to the second sub-client.
6. After receiving the verification credential through the second sub-client, the terminal passes it to the first sub-client.
7. After receiving the verification credential through the first sub-client, the terminal sends a network request carrying the verification credential to the access gateway.
8. After receiving the network request, the access gateway sends a verification request carrying the verification credential to the management server.
9. After receiving the verification request, the management server verifies the verification credential and, if it passes, sends a verification-passed notification for the credential to the access gateway.
10. After receiving the verification-passed notification, the access gateway establishes a connection with the first sub-client, and the terminal sends the resource access request to the access gateway through the first sub-client over that connection.
11. After receiving the resource access request, the access gateway sends it to the corresponding service server.
12. The service server sends the corresponding target resource to the access gateway based on the resource access request.
13. The access gateway sends the received target resource to the first sub-client.
14. The terminal sends the target resource to the first client through the first sub-client.
Referring to fig. 22, in one possible implementation, the management server includes a policy center module, a sending service module, and a ticket center module, where the policy center module stores the second access control information indicating the verification operations to be performed, the sending service module interacts with the cloud server, and the ticket center module issues the verification credential to the terminal and verifies it.
Note that, the resource access procedure shown in fig. 21 is the same as the embodiment of the resource access procedure shown in fig. 14, and is not described here again.
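The following is an added example, not code from the patent, simulating the fig. 22 exchange: the ticket center on the management server issues a verification credential in response to the authentication request, the first sub-client forwards it to the access gateway in a network request, and the gateway does not interpret the credential itself but sends a verification request to the management server and opens the connection only on a pass. The credential format (an HMAC-signed, terminal-bound, short-lived token with an issued-credential register), the use of a process image hash as the process information, and the allow-list standing in for the second access control information are assumptions made for the example.

```python
"""Simulation of the fig. 22 credential exchange between terminal, management server
(policy center + ticket center) and access gateway. Added example; credential format,
process-hash allow-list and time handling are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets


class ManagementServer:
    def __init__(self, key: bytes, allowed_process_hashes, ttl: int = 60):
        self._key = key
        self._allowed = set(allowed_process_hashes)  # stands in for second access control information
        self._ttl = ttl
        self._issued = {}                             # credential id -> terminal id (allows revocation)

    def handle_auth_request(self, terminal_id: str, process_info: dict, now: int):
        """Step 5: verify the authentication request; return a credential or None."""
        if process_info.get("hash") not in self._allowed:
            return None
        body = {"tid": terminal_id, "proc": process_info["hash"],
                "exp": now + self._ttl, "jti": secrets.token_hex(8)}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._issued[body["jti"]] = terminal_id
        return payload + b"." + base64.urlsafe_b64encode(sig)

    def handle_verification_request(self, credential: bytes, terminal_id: str, now: int) -> bool:
        """Step 9: the gateway forwards the credential; the ticket center is what checks it."""
        try:
            payload, sig = credential.split(b".")
            expected = hmac.new(self._key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
                return False
            body = json.loads(base64.urlsafe_b64decode(payload))
            return (self._issued.get(body["jti"]) == terminal_id
                    and body["tid"] == terminal_id
                    and now < body["exp"])
        except (ValueError, KeyError, TypeError):
            return False                              # malformed, truncated or tampered credential


class AccessGateway:
    def __init__(self, server: ManagementServer):
        self._server = server
        self._connected = set()

    def handle_network_request(self, terminal_id: str, credential: bytes, now: int) -> bool:
        """Steps 8-10: ask the management server; connect only on a verification-passed notification."""
        if not self._server.handle_verification_request(credential, terminal_id, now):
            return False
        self._connected.add(terminal_id)
        return True

    def handle_resource_request(self, terminal_id: str, path: str):
        """Step 11: a resource access request is accepted only over an established connection."""
        if terminal_id not in self._connected:
            return None
        return f"resource:{path}"                     # stands in for the service server's target resource


class Terminal:
    """First sub-client (intercept/forward) and second sub-client (state check, auth request)."""

    def __init__(self, terminal_id: str, server: ManagementServer, gateway: AccessGateway, state_ok=True):
        self.tid, self._server, self._gateway, self._state_ok = terminal_id, server, gateway, state_ok

    def access(self, process_info: dict, path: str, now: int):
        # steps 1-3: first sub-client intercepts and hands over; second sub-client checks state
        if not self._state_ok:
            return "state_failed"
        credential = self._server.handle_auth_request(self.tid, process_info, now)  # steps 4-5
        if credential is None:
            return "auth_failed"
        # steps 6-7: credential back to the first sub-client, which sends the network request
        if not self._gateway.handle_network_request(self.tid, credential, now):
            return "credential_rejected"
        return self._gateway.handle_resource_request(self.tid, path)                 # steps 10-14


if __name__ == "__main__":
    # constructed data: one allowed process hash, one terminal
    good = {"path": "/opt/app/browser", "hash": "a1" * 32}
    server = ManagementServer(b"ticket-center-key", [good["hash"]])
    gateway = AccessGateway(server)
    print(Terminal("T1", server, gateway).access(good, "/hr/payroll", now=1000))
```

Binding the credential to the terminal identifier and registering it on issue is what lets the ticket center refuse a credential replayed from another terminal or one the policy center has since withdrawn; expiry bounds how long a credential stays usable if it leaks.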
The resource access method provided by this embodiment can be applied in various scenes; remote office is used here as an example:
When a user works remotely, the resource access method of this embodiment is used to verify resource access requests so that access to the enterprise's internal resources remains secure. The process is as follows: the user logs in to the management client on their own private terminal with a user identifier; the management client intercepts, based on the first access control information, a resource access request sent by some client that requests data internal to the company; the current state information of the terminal is then verified to determine whether the terminal is compliant, that is, whether the company's internal data may be accessed through it; and when the verification result indicates that the terminal is compliant, the resource access request is verified as in steps 1403-1411 above before the internal data is accessed.
When the method is applied in an intelligent traffic scene, the terminal is a vehicle-mounted terminal; the resource access process in that scene is not described in detail here.
Fig. 23 is a schematic structural diagram of a resource access device according to an embodiment of the present application. Referring to fig. 23, the apparatus includes:
a request interception module 2301, configured to intercept a resource access request sent by a first client based on first access control information, where the first access control information indicates that the resource access request is intercepted and a verification operation is performed when any client in the terminal sends the resource access request;
a first verification module 2302, configured to verify current state information of a terminal;
a second verification module 2303, configured to verify the resource access request based on the first access control information if the status information is verified;
a resource access module 2304, configured to perform resource access based on the resource access request if the resource access request passes verification.
Optionally, the request interception module 2301 is configured to intercept the resource access request based on the first access control information by a management client, where the management client is configured to perform resource access control on a client in the terminal.
Optionally, the state information includes network information, and the first verification module 2302 includes:
a first verification unit, configured to obtain the network information corresponding to the network to which the terminal is currently connected;
the first verification unit being further configured to determine that the state information passes verification when the network information matches target network information, the target network information being the network information corresponding to a secure network; or,
the state information further including a user identifier logged in to the management client, and the first verification unit being further configured to verify the user identifier when the network information does not match the target network information, and to determine that the state information passes verification when the user identifier passes verification.
Optionally, the state information includes a resource type, and the first verification module 2302 includes:
a second verification unit, configured to obtain the resource type of the resource that the resource access request requests to access;
the second verification unit being further configured to determine that the state information passes verification when the resource type is a public resource type, a resource of the public resource type being one that a client logged in with any user identifier is allowed to access; or,
the state information further including a user identifier logged in to the management client, and the second verification unit being further configured to verify the user identifier when the resource type is a non-public resource type, and to determine that the state information passes verification when the user identifier passes verification.
Optionally, the first verification module 2302 is configured to determine that the user identifier passes verification if the user identifier belongs to a set of target identifiers, where the user identifier included in the set of target identifiers has a right to access the resource.
Optionally, the state information includes client information of each client installed by the terminal, and the first verification module includes:
the third verification unit is used for acquiring current client information of each client installed by the terminal and verifying the client information;
and a second verification module 2303, configured to verify the resource access request based on the first access control information when each piece of client information passes verification.
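The following is an added example, not code from the patent, of the state-information verification described by the units above, combined as one check in the way the text allows: network information with the user-identifier fallback, resource type with the same fallback, client information against a baseline, and the target time period within which the resource access request may then be verified. The form of the network information (a network identifier string), a minimum-version check as the client-information verification, the numeric time base and the combination of all three checks into one function are assumptions made for the example.

```python
"""Verification of the terminal's current state information: network (with user fallback),
resource type (with user fallback), installed-client baseline, and the target time period
for the subsequent request verification. Added example; data shapes are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StateInfo:
    network: str                  # identifier of the network the terminal is connected to
    user_id: Optional[str]        # user identifier logged in to the management client, if any
    resource_type: str            # type of the resource the request is for
    clients: dict = field(default_factory=dict)   # installed client name -> version string


@dataclass
class StatePolicy:
    target_networks: set          # "target network information": networks treated as secure
    target_identifiers: set       # user identifiers with the right to access the resource
    public_types: set             # resource types any logged-in user may access
    client_baseline: dict         # client name -> minimum acceptable version (assumption)
    target_window: int = 30       # seconds: the target time period after state verification


def _version(s: str) -> tuple:
    return tuple(int(part) for part in s.split("."))


def verify_state(state: StateInfo, policy: StatePolicy, now: int):
    """Returns (passed, reason, deadline); deadline closes the target time period."""
    authorised_user = state.user_id in policy.target_identifiers
    # first verification unit: trusted network, otherwise the user identifier must pass
    if state.network not in policy.target_networks and not authorised_user:
        return False, "untrusted network and user not authorised", None
    # second verification unit: public resource, otherwise the user identifier must pass
    if state.resource_type not in policy.public_types and not authorised_user:
        return False, "non-public resource and user not authorised", None
    # third verification unit: every installed client that has a baseline must meet it
    for name, installed in state.clients.items():
        minimum = policy.client_baseline.get(name)
        if minimum is not None and _version(installed) < _version(minimum):
            return False, f"client {name} {installed} below baseline {minimum}", None
    return True, "ok", now + policy.target_window


def request_verification_allowed(deadline: Optional[int], now: int) -> bool:
    """The resource access request may only be verified inside the target time period."""
    return deadline is not None and now <= deadline


if __name__ == "__main__":
    # constructed policy and state for a quick run
    policy = StatePolicy(target_networks={"corp-wifi"}, target_identifiers={"alice"},
                         public_types={"public"}, client_baseline={"edr-agent": "3.2.0"})
    print(verify_state(StateInfo("cafe-wifi", "alice", "internal", {"edr-agent": "3.2.1"}), policy, now=100))
```

The deadline is what enforces the target time period: a request whose state check passed too long ago is re-verified rather than trusted on stale state.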
Optionally, the request interception module 2301 includes:
a first interception unit, configured to intercept the resource access request when the management client is in a first interception mode, the first interception mode indicating that resource access requests sent by any client in the terminal for any resource are intercepted; or,
a second interception unit, configured to intercept the resource access request when the management client is in a second interception mode and the target address carried by the resource access request belongs to a first address set, the second interception mode indicating that resource access requests sent by any client in the terminal for non-public resources are intercepted, and the first address set including the addresses of non-public resources.
Optionally, the resource access request carries a process identifier, the process identifier indicates a process for requesting to access the resource, the first access control information indicates a verification operation on process information corresponding to the process identifier, and the second verification module is configured to:
under the condition that the state information verification is passed, acquiring first process information corresponding to the process identifier from the first client based on the process identifier;
acquiring second process information corresponding to the process identifier from the management client based on the process identifier;
sending an authentication request to the management server corresponding to the management client when the first process information matches the second process information, where the authentication request carries the first process information, the management server verifies the authentication request based on second access control information, and the second access control information indicates that the verification operation is performed when the authentication request is received;
and receiving a verification result returned by the management server.
Optionally, a second verification module 2303 is configured to:
under the condition that process information corresponding to the process identifier is not stored in the management client, an authentication request is sent to the management server;
and receiving a verification result returned by the management server.
Optionally, the resource access module is configured to:
send, when the resource access request passes verification, the resource access request to the service server through the management client, the service server returning the target resource corresponding to the resource access request; or,
send, when the resource access request passes verification, the resource access request to the service server through the management client and the access gateway.
Optionally, the resource access module is configured to:
send, through the management client, a network request to the access gateway, the network request carrying a verification credential that the management server corresponding to the management client sent to the terminal, where the access gateway sends a verification request carrying the verification credential to the management server based on third access control information, the management server verifies the verification credential and returns the verification result to the access gateway, the access gateway establishes a connection with the terminal when the verification credential passes verification, and the third access control information indicates that the verification operation is performed when the verification request is received;
based on the established connection, a resource access request is sent to an access gateway, which is used for sending the resource access request to a service server.
Optionally, the second verification module is configured to:
and verifying the resource access request based on the first access control information within a target time period after the state information verification is passed.
Optionally, the apparatus further comprises:
and the request deleting module is used for deleting the resource access request under the condition that the state information verification is not passed.
Optionally, the apparatus further comprises:
and the request deleting module is used for deleting the resource access request under the condition that the verification of the resource access request is not passed.
Optionally, the resource access request carries a process identifier, and the apparatus further includes:
and the process clearing module is used for clearing the process identifier corresponding to the target process under the condition that the verification of the resource access request is not passed.
Optionally, the management client includes a first sub-client and a second sub-client;
the first sub-client is used for intercepting a resource access request and forwarding the resource access request;
the second sub-client is used to verify the status information and to verify the resource access request.
To ensure that the terminal is safe during resource access, the device of this embodiment first verifies the current state information of the terminal and, only when that verification passes (that is, only when the terminal is currently known to be safe), verifies the resource access request based on the first access control information; resource access is performed only when the resource access request also passes. Combining verification of the state information with verification of the resource access request not only adds verification information but, because the terminal's current state is used, allows real-time verification of the terminal, which makes the verification process more complete and improves the security of resource access.
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described herein in detail.
It should be noted that: in the resource access device provided in the above embodiment, only the division of the above functional modules is used for illustration when accessing resources, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the resource access device and the resource access method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the resource access device and the resource access method are detailed in the method embodiments and are not repeated herein.
Fig. 24 is a schematic structural diagram of a resource access device according to an embodiment of the present application. Referring to fig. 24, the apparatus includes:
an authentication request receiving module 2401, configured to receive an authentication request sent by the terminal through the management client, where the authentication request carries first process information corresponding to a process identifier carried in a resource access request intercepted by the management client, the first process information is obtained from the first client that sent the resource access request, and the process identifier indicates the process in the first client that requests access to the resource;
a verification module 2402, configured to verify the authentication request based on second access control information and return the verification result of the authentication request to the terminal, so that the terminal, on receiving a verification result indicating that the resource access request passes verification, performs resource access based on the resource access request; the second access control information indicates that the verification operation is performed when the authentication request is received.
Optionally, the authentication request further carries a process identifier, and the verification module is configured to verify the first process information when the process identifier belongs to a process identifier set, where the process identifier set includes a process identifier corresponding to a process allowed to access resources.
Optionally, the verification module 2402 is configured to:
determine that the first process information passes verification when it matches third process information, the third process information being the process information corresponding to the process identifier that is stored on the local device; or,
send the authentication request to the cloud server when the local device stores no process information corresponding to the process identifier, and receive the verification result of the first process information returned by the cloud server, where the cloud server stores the latest process information and verifies the first process information based on the authentication request.
Optionally, the apparatus further comprises:
a storage module, configured to receive third process information sent by the cloud server;
the storage module being further configured to store the process identifier in correspondence with the third process information.
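The following is an added example, not code from the patent, of the process-information verification chain described for the second verification module 2303 of the terminal-side device and for the verification and storage modules above: the management client compares the first process information obtained from the first client with its own second process information (if any) and sends an authentication request only when they match or it holds no local copy; the management server checks the process identifier set, compares against its stored third process information, and asks the cloud server only when it has nothing stored, caching the cloud's reply for next time. The content of the process information (executable path plus SHA-256 of the image), the process identifier strings and the caching behaviour on the client are assumptions made for the example.

```python
"""Process-information verification across first client, management client, management
server and cloud server. Added example; process information content, identifiers and
caching behaviour are assumptions."""
import hashlib


def process_info(path: str, image: bytes) -> dict:
    """First process information as this example assumes it: path plus image hash."""
    return {"path": path, "hash": hashlib.sha256(image).hexdigest()}


class CloudServer:
    """Holds the latest process information for each process identifier."""

    def __init__(self, latest: dict):
        self._latest = latest

    def verify(self, process_id: str, first: dict):
        known = self._latest.get(process_id)
        return (known is not None and known == first), known


class ManagementServer:
    def __init__(self, cloud: CloudServer, allowed_ids):
        self._cloud = cloud
        self._allowed = set(allowed_ids)   # process identifier set: processes allowed to access resources
        self._third = {}                    # process identifier -> third process information (storage module)
        self.auth_requests = 0              # instrumentation so the example can show what was contacted

    def verify_auth_request(self, process_id: str, first: dict) -> bool:
        self.auth_requests += 1
        if process_id not in self._allowed:
            return False
        third = self._third.get(process_id)
        if third is not None:
            return third == first           # compare with the locally stored third process information
        ok, latest = self._cloud.verify(process_id, first)   # nothing stored: ask the cloud server
        if latest is not None:
            self._third[process_id] = latest                 # storage module keeps the cloud's copy
        return ok


class ManagementClient:
    def __init__(self, server: ManagementServer):
        self._server = server
        self._second = {}                   # process identifier -> second process information

    def verify_request(self, process_id: str, first: dict) -> bool:
        """Second verification module: local comparison first, then the management server."""
        second = self._second.get(process_id)
        if second is not None and second != first:
            return False                    # mismatch with the local copy: fail without contacting the server
        result = self._server.verify_auth_request(process_id, first)
        if result and second is None:
            self._second[process_id] = first   # cache what the server accepted (assumption)
        return result


if __name__ == "__main__":
    # constructed images standing in for the executable the first client is running
    first = process_info("/opt/app/browser", b"\x7fELF...browser-build-42")
    server = ManagementServer(CloudServer({"com.example.browser": first}), ["com.example.browser"])
    client = ManagementClient(server)
    print(client.verify_request("com.example.browser", first), server.auth_requests)
```

The local mismatch short-circuit is the point of holding second process information on the terminal: a process whose image no longer matches what the management client last accepted is refused before any request reaches the management server.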
With the device of this embodiment, the management server verifies the resource access request initiated by a client in the terminal and sends the verification result to the terminal, after which the terminal performs the resource access; verification of the resource access request is thus achieved through interaction between the terminal and the management server.
Any combination of the above optional solutions may be adopted to form an optional embodiment of the present application, which is not described herein in detail.
It should be noted that: in the resource access device provided in the above embodiment, only the division of the above functional modules is used for illustration when accessing resources, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the resource access device and the resource access method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the resource access device and the resource access method are detailed in the method embodiments and are not repeated herein.
Fig. 25 is a schematic structural diagram of a resource access device according to an embodiment of the present application. Referring to fig. 25, the apparatus includes:
a network request receiving module 2501, configured to receive a network request sent by the terminal, where the terminal sends the network request after the management server has verified the terminal's resource access request, and the network request carries the verification credential that the management server sent to the terminal;
a verification request sending module 2502, configured to send, based on third access control information, a verification request carrying the verification credential to the management server, where the management server verifies the verification credential and the third access control information indicates that the verification operation is performed when the network request is received;
a connection establishment module 2503, configured to establish a connection with the terminal when the management server confirms that the verification credential passes verification, the connection being used by the terminal to send the resource access request.
With the device of this embodiment, when the terminal accesses a resource through the access gateway, the access gateway interacts with the management server so that the management server verifies the verification credential, and a connection for resource access is established only when the credential passes. This prevents the access gateway from establishing a connection on the basis of an invalid credential; because the management server is the party that verifies the credential, the verification process is more complete and the security of resource access is improved.
It should be noted that: in the resource access device provided in the above embodiment, only the division of the above functional modules is used for illustration when accessing resources, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the computer device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the resource access device and the resource access method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the resource access device and the resource access method are detailed in the method embodiments and are not repeated herein.
The embodiment of the application also provides a terminal, which comprises a processor and a memory, wherein at least one computer program is stored in the memory, and the at least one computer program is loaded and executed by the processor to realize the operations executed by the resource access method of the embodiment.
Fig. 26 is a schematic structural diagram of a terminal 2600 provided in an embodiment of the present application. The terminal 2600 may be a portable mobile terminal such as a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a notebook computer, or a desktop computer. Terminal 2600 may also be referred to by other names such as user device, portable terminal, laptop terminal, desktop terminal, and the like.
Terminal 2600 includes: a processor 2601, and a memory 2602.
The processor 2601 may include one or more processing cores, such as a 4-core processor, an 8-core processor, or the like. The processor 2601 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), or a PLA (Programmable Logic Array). The processor 2601 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, also called a CPU (Central Processing Unit), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 2601 may be integrated with a GPU (Graphics Processing Unit) for rendering and drawing the content that the display screen needs to display. In some embodiments, the processor 2601 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
The memory 2602 may include one or more computer-readable storage media, which may be non-transitory. Memory 2602 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, the non-transitory computer readable storage medium in memory 2602 is used to store at least one computer program for execution by processor 2601 to implement the resource access methods provided by the method embodiments in the present application.
In some embodiments, terminal 2600 may further optionally include: a peripheral interface 2603, and at least one peripheral. The processor 2601, the memory 2602, and the peripheral interface 2603 may be connected by a bus or signal lines. The individual peripheral devices may be connected to the peripheral device interface 2603 by buses, signal lines, or circuit boards. Specifically, the peripheral device includes: at least one of a radio frequency circuit 2604, a display screen 2605, a camera assembly 2606, an audio circuit 2607, a positioning assembly 2608, and a power source 2609.
The peripheral interface 2603 may be used to connect at least one Input/Output (I/O) related peripheral to the processor 2601 and the memory 2602. In some embodiments, the processor 2601, the memory 2602, and the peripheral interface 2603 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 2601, the memory 2602, and the peripheral interface 2603 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The radio frequency circuit 2604 is configured to receive and transmit an RF (Radio Frequency) signal, also called an electromagnetic signal. The radio frequency circuit 2604 communicates with a communication network and other communication devices through electromagnetic signals. The radio frequency circuit 2604 converts an electric signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electric signal. Optionally, the radio frequency circuit 2604 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so on. The radio frequency circuit 2604 may communicate with other terminals through at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: the World Wide Web, metropolitan area networks, intranets, mobile communication networks of each generation (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 2604 may also include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 2605 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 2605 is a touch display, the display 2605 also has the ability to collect touch signals at or above its surface. The touch signal may be input to the processor 2601 as a control signal for processing. In this case, the display 2605 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 2605, disposed on the front panel of terminal 2600; in other embodiments, there may be at least two displays 2605, disposed on different surfaces of the terminal 2600 or in a folded design; in still other embodiments, the display 2605 may be a flexible display disposed on a curved surface or a folded surface of terminal 2600. The display screen 2605 may even be arranged in an irregular, non-rectangular pattern, i.e., an irregularly shaped screen. The display 2605 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 2606 is used to capture images or video. Optionally, the camera assembly 2606 includes a front camera and a rear camera. The front camera is arranged on the front panel of the terminal, and the rear camera is arranged on the back of the terminal. In some embodiments, there are at least two rear cameras, each being any one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize a panoramic shooting and Virtual Reality (VR) shooting function or other fusion shooting functions. In some embodiments, the camera assembly 2606 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
The audio circuitry 2607 may include a microphone and a speaker. The microphone is used for collecting sound waves of the user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 2601 for processing, or to the radio frequency circuit 2604 for voice communication. For stereo acquisition or noise reduction, there may be multiple microphones, each disposed at a different location of terminal 2600. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 2601 or the radio frequency circuit 2604 into sound waves. The speaker may be a conventional thin-film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, it can convert the electric signal not only into sound waves audible to humans, but also into sound waves inaudible to humans for ranging and other purposes. In some embodiments, the audio circuit 2607 may also include a headphone jack.
The positioning component 2608 is used to locate the current geographic location of terminal 2600 to enable navigation or LBS (Location Based Service). The positioning component 2608 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
Power supply 2609 is used to power various components in terminal 2600. The power supply 2609 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power source 2609 includes a rechargeable battery, the rechargeable battery may be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery may also be used to support fast charge technology.
Those skilled in the art will appreciate that the structure shown in fig. 26 is not limiting and that terminal 2600 may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
The embodiment of the application also provides a server, which comprises a processor and a memory, wherein at least one computer program is stored in the memory, and the at least one computer program is loaded and executed by the processor to realize the operations executed by the resource access method of the embodiment.
Fig. 27 is a schematic structural diagram of a server according to an embodiment of the present application. The server 2700 may vary considerably in configuration or performance, and may include one or more processors (Central Processing Units, CPU) 2701 and one or more memories 2702, where the memories 2702 store at least one computer program, and the at least one computer program is loaded and executed by the processors 2701 to implement the methods provided in the foregoing method embodiments. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described here.
The present application also provides a computer readable storage medium having at least one computer program stored therein, the at least one computer program being loaded and executed by a processor to implement the operations performed by the resource access method of the above embodiments.
The present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the operations performed by the resource access method of the above embodiments.
In some embodiments, the computer program related to the embodiments of the present application may be deployed to be executed on one computer device or on multiple computer devices located at one site, or on multiple computer devices distributed across multiple sites and interconnected by a communication network, where the multiple computer devices distributed across multiple sites and interconnected by a communication network may constitute a blockchain system.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the above storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing is merely an optional embodiment of the present application and is not intended to limit the embodiments of the present application; any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the embodiments of the present application are intended to be included in the scope of the present application.

Claims (20)

1. A method of resource access, the method comprising:
intercepting a resource access request sent by a first client based on first access control information, wherein the first access control information indicates that the resource access request is intercepted and verification operation is executed under the condition that any client in a terminal sends the resource access request;
verifying the current state information of the terminal;
verifying the resource access request based on the first access control information under the condition that the state information passes verification;
and carrying out resource access based on the resource access request under the condition that the verification of the resource access request is passed.
2. The method of claim 1, wherein intercepting the resource access request sent by the first client based on the first access control information comprises:
and intercepting the resource access request based on the first access control information through a management client, wherein the management client is used for controlling the resource access of the client in the terminal.
3. The method according to claim 2, wherein the status information includes network information, and the verifying the current status information of the terminal includes:
acquiring network information corresponding to a network to which the terminal is currently connected;
under the condition that the network information matches target network information, determining that the state information passes verification, wherein the target network information is network information corresponding to a secure network; or,
the state information further comprises a user identifier logged in to the management client, the user identifier is verified under the condition that the network information does not match the target network information, and the state information is determined to pass verification under the condition that the user identifier passes verification.
4. The method according to claim 2, wherein the status information includes a resource type, and the verifying the current status information of the terminal includes:
acquiring a resource type to which the resource requested to be accessed by the resource access request belongs;
under the condition that the resource type is a public resource type, determining that the state information passes verification, wherein a resource belonging to the public resource type is a resource that is allowed to be accessed by a client in which any user identifier is logged in; or,
the state information further comprises a user identifier logged in to the management client, the user identifier is verified under the condition that the resource type is a non-public resource type, and the state information is determined to pass verification under the condition that the user identifier passes verification.
5. The method according to claim 1, wherein the status information includes client information of each client installed by the terminal, and the verifying the current status information of the terminal includes:
acquiring current client information of each client installed by the terminal, and verifying the client information;
and in the case that the state information verification is passed, verifying the resource access request based on the first access control information, including:
and under the condition that all client information passes verification, verifying the resource access request based on the first access control information.
6. The method of claim 2, wherein intercepting, by the administration client, the resource access request based on the first access control information, comprises:
intercepting the resource access request under the condition that the management client is in a first interception mode, wherein the first interception mode indicates interception of a resource access request, sent by any client in the terminal, for accessing any resource; or,
and intercepting the resource access request under the condition that the management client is in a second interception mode and the target address carried by the resource access request belongs to a first address set, wherein the second interception mode indicates to intercept the resource access request which is sent by any client in the terminal and is used for accessing non-public resources, and the first address set comprises addresses of the non-public resources.
7. The method according to claim 2, wherein the resource access request carries a process identifier, the process identifier indicates a process for requesting to access resources, the first access control information indicates a verification operation for process information corresponding to the process identifier, and in case that the state information verification is passed, verifying the resource access request based on the first access control information includes:
acquiring first process information corresponding to the process identifier from the first client based on the process identifier under the condition that the state information passes verification;
acquiring second process information corresponding to the process identifier from the management client based on the process identifier;
sending an authentication request to a management server corresponding to the management client when the first process information is matched with the second process information, wherein the authentication request carries the first process information, and the management server is used for verifying the authentication request based on second access control information, and the second access control information indicates that verification operation is executed when the authentication request is received;
and receiving a verification result returned by the management server.
8. The method of claim 2, wherein the performing resource access based on the resource access request if the resource access request is verified comprises:
when the resource access request passes verification, sending the resource access request to a service server through the management client, wherein the service server is used for returning the target resource corresponding to the resource access request; or,
and sending the resource access request to a service server through the management client and the access gateway under the condition that the resource access request passes verification.
9. The method of claim 8, wherein said sending the resource access request to a service server via the management client and access gateway comprises:
sending, by the management client, a network request to the access gateway, where the network request carries a verification credential sent to the terminal by a management server corresponding to the management client, where the access gateway is configured to send, to the management server, a verification request carrying the verification credential based on third access control information, the management server is configured to verify the verification credential, return, to the access gateway, a verification result of the verification credential, and establish a connection between the access gateway and the terminal if the verification credential passes, where the third access control information indicates that a verification operation is performed if the verification request is received;
and based on the established connection, sending the resource access request to the access gateway, wherein the access gateway is used for sending the resource access request to the service server.
10. A method of resource access, the method comprising:
receiving an authentication request sent by a management client by a terminal, wherein the authentication request carries first process information, the first process information corresponds to a process identifier carried in a resource access request intercepted by the management client and is acquired from the first client sending the resource access request, and the process identifier indicates a process for requesting to access resources in the first client;
and verifying the authentication request based on second access control information, returning a verification result of the authentication request to the terminal, wherein the terminal is used for receiving the verification result, performing resource access based on the resource access request when the verification result indicates that the resource access request passes verification, and performing verification operation when the authentication request is received.
11. A method of resource access, the method comprising:
receiving a network request sent by a terminal, wherein the network request is sent by the terminal under the condition that a management server has verified a resource access request of the terminal, and the network request carries a verification credential sent by the management server to the terminal;
transmitting a verification request carrying the verification credential to the management server based on third access control information, the management server being configured to verify the verification credential, the third access control information indicating that a verification operation is performed if a network request is received;
and under the condition that the management server verifies the verification credential, establishing a connection with the terminal, wherein the connection is used by the terminal to send the resource access request.
12. A resource access system, characterized in that the resource access system comprises a terminal and a management server;
the terminal is used for intercepting a resource access request sent by a first client based on first access control information through a management client, wherein the first access control information indicates that the resource access request is intercepted and verification operation is executed under the condition that any client in the terminal sends the resource access request;
the terminal is further used for verifying the current state information of the terminal;
the terminal is further configured to send an authentication request to the management server based on the first access control information when the status information passes verification, where the authentication request carries first process information, the first process information corresponds to a process identifier carried in the resource access request, and is acquired from the first client, and the process identifier indicates a process in the first client that requests for resource access;
the management server is used for verifying the authentication request based on second access control information, and returning a verification result of the authentication request to the terminal, wherein the second access control information indicates that verification operation is performed under the condition that the authentication request is received;
the terminal is further configured to receive the verification result, and perform resource access based on the resource access request when the verification result indicates that the resource access request passes verification.
13. A resource access device, the device comprising:
the request interception module is used for intercepting a resource access request sent by a first client based on first access control information, wherein the first access control information indicates that the resource access request is intercepted and verification operation is executed under the condition that any client in the terminal sends the resource access request;
the first verification module is used for verifying the current state information of the terminal;
the second verification module is used for verifying the resource access request based on the first access control information under the condition that the state information passes verification;
and the resource access module is used for carrying out resource access based on the resource access request under the condition that the verification of the resource access request is passed.
14. A resource access device, the device comprising:
the authentication request receiving module is used for receiving an authentication request sent by a terminal through a management client, wherein the authentication request carries first process information, the first process information corresponds to a process identifier carried in a resource access request intercepted by the management client and is acquired from the first client sending the resource access request, and the process identifier indicates a process for requesting to access resources in the first client;
the authentication module is used for authenticating the authentication request based on second access control information, returning an authentication result of the authentication request to the terminal, receiving the authentication result by the terminal, and performing resource access based on the resource access request when the authentication result indicates that the resource access request passes authentication, wherein the second access control information indicates that authentication operation is performed when the authentication request is received.
15. A resource access device, the device comprising:
the network request receiving module is used for receiving a network request sent by a terminal, wherein the network request is sent by the terminal when the resource access request of the terminal has been verified by a management server, and the network request carries a verification credential sent to the terminal by the management server;
the verification request sending module is used for sending a verification request carrying the verification credential to the management server based on third access control information, the management server is used for verifying the verification credential, and the third access control information indicates that a verification operation is executed under the condition that a network request is received;
and the connection establishment module is used for establishing a connection with the terminal under the condition that the management server verifies the verification credential, the connection being used by the terminal to send the resource access request.
16. A terminal comprising a processor and a memory, wherein the memory has stored therein at least one computer program that is loaded and executed by the processor to implement the operations performed by the resource access method of any of claims 1 to 9.
17. A management server comprising a processor and a memory, wherein the memory stores at least one computer program that is loaded and executed by the processor to perform the operations performed by the resource access method of claim 10.
18. An access gateway comprising a processor and a memory, wherein the memory stores at least one computer program that is loaded and executed by the processor to implement the operations performed by the resource access method of claim 11.
19. A computer readable storage medium, wherein at least one computer program is stored in the computer readable storage medium, the at least one computer program being loaded and executed by a processor to implement the operations performed by the resource access method of any one of claims 1 to 9, or to implement the operations performed by the resource access method of claim 10, or to implement the operations performed by the resource access method of claim 11.
20. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the operations performed by the resource access method of any of claims 1 to 9, or the operations performed by the resource access method of claim 10, or the operations performed by the resource access method of claim 11.
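As an added illustration (not code from the patent), the following Python simulation wires the roles of claims 1 to 11 together: the management client intercepts a request according to its interception mode, verifies the terminal's state (network, resource type, user identifier, client information), matches first and second process information, sends an authentication request to the management server, and the access gateway has the server verify the returned credential before a connection is established. The policy sets, hostnames, paths, users and versions are constructed placeholders, and the HMAC-based credential format is an assumption the patent does not specify.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed policy data standing in for the claims' access control information.
TARGET_NETWORKS = {"corp-wifi"}                # secure networks (claim 3)
PUBLIC_HOSTS = {"public.example.com"}          # public resource type (claim 4)
FIRST_ADDRESS_SET = {"intranet.example.com"}   # non-public addresses (claim 6)
ALLOWED_USERS = {"alice"}                      # user identifiers that pass verification
REQUIRED_CLIENTS = {"browser": "100.0"}        # expected client information (claim 5)
TRUSTED_PROCESSES = {"/usr/bin/browser"}       # process information the server accepts


@dataclass
class ResourceAccessRequest:
    target: str        # target address carried by the request
    pid: int           # process identifier of the requesting process
    first_info: str    # first process information, reported by the first client


@dataclass
class TerminalState:
    network: str                 # network the terminal is currently connected to
    user_id: Optional[str]       # user identifier logged in to the management client
    clients: dict                # installed client -> version (client information)
    processes: dict              # pid -> path observed by the management client


class ManagementServer:
    """Verifies authentication requests (claim 10) and credentials (claim 11)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret for credential tags

    def verify_authentication(self, process_info):
        # Second access control information: the reported process must be trusted.
        if process_info not in TRUSTED_PROCESSES:
            return False, None
        # Issue a verification credential bound to the verified process information
        # (assumed format: "<process info>:<hex HMAC tag>").
        tag = hmac.new(self._key, process_info.encode(), "sha256").hexdigest()
        return True, f"{process_info}:{tag}"

    def verify_credential(self, credential):
        process_info, _, tag = credential.rpartition(":")
        expected = hmac.new(self._key, process_info.encode(), "sha256").hexdigest()
        return hmac.compare_digest(tag, expected)


class AccessGateway:
    """Has the management server verify the credential before connecting (claim 11)."""

    def __init__(self, server):
        self.server = server

    def establish_connection(self, credential):
        # Third access control information: every network request is verified.
        return self.server.verify_credential(credential)


class ManagementClient:
    """Intercepts requests and runs the verification pipeline of claims 1 to 9."""

    def __init__(self, state, server, mode="all"):
        self.state, self.server, self.mode = state, server, mode
        self.gateway = AccessGateway(server)

    def should_intercept(self, req):
        # Claim 6: the first mode intercepts every request; the second mode only
        # requests whose target address belongs to the first address set.
        return self.mode == "all" or req.target in FIRST_ADDRESS_SET

    def verify_state(self, req):
        s = self.state
        # Claim 5: client information of every installed client must pass.
        if any(s.clients.get(c) != v for c, v in REQUIRED_CLIENTS.items()):
            return False
        # Claim 3: a secure network passes; otherwise the logged-in user is checked.
        if s.network not in TARGET_NETWORKS and s.user_id not in ALLOWED_USERS:
            return False
        # Claim 4: a public resource passes; otherwise the logged-in user is checked.
        if req.target not in PUBLIC_HOSTS and s.user_id not in ALLOWED_USERS:
            return False
        return True

    def verify_request(self, req):
        # Claim 7: first process information (from the first client) must match the
        # second process information (observed here) before the server is asked.
        if self.state.processes.get(req.pid) != req.first_info:
            return False, None
        return self.server.verify_authentication(req.first_info)

    def access(self, req):
        if not self.should_intercept(req):
            return "passed-through"      # claim 6, second mode
        if not self.verify_state(req):
            return "state-rejected"      # claims 3 to 5
        ok, credential = self.verify_request(req)
        if not ok:
            return "request-rejected"    # claims 7 and 10
        if not self.gateway.establish_connection(credential):
            return "gateway-rejected"    # claims 9 and 11
        return "forwarded"               # request goes on to the service server
```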
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111221829.0A CN116015695A (en) 2021-10-20 2021-10-20 Resource access method, system, device, terminal and storage medium

Publications (1)

Publication Number Publication Date
CN116015695A (en) 2023-04-25

Family

ID=86027126

Country Status (1)

Country Link
CN (1) CN116015695A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117155716A (en) * 2023-10-31 2023-12-01 腾讯科技(深圳)有限公司 Access verification method and device, storage medium and electronic equipment
CN117155716B (en) * 2023-10-31 2024-02-09 腾讯科技(深圳)有限公司 Access verification method and device, storage medium and electronic equipment
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40083872
Country of ref document: HK