CN116186723A - Authority control system, method, equipment, medium and product - Google Patents


Info

Publication number: CN116186723A
Application number: CN202111433945.9A
Authority: CN (China)
Prior art keywords: api, user, authority, server, resource
Legal status: Pending (an assumption made by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 胡皎
Current assignee: Beijing ByteDance Network Technology Co Ltd (as listed; not verified by legal analysis)
Original assignee: Beijing ByteDance Network Technology Co Ltd
Application filed by Beijing ByteDance Network Technology Co Ltd
Priority to CN202111433945.9A
Publication of CN116186723A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/629 Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application


Abstract

The disclosure provides an authority control system, method, device, medium and product, and relates to the field of computer technology. The authority control system comprises a front end and a server. The front end sends a user identifier of a user to the server. The server obtains the user's authority resources according to the user identifier, obtains the user's API from the pre-configured association between authority resources and application programming interfaces (APIs) according to those authority resources, and returns the user's API to the front end. The front end calls the authority control logic and, when authentication passes, sends the API call request corresponding to the operation triggered by the user to the server; the authority control logic authenticates the API corresponding to the operation against the user's API. The server calls the same authority control logic on the API call request corresponding to the operation and responds to the request when authentication passes. The authority control system thereby greatly reduces the amount of code and is easy to maintain.

Description

Authority control system, method, equipment, medium and product
Technical Field
The present disclosure relates to the field of computer technology, and in particular, to a rights control system, method, apparatus, computer readable storage medium, and computer program product.
Background
With the continuous development of computer technology, and of mobile internet technology in particular, service providers (for example, business systems) can offer users a wide variety of services. Generally, a business system provides the corresponding services to a user according to the user's authority resources (for example, authority identifiers).
To protect the security of the business system, authority control performed only in the front-end page has given way to authority control performed in both the front-end page and the server, so that a user cannot bypass the front-end page's authority control and fetch the related services (for example, private content or paid content) directly from the server.
Hard coding is often used to control a user's authority resources at finer granularity. However, when both the front-end page and the server must perform authority control, code that judges the authority resources has to be written in both the front-end page and the server. Hard-coded authority control therefore produces a large amount of redundant authority control logic, which greatly increases the amount of code and makes it difficult to maintain.
Disclosure of Invention
The purpose of the present disclosure is to provide a rights control system, method, apparatus, computer-readable storage medium and computer program product that greatly reduce the amount of code and are easy to maintain.
In a first aspect, the present disclosure provides a rights control system comprising a front end and a server;
the front end is configured to send a user identifier of a user to the server;
the server is configured to obtain the authority resources of the user according to the user identifier, obtain the user's API from the pre-configured association between authority resources and application programming interfaces (APIs) according to the user's authority resources, and return the user's API to the front end;
the front end is configured to call the authority control logic and, when authentication passes, send the API call request corresponding to the operation triggered by the user to the server, where the authority control logic authenticates the API corresponding to the operation against the user's API;
and the server is configured to call the authority control logic on the API call request corresponding to the operation, and to respond to that request when authentication passes.
In a second aspect, the present disclosure provides a rights control method applied to a server, the method including:
the server receives a user identifier sent by the front end, obtains the authority resources of the user according to the user identifier, obtains the user's API from the pre-configured association between authority resources and application programming interfaces (APIs) according to the user's authority resources, and returns the user's API to the front end;
the server receives the API call request corresponding to the operation triggered by the user, which the front end sends when its own call to the authority control logic passes authentication, calls the authority control logic on that API call request, and responds to the request when authentication passes; the authority control logic authenticates the API corresponding to the operation against the user's API.
In a third aspect, the present disclosure provides a rights control method applied to a front end, the method including:
the front end sends a user identifier of a user to the server;
the front end receives the user's API returned by the server, where the server obtained the user's API from the pre-configured association between authority resources and application programming interfaces (APIs) according to the user's authority resources, and obtained the user's authority resources based on the user identifier;
the front end calls the authority control logic and, when authentication passes, sends the API call request corresponding to the operation triggered by the user to the server; the authority control logic authenticates the API corresponding to the operation against the user's API.
In a fourth aspect, the present disclosure provides a server, including:
a communication unit for receiving the user identifier sent by the front end;
an acquisition unit for obtaining the authority resources of the user according to the user identifier, and for obtaining the user's API from the pre-configured association between authority resources and application programming interfaces (APIs) according to the user's authority resources;
the communication unit is further for returning the user's API to the front end and for receiving the API call request corresponding to the operation sent by the front end;
an authentication unit for calling the authority control logic and, when authentication passes, responding to the API call request corresponding to the operation; the authority control logic authenticates the API corresponding to the operation against the user's API.
In a fifth aspect, the present disclosure provides a front end comprising:
the communication unit is used for sending the user identification of the user to the server and receiving the API of the user returned by the server;
the authentication unit is used for calling authority control logic, and the authority control logic indicates to authenticate the API corresponding to the operation based on the API of the user;
and the communication unit is also used for sending an API call request corresponding to the operation triggered by the user to the server when the authentication is passed.
In a sixth aspect, the present disclosure provides a computer readable medium having stored thereon a computer program which when executed by a processing device performs the steps of the method according to any of the second aspects of the present disclosure.
In a seventh aspect, the present disclosure provides an electronic device, comprising:
a storage device having a computer program stored thereon;
processing means for executing the computer program in the storage means to implement the steps of the method of any of the second aspects of the present disclosure.
In an eighth aspect, the present disclosure provides a computer program product comprising instructions which, when run on a device, cause the device to perform the method of any one of the implementations of the second aspect described above.
The above technical solution has the following advantages:
in the authority control system, based on the pre-configured association between authority resources and APIs, the front end obtains the user's API through the server and calls the authority control logic to perform front-end authentication; after the front-end authentication passes, the server calls the same authority control logic to perform server-side authentication on the API call request sent by the front end. The code of the authority control logic therefore does not have to be written twice, which reduces code redundancy and eases maintenance. In addition, because the authority control logic authenticates the API corresponding to the operation against the user's API, both the front end and the server perform authority control at the interface level, which further simplifies the code logic, reduces the amount of code and makes maintenance easier.
Additional features and advantages of the present disclosure will be set forth in the detailed description which follows.
Drawings
In order to illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings used in the embodiments are briefly described below.
FIG. 1 is a system architecture diagram of a rights control system provided in an embodiment of the present disclosure;
FIG. 2 is a flowchart of a rights control method provided in an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the association between a rights resource and an API according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an interactive interface provided by an embodiment of the present disclosure;
FIG. 5 is a flowchart of the rights control logic provided by an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a prompt interface provided by an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a server provided in an embodiment of the present disclosure;
FIG. 8 is a schematic diagram of a front end provided by an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The terms "first," "second," and the like in the presently disclosed embodiments are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
Some technical terms related to the embodiments of the present disclosure will be first described.
The front end refers to the foreground part of a website, that is, the web pages displayed to a user in a browser on a personal computer (PC), a mobile terminal, and so on. The front end supports interaction with the user and receives the various operations the user triggers, such as search, view and edit operations. The service provider generally provides a back end, such as a server, corresponding to the front end: after the front end receives a search operation triggered by the user, it requests the data corresponding to that operation from the server, and after the server returns the data, the front end can present it to the user.
To keep data secure, both the front end and the server authenticate the user's operations, and to control the user's authority resources at finer granularity, authority control logic is deployed in the front end and in the server separately by hard coding. Deploying the authority control logic separately in the front end and the server produces a large amount of redundant code, greatly increases the amount of code and makes maintenance difficult.
In view of this, an embodiment of the present disclosure provides a rights control system, which includes a front end and a server. The front end is used for sending a user identifier of a user to the service end, the service end is used for acquiring authority resources of the user according to the user identifier, then acquiring an API of the user from the association relationship between the preset authority resources and the API according to the authority resources of the user, and returning the API of the user to the front end; the front end is used for calling authority control logic, when authentication is passed, an API calling request corresponding to the operation triggered by the user is sent to the server, and the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user; the server side is used for calling authority control logic according to the API call request corresponding to the operation, and responding to the API call request corresponding to the operation when authentication is passed.
In order to make the technical solution of the present disclosure clearer and easier to understand, the architecture of the rights control system provided by the embodiments of the present disclosure is described below with reference to the accompanying drawings.
Referring to the system architecture diagram of the rights control system 100 shown in FIG. 1, the rights control system 100 includes a front end 102 and a server 104. The front end 102 may be a web page running on a terminal, including but not limited to a smart phone, tablet, notebook, personal digital assistant (PDA) or smart wearable device. The server 104 may be deployed on a server machine, which may be a cloud server, for example a central server in a central cloud computing cluster or an edge server in an edge cloud computing cluster, or a server in a local data center, that is, a data center directly controlled by the user.
In some embodiments, the rights control system 100 may be a rights control system for paid documents, for paid video, or for other data. Taking a paid-document rights control system as an example: the front end 102 receives a user's viewing operation on a target document and sends the user identifier to the server 104; the server 104 obtains the user's authority resources according to the user identifier, then obtains the user's API from the pre-configured association between authority resources and APIs according to those authority resources, and may cache the user's API at the server 104 before sending it to the front end 102. After the front end 102 receives the user's API, it calls the authority control logic to perform front-end authentication; after the front-end authentication passes, the server 104 calls the same authority control logic to perform server-side authentication on the API call request that the front end sends for the viewing operation. The code of the authority control logic therefore does not have to be written twice, which reduces code redundancy and eases maintenance.
The authority control logic authenticates the API corresponding to the viewing operation against the user's API. In some examples, authentication passes when the API corresponding to the viewing operation hits in the user's API list and fails when it does not. When calling the authority control logic for server-side authentication, the server 104 can take the user's API directly from its cache instead of deriving it again from the user's authority resources, which makes authentication faster. Because both the front end 102 and the server 104 perform authority control at the interface level, the code logic is further simplified, the amount of code is reduced and maintenance is easier.
In some embodiments, when the server-side authentication passes, the server 104 responds to the API call request for the viewing operation sent by the front end, for example by returning the document data of the target document to the front end. After the front end receives the document data returned by the server, it can present the document data to the user.
In other embodiments, when the server-side authentication fails, the server 104 may reject the API call request for the viewing operation sent by the front end and refuse to return the document data of the target document to the front end, so that the document data of the target document remains protected.
In other embodiments, when the front-end authentication fails, the front end 102 may prompt the user that there is no authority to view the target document. Further, the front end 102 may also prompt the user to apply for permission for the viewing operation on the target document, and so on.
In order to make the technical solution of the disclosure clearer and easier to understand, the rights control method provided by the embodiment of the disclosure is described below from the perspectives of the front end and the server.
As shown in FIG. 2, the present disclosure provides a flowchart of a rights control method, where the method includes:
S201: the front end obtains the user identifier of the user.
The front end may present a human-machine interaction interface that lets the user trigger various operations, such as search, view and edit operations. When the user enters the interface presented by the front end, the front end can prompt the user to log in, and after the user logs in the front end can obtain the user identifier. In other examples, the front end may request the user's authorization and obtain the user identifier on the basis of that authorization. The user identifier may be any one or more of the user's identification code, mailbox address and mobile phone number, and uniquely identifies the user.
S202: and the front end sends an API acquisition request of the user to the server according to the user identification.
The user's API acquisition request asks the server for the user's API, that is, the set of APIs the user has permission to call; the user's API is used for the subsequent front-end authentication.
In some embodiments, the front end encapsulates the user identifier in the user's API acquisition request, so that the request carries the user identifier, and sends the request to the server to ask it to return the user's API.
In other embodiments, the front end may simply send the user identifier to the server, so that the server queries the user's API by the user identifier and returns it to the front end.
S203: and the server acquires the API of the user according to the API acquisition request of the user.
In some embodiments, after receiving an API acquisition request of a user, a server may decapsulate the API acquisition request of the user to obtain a user identifier of the user; in other embodiments, the server may also directly receive the user identifier sent by the front end.
And the server acquires the authority resource of the user according to the user identification of the user. The rights resources of the user may be characterized by a rights name, a rights unique identification and a rights list. As shown in table 1 below, table 1 is a data structure of a rights resource provided in an embodiment of the present disclosure.
Table 1:
Field name | Type         | Description                  | Examples
name       | String       | Rights name                  | user search, user editing
key        | String       | Rights unique identification | rights 1, rights 2
actions    | List<String> | Rights list                  | read, write, read and write
In the process of managing the rights of the user, the operation and maintenance personnel can determine the rights represented by the unique rights identifier based on the rights names, and then adjust the rights list corresponding to the unique rights identifier. For example, the rights resource after adjustment may be "rights 1-user search-read".
In some embodiments, the server looks up the user's authority resources corresponding to the user identifier in a pre-stored association between user identifiers and authority resources. Specifically, the server can obtain the user's rights unique identifications from the pre-stored association between user identifiers and rights unique identifications; because each rights unique identification corresponds one-to-one with a rights name and a rights list, the user's authority resources follow from it. The association between user identifiers and authority resources can be stored in a database in advance; the database can expose an API, and the server obtains the authority resources corresponding to the user identifier by calling that API. In some examples, the server calls the database's API with the user's mailbox address as the parameter, receives the returned rights unique identifications (for example "rights 1" and "rights 2"), and then obtains the user's authority resources from them, such as "rights 1 - user search - read" and "rights 2 - user edit - write".
Then, after the server side obtains the authority resource of the user, the API of the user can be obtained from the association relationship between the preset authority resource and the API.
FIG. 3 is a schematic diagram of the association between a rights resource and an API according to an embodiment of the present disclosure. The association between a preset operation and an authority resource, and the association between that operation and an API, can be pre-configured in the database, which yields the association between authority resources and APIs. The server can therefore obtain the user's API from the user's authority resources. Further, the server may cache the user's API for the subsequent server-side authentication of the user's operations.
In some embodiments, the user's API may be a user's API list that includes at least one Uniform resource locator (uniform resource locator, URL), e.g., the user's API list includes "URL1", "URL2", and "URL3", with different URLs corresponding to different resources (e.g., data). The server can acquire corresponding resources based on the URL.
Once the association between authority resources and APIs is pre-configured in the database, operation and maintenance personnel can manage users' rights simply by updating that association, rather than inspecting and modifying code in the front end and the server separately as hard coding would require. The rights control system therefore greatly reduces the work of operation and maintenance personnel and improves operation and maintenance efficiency.
The server may receive an update request, for example one triggered by operation and maintenance personnel, and update the pre-configured association between authority resources and application programming interfaces (APIs) according to it.
In some examples, the update request carries the authority resource associated with a new operation and the API associated with the new operation, and the server establishes the association between them. In other examples, the update request carries the authority resource associated with an existing (historical) operation and the API associated with that operation, and the server updates the pre-configured association between authority resources and APIs to the association between the authority resource and the API carried in the request.
As shown in fig. 4, the figure is a schematic diagram of an interactive interface provided in an embodiment of the disclosure. The interactive interface includes a rights resource configuration area 401, an API configuration area 402, and a submit control 403. In some examples, the operator may configure the rights resource associated with the new operation in the rights resource configuration area 401 of the interactive interface, configure the API associated with the new operation in the API configuration area 402, and trigger the update request by clicking the submit control 403, so that the server may receive the update request including the rights resource associated with the new operation and the API associated with the new operation, so as to newly establish the association relationship between the rights resource associated with the new operation and the API associated with the new operation in the database.
Similarly, the operator may configure the rights resource associated with the history operation in the rights resource configuration area 401 of the interactive interface, and configure the API associated with the history operation in the API configuration area 402, and then the operator may trigger the update request by clicking the submit control 403, so that the server may receive the update request including the rights resource associated with the history operation and the API associated with the history operation, so as to adjust the association relationship between the original rights resource in the database and the API of the application programming interface, for example, update the association relationship between the rights resource preconfigured in the database and the API of the application programming interface to the association relationship between the rights resource associated with the history operation and the API associated with the history operation.
The API associated with the new operation and the API associated with the existing operation may be an API already present in the database or an API newly added to it. In some examples, the database can automatically detect a newly added API by means of a generic service plugin. The relevant code of the generic service plugin is shown in the original publication as an image (Figure BDA0003380918150000071) and is not reproduced here.
S204: the server sends the user's API to the front end.
After the server obtains the user's API, it returns the user's API to the front end so that the front end can perform front-end authentication based on it.
S205: the front end invokes the authority control logic to perform front end authentication; if the front-end authentication is not passed, executing S206; if the front-end authentication passes, S207 is performed.
After the front end receives the API of the user, authority control logic can be called to carry out front end authentication. The authority control logic indicates that the API corresponding to the operation triggered by the user is authenticated based on the API of the user. The user-triggered operation may be a search operation, an edit operation, or the like.
As shown in fig. 5, the figure is a flowchart of the authority control logic provided in an embodiment of the present disclosure. For ease of understanding, the description is presented in connection with the front end invoking the authority control logic. The process of calling the authority control logic by the front end comprises the following steps:
S501: acquiring an API corresponding to the operation triggered by the user.
The front end can acquire the API corresponding to the operation triggered by the user from the association relation between the preconfigured operation and the API.
S502: judging whether the API corresponding to the operation triggered by the user hits in the API of the user or not.
S503: when the API corresponding to the operation triggered by the user is not hit in the API of the user, the authentication is not passed.
S504: when the API corresponding to the operation triggered by the user hits in the API of the user, the authentication passes.
In some examples, after the front end obtains the API corresponding to the operation triggered by the user and the API of the user, the front end searches the API of the user for the API corresponding to the operation. If the API corresponding to the operation is found, the API corresponding to the operation hits in the API of the user; if it is not found, the API corresponding to the operation does not hit in the API of the user.
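The following is an added example, not code from the patent, showing steps S501 to S504 written once as a single function that both the front end and the server can call, which is the reuse the embodiment aims at. The names `OPERATION_TO_API`, `canonical_api`, `AuthResult` and `authority_control_logic` are hypothetical, and the operation-to-API association is constructed sample data. Two details go beyond the text: an operation with no configured API fails closed, and API identifiers are normalized before the hit test so that the front end and the server compare the same spelling of an API.

```python
# Added example (not the patent's own code): the authority control logic of
# steps S501-S504 as one function shared by the front end and the server.
# OPERATION_TO_API, canonical_api and AuthResult are hypothetical names.

from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

# Preconfigured association between user-triggered operations and the API each
# operation calls (constructed sample data, written as "METHOD path").
OPERATION_TO_API: Mapping[str, str] = {
    "search_document": "GET /api/v1/documents/search",
    "edit_document": "POST /api/v1/documents/edit",
}


def canonical_api(api: str) -> str:
    """Normalize an API identifier so that the hit test in S502 compares like
    with like: upper-case method, single separating space, no trailing slash."""
    method, _, path = api.strip().partition(" ")
    path = path.strip().rstrip("/") or "/"
    return f"{method.upper()} {path}"


@dataclass(frozen=True)
class AuthResult:
    passed: bool          # True: S504 (authentication passes); False: S503
    api: Optional[str]    # the API found in S501, None if none is configured
    reason: str           # "hit", "miss" or "no_api_configured" (for audit logs)


def authority_control_logic(operation: str,
                            user_apis: Iterable[str],
                            operation_to_api: Mapping[str, str] = OPERATION_TO_API
                            ) -> AuthResult:
    """S501: look up the API of the operation; S502: test whether it hits in
    the API of the user; S503/S504: fail or pass. An operation with no
    configured API fails closed instead of being treated as unrestricted."""
    api = operation_to_api.get(operation)
    if api is None:
        return AuthResult(False, None, "no_api_configured")
    api = canonical_api(api)
    allowed = {canonical_api(a) for a in user_apis}
    if api in allowed:
        return AuthResult(True, api, "hit")
    return AuthResult(False, api, "miss")
```

The `reason` field is what a practitioner would log on both sides: a front end "miss" that is followed by a server "miss" for the same user and operation is the situation described in S209, where the front-end check was not honoured.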
S206: the front end prompts the user to have no operation authority.
When the authentication of the front end is not passed, the front end can prompt the user that the operation authority is not available. Fig. 6 is a schematic diagram of a prompt interface according to an embodiment of the disclosure. The prompt interface includes prompt 601, which may be "you have no permission to view this content".
The prompt interface further includes an application control 602. The user can trigger an application request for the authority of the operation through the application control 602, the front end can send the application request triggered by the user to the server, and the operation and maintenance personnel can configure the relevant authority for the user based on the application request. For example, the operation and maintenance personnel can configure the relevant authority for the user through an interactive interface as shown in fig. 4.
S207: the front end sends an API call request corresponding to the operation to the server.
When the front end passes the authentication, the front end can send an API call request corresponding to the operation to the server.
S208: the server calls the authority control logic to perform server authentication; if the server authentication is not passed, executing S209; if the server authentication passes, S210 is executed.
After the server receives the API call request sent by the front end, the authority control logic can be called to perform server authentication. The authority control logic indicates that the API corresponding to the operation triggered by the user is authenticated based on the API of the user. Similarly, as shown in fig. 5, the process of the server calling the authority control logic includes:
S501: acquiring an API corresponding to the operation triggered by the user.
The server side can obtain the API corresponding to the operation triggered by the user based on the received API call request corresponding to the operation.
S502-S504 are similar to the front-end authentication procedure described above, and are not repeated here.
It should be noted that, after acquiring the API of the user, the server may cache the API of the user. In this way, in the authentication process of the server, the user API does not need to be acquired from the database again, but the API corresponding to the operation triggered by the user is directly searched in the cached user APIs, so that the authentication efficiency of the server is further improved.
S209: the server refuses to respond to the API call request sent by the front end.
When the server authentication is not passed, the server refuses to respond to the API call request sent by the front end. In the embodiment of the disclosure, even when a user passes the front-end authentication through an illegal operation, the server still authenticates the API corresponding to the operation triggered by the user, and when the server authentication fails, the server refuses to respond to the API call request sent by the front end, thereby further improving security.
S210: the server responds to the API call request sent by the front end.
In some embodiments, the server may return response data corresponding to the operation to the front end. For example, the server returns document data corresponding to the search operation for the target document to the front end, which may then present the document data to the user.
Based on the above description, the embodiments of the present disclosure provide a rights control method, based on an association relationship between a pre-configured rights resource and an API, a front end may acquire the API of a user through a server, then call a rights control logic to perform front end authentication, and after the front end authentication passes, the server calls the rights control logic to perform the server authentication based on an API call request sent by the front end. Therefore, related codes of authority control logic do not need to be repeatedly written at the front end and the server, code redundancy is reduced, and maintenance is easy. In addition, the authority control logic authenticates based on the API of the user and the API corresponding to the operation, and the front end and the server end perform authority control from the interface level, so that the code logic is further simplified, the code quantity is reduced, and the maintenance is easier.
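The following is an added example, not code from the patent, of the server side of the method summarized above: obtaining the rights resources of a user from the user identifier (S202), deriving the API of the user from the preconfigured association (S203), caching it as described under S208, re-authenticating every API call request on the server (S208 to S210), and handling the update request of fig. 4 for both a new operation and a history operation. `RightsServer`, `front_end_request` and `build_sample_server` are hypothetical names, and all users, rights resources and APIs are constructed sample data. One point goes beyond the text: the cached API of a user is discarded whenever the association is updated, since a cache kept across an update would keep granting APIs that the association no longer grants.

```python
# Added example (not the patent's own code): server side of the rights control
# method with user-API caching, server re-authentication and association
# updates. All names and sample data are hypothetical / constructed.

from typing import Dict, FrozenSet, Optional, Set, Tuple

# Preconfigured association between user-triggered operations and APIs,
# shared by the front end and the server (constructed sample data).
OPERATION_TO_API: Dict[str, str] = {
    "search_document": "GET /api/v1/documents/search",
    "edit_document": "POST /api/v1/documents/edit",
}


class RightsServer:
    def __init__(self, user_rights: Dict[str, Set[str]],
                 resource_to_apis: Dict[str, Set[str]]) -> None:
        self._user_rights = user_rights            # user identifier -> rights resources
        self._resource_to_apis = resource_to_apis  # preconfigured rights resource -> APIs
        self._api_cache: Dict[str, FrozenSet[str]] = {}  # cached API of the user

    def get_user_apis(self, user_id: str) -> FrozenSet[str]:
        """S202-S204: rights resources of the user -> API of the user, cached so
        that server authentication does not go back to the database."""
        cached = self._api_cache.get(user_id)
        if cached is not None:
            return cached
        apis: Set[str] = set()
        for resource in self._user_rights.get(user_id, set()):
            apis |= self._resource_to_apis.get(resource, set())
        self._api_cache[user_id] = frozenset(apis)
        return self._api_cache[user_id]

    def handle_api_call(self, user_id: str, operation: str) -> Tuple[int, str]:
        """S208-S210: the server runs the authority control logic again on the
        API call request; an unknown user, an operation without a configured
        API, or a miss all end in S209 (refuse to respond)."""
        api = OPERATION_TO_API.get(operation)
        if api is None or api not in self.get_user_apis(user_id):
            return 403, "no operation authority"
        return 200, f"response data for {operation}"

    def update_association(self, resource: str, apis: Set[str]) -> None:
        """Update request of fig. 4: creates the association for a new
        operation or replaces it for a history operation. Cached user APIs
        derived from the old association are dropped."""
        self._resource_to_apis[resource] = set(apis)
        self._api_cache.clear()


def front_end_request(server: RightsServer, user_id: str,
                      operation: str) -> Tuple[bool, Optional[Tuple[int, str]]]:
    """Front end: S201 (send user identifier, receive API of the user), S205
    (front end authentication), S206 (prompt, send nothing) or S207 (send the
    API call request). Returns (front_end_passed, server_response)."""
    user_apis = server.get_user_apis(user_id)
    api = OPERATION_TO_API.get(operation)
    if api is None or api not in user_apis:
        return False, None                       # S206: prompt "no authority"
    return True, server.handle_api_call(user_id, operation)   # S207 -> S208


def build_sample_server() -> RightsServer:
    """Constructed sample data: two users, two rights resources."""
    return RightsServer(
        user_rights={"alice": {"doc_reader", "doc_editor"}, "bob": {"doc_reader"}},
        resource_to_apis={
            "doc_reader": {"GET /api/v1/documents/search"},
            "doc_editor": {"POST /api/v1/documents/edit"},
        },
    )


if __name__ == "__main__":
    srv = build_sample_server()
    print(front_end_request(srv, "alice", "edit_document"))   # front end and server pass
    print(front_end_request(srv, "bob", "edit_document"))     # stopped at the front end
    print(srv.handle_api_call("bob", "edit_document"))        # front end skipped: server refuses
```

Calling `handle_api_call` directly, without `front_end_request`, models the case in S209 where a request reaches the server without a passing front-end check; the server's own run of the logic is what decides, which is why the same association and the same logic must be used on both sides.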
FIG. 7 is a schematic diagram of a server according to an exemplary embodiment of the disclosure. As shown in FIG. 7, the server comprises:
a communication unit 701, configured to receive a user identifier sent by a front end;
an obtaining unit 702, configured to obtain a rights resource of a user according to a user identifier, and obtain an API of the user from an association relationship between a pre-configured rights resource and an API of an application programming interface according to the rights resource of the user;
the communication unit 701 is further configured to return an API of the user to the front end, and receive an API call request corresponding to the operation sent by the front end;
an authentication unit 703, for calling the authority control logic, and when authentication passes, responding to the API calling request corresponding to the operation; and the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user.
Optionally, the server further includes an updating unit; the updating unit is used for receiving an updating request, and updating the association relation between the preconfigured authority resource and the application programming interface API according to the updating request.
Optionally, the update request includes a rights resource associated with the newly added operation and an API associated with the newly added operation; the updating unit is specifically configured to create an association relationship between the rights resource associated with the new operation and the API associated with the new operation.
Optionally, the update request includes a rights resource associated with a history operation and an API associated with the history operation; the updating unit is specifically configured to update the association relationship between the preconfigured authority resource and the API of the application programming interface to the association relationship between the authority resource associated with the history operation and the API associated with the history operation.
Optionally, the authentication unit 703 is further configured to reject the API call request corresponding to the operation when the authentication is not passed.
Optionally, the authentication unit 703 is further configured to return response data corresponding to the operation to the front end, so that the front end presents the response data.
FIG. 8 is a schematic diagram of a front end according to an exemplary embodiment of the disclosure. As shown in FIG. 8, the front end includes:
a communication unit 801, configured to send a user identifier of a user to a server, and receive an API of the user returned by the server; the API of the user is obtained from the association relationship between the preset authority resource and the API of the application programming interface through the authority resource of the user by the server, and the authority resource of the user is obtained by the server based on the user identifier;
An authentication unit 802, configured to invoke rights control logic, where the rights control logic indicates that an API corresponding to the operation is authenticated based on the API of the user;
and the communication unit 801 is further configured to send an API call request corresponding to the operation triggered by the user to the server when the authentication is passed.
Optionally, the authentication unit 802 is further configured to prompt the user to have no authority of the operation when authentication is not passed.
Optionally, the communication unit 801 is further configured to receive response data corresponding to the operation returned when the authentication of the server passes, and the front end further includes a display unit, where the display unit is configured to present the response data.
The functions of the above modules are described in detail in the method steps in the above embodiment, and are not described herein.
Referring now to fig. 9, a schematic diagram of an electronic device 900, which may be a server, suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 9 is merely an example, and should not impose any limitations on the functionality and scope of use of embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 may include a processing means (e.g., a central processor, a graphics processor, etc.) 901, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage means 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are also stored. The processing device 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
In general, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. The communication means 909 may allow the electronic device 900 to communicate wirelessly or by wire with other devices to exchange data. While fig. 9 shows an electronic device 900 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 909, or installed from the storage device 908, or installed from the ROM 902. When executed by the processing device 901, the computer program performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
In some implementations, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receive a user identifier sent by a front end, acquire the authority resource of the user according to the user identifier, acquire the API of the user from the association relation between the preset authority resource and the application programming interface API according to the authority resource of the user, and return the API of the user to the front end; receive an API call request corresponding to the operation triggered by the user when the authentication of the front end calling the authority control logic passes, call the authority control logic according to the API call request corresponding to the operation, and respond to the API call request corresponding to the operation when the authentication passes; wherein the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user; or alternatively:
send a user identifier of a user to a server; receive the API of the user returned by the server, wherein the API of the user is obtained by the server from the association relationship between the preset authority resource and the application programming interface API through the authority resource of the user, and the authority resource of the user is obtained by the server based on the user identifier; call the authority control logic, and when authentication is passed, send an API call request corresponding to the operation triggered by the user to the server; wherein the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented in software or hardware. The name of a module is not limited to the module itself in some cases, and for example, the first acquisition module may also be described as "a module that acquires at least two internet protocol addresses".
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Example 1 provides a rights control system, including a front end and a server, according to one or more embodiments of the present disclosure;
the front end is used for sending the user identification of the user to the service end;
the server is used for acquiring the authority resources of the user according to the user identification; acquiring the API of the user from the association relationship between the pre-configured authority resource and the API of the application programming interface according to the authority resource of the user, and returning the API of the user to the front end;
the front end is used for calling authority control logic, and when authentication is passed, an API calling request corresponding to the operation triggered by the user is sent to the server; the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user;
and the server is used for calling the authority control logic according to the API call request corresponding to the operation, and responding to the API call request corresponding to the operation when the authentication passes.
According to one or more embodiments of the present disclosure, example 2 provides the system of example 1, wherein the server is further configured to receive an update request, and update the association relationship between the preconfigured rights resource and the application programming interface API according to the update request.
Example 3 provides the system of example 2, the update request comprising a rights resource associated with a new operation, and an API associated with the new operation, in accordance with one or more embodiments of the present disclosure; the server is specifically configured to newly establish an association relationship between the authority resource associated with the new operation and the API associated with the new operation.
Example 4 provides the system of example 2, the update request comprising a rights resource associated with a historical operation, and an API associated with the historical operation, in accordance with one or more embodiments of the present disclosure; the server is specifically configured to update an association relationship between the preconfigured authority resource and an API of the application programming interface to an association relationship between the authority resource associated with the history operation and the API associated with the history operation.
Example 5 provides the system of example 1, according to one or more embodiments of the present disclosure, wherein the front end is further configured to prompt the user that the user has no authority for the operation when authentication is not passed.
Example 6 provides the system of example 1, according to one or more embodiments of the present disclosure, wherein the server is further configured to reject the API call request corresponding to the operation when the authentication is not passed.
Example 7 provides the system of any one of examples 1-6, according to one or more embodiments of the present disclosure, wherein the server is specifically configured to return response data corresponding to the operation to the front end when authentication is passed;
the front end is further configured to present the response data.
According to one or more embodiments of the present disclosure, example 8 provides a rights control method, applied to a server, the method including:
the server receives a user identifier sent by the front end, acquires authority resources of a user according to the user identifier, acquires the API of the user from the association relationship between the preset authority resources and the API of the application programming interface according to the authority resources of the user, and returns the API of the user to the front end;
the server receives an API call request corresponding to the operation triggered by the user when the authentication of the front end calling the authority control logic passes, calls the authority control logic according to the API call request corresponding to the operation, and responds to the API call request corresponding to the operation when the authentication passes; and the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user.
Example 9 provides the method of example 8, according to one or more embodiments of the present disclosure, the method further comprising:
and the server receives an update request, and updates the association relationship between the preconfigured authority resource and the application programming interface API according to the update request.
Example 10 provides the method of example 9, the update request comprising a rights resource associated with a new operation, and an API associated with the new operation, in accordance with one or more embodiments of the present disclosure; the updating the association relationship between the preconfigured authority resource and the application programming interface API comprises the following steps:
newly establishing the association relation between the authority resource associated with the new operation and the API associated with the new operation.
Example 11 provides the method of example 9, the update request comprising a rights resource associated with a historical operation, and an API associated with the historical operation, in accordance with one or more embodiments of the present disclosure; the updating the association relationship between the preconfigured authority resource and the application programming interface API comprises the following steps:
updating the association relation between the preconfigured authority resource and the application programming interface API to the association relation between the authority resource associated with the historical operation and the API associated with the historical operation.
Example 12 provides the method of example 8, according to one or more embodiments of the disclosure, the method further comprising:
the server rejects the API call request corresponding to the operation when the authentication is not passed.
Example 13 provides the method of examples 8-12, in accordance with one or more embodiments of the present disclosure, the responding to the API call request corresponding to the operation comprising:
and returning response data corresponding to the operation to the front end so that the front end presents the response data.
Example 14 provides a rights control method, applied to a front end, according to one or more embodiments of the present disclosure, the method comprising:
the front end sends a user identification of a user to the server;
the front end receives the API of the user returned by the server, wherein the API of the user is obtained from the association relationship between the preset authority resource and the API of the application programming interface by the server through the authority resource of the user, and the authority resource of the user is obtained by the server based on the user identifier;
the front end calls authority control logic, and when authentication is passed, an API call request corresponding to operation triggered by a user is sent to a server; and the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user.
Example 15 provides the method of example 14, according to one or more embodiments of the present disclosure, the method further comprising:
and when the authentication is not passed, the front end prompts the user to have no authority of the operation.
Example 16 provides the method of example 14 or 15, further comprising:
the front end receives response data corresponding to the operation returned when the authentication of the server passes;
the front end presents the response data.
The foregoing description is only of the preferred embodiments of the present disclosure and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this disclosure is not limited to the specific combinations of features described above, but also covers other embodiments which may be formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure. For example, the features described above may be replaced with technical features having similar functions disclosed in the present disclosure (but not limited thereto).
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims. The specific manner in which the various modules perform the operations in the apparatus of the above embodiments has been described in detail in connection with the embodiments of the method, and will not be described in detail herein.

Claims (19)

1. An authority control system, characterized by comprising a front end and a server;
the front end is used for sending the user identification of a user to the server;
the server is used for acquiring the authority resources of the user according to the user identification; acquiring the APIs of the user, according to the authority resources of the user, from a preconfigured association relationship between authority resources and application programming interfaces (APIs); and returning the APIs of the user to the front end;
the front end is used for calling authority control logic and, when authentication is passed, sending an API call request corresponding to the operation triggered by the user to the server; the authority control logic indicates that the API corresponding to the operation is authenticated based on the APIs of the user;
and the server is used for calling the authority control logic according to the API call request corresponding to the operation, and responding to the API call request corresponding to the operation when authentication is passed.
2. The system of claim 1, wherein the server is further configured to receive an update request, and update the association between the preconfigured rights resource and the API according to the update request.
3. The system of claim 2, wherein the update request includes a rights resource associated with a new operation and an API associated with the new operation; the server is specifically configured to newly establish an association relationship between the authority resource associated with the new operation and the API associated with the new operation.
4. The system of claim 2, wherein the update request includes a rights resource associated with a historical operation and an API associated with the historical operation; the server is specifically configured to update an association relationship between the preconfigured authority resource and an API of the application programming interface to an association relationship between the authority resource associated with the history operation and the API associated with the history operation.
5. The system of claim 1, wherein the front end is further configured to prompt the user that the user has no authority for the operation when authentication is not passed.
6. The system of claim 1, wherein the server is further configured to reject the API call request corresponding to the operation when the authentication is not passed.
7. The system according to any one of claims 1 to 6, wherein the server is specifically configured to return response data corresponding to the operation to the front end when authentication is passed;
the front end is further configured to present the response data.
8. A rights control method, characterized in that it is applied to a server, the method comprising:
the server receives a user identifier sent by the front end, acquires the authority resources of a user according to the user identifier, acquires the APIs of the user, according to the authority resources of the user, from a preconfigured association relationship between authority resources and application programming interfaces (APIs), and returns the APIs of the user to the front end;
the server receives an API call request corresponding to an operation triggered by the user, which the front end sends when authentication by the authority control logic called by the front end passes; the server calls the authority control logic according to the API call request corresponding to the operation, and responds to the API call request corresponding to the operation when authentication is passed; and the authority control logic indicates that the API corresponding to the operation is authenticated based on the APIs of the user.
9. The method of claim 8, wherein the method further comprises:
the server receives an update request, and updates the association relationship between the preconfigured authority resources and the application programming interface APIs according to the update request.
10. The method of claim 9, wherein the update request includes a rights resource associated with a new operation and an API associated with the new operation; the updating the association relationship between the preconfigured authority resource and the application programming interface API comprises the following steps:
newly establishing the association relationship between the authority resources associated with the new operation and the APIs associated with the new operation.
11. The method of claim 9, wherein the update request includes a rights resource associated with a historical operation and an API associated with the historical operation; the updating the association relationship between the preconfigured authority resource and the application programming interface API comprises the following steps:
updating the association relationship between the preconfigured authority resources and the application programming interface APIs to be the association relationship between the authority resources associated with the historical operation and the APIs associated with the historical operation.
12. The method of claim 8, wherein the method further comprises:
the server rejects the API call request corresponding to the operation when authentication is not passed.
13. The method according to any one of claims 8-12, wherein responding to the API call request corresponding to the operation comprises:
returning response data corresponding to the operation to the front end, so that the front end presents the response data.
14. A rights control method, applied to a front end, the method comprising:
the front end sends a user identification of a user to the server;
the front end receives the API of the user returned by the server, wherein the API of the user is obtained from the association relationship between the preset authority resource and the API of the application programming interface by the server through the authority resource of the user, and the authority resource of the user is obtained by the server based on the user identifier;
the front end calls authority control logic, and when authentication is passed, an API call request corresponding to operation triggered by a user is sent to a server; and the authority control logic indicates that the API corresponding to the operation is authenticated based on the API of the user.
15. The method of claim 14, wherein the method further comprises:
when authentication is not passed, the front end prompts the user that the user has no authority for the operation.
16. The method according to claim 14 or 15, characterized in that the method further comprises:
the front end receives response data corresponding to the operation, returned by the server when authentication passes;
the front end presents the response data.
17. An electronic device, comprising:
a storage device having a computer program stored thereon;
processing means for executing said computer program in said storage device to carry out the steps of the method of any one of claims 8 to 16.
18. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processing device, carries out the steps of the method according to any one of claims 8 to 16.
19. A computer program product, characterized in that the computer program product, when run on a computer, causes the computer to perform the method of any of claims 8 to 16.
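The two-stage check of claims 1, 5 and 6 (front-end gate on the returned API list, server-side re-authentication on every call) and the mapping update of claims 2 to 4, as an added example that is not the patent's code; all user identifiers, authority resources and API names are constructed for illustration:

```python
# Added example, not the patent's code: server resolves user -> authority
# resources -> APIs (claim 1), updates the mapping (claims 2-4) and
# re-authenticates each API call (claim 6); the front end's local check is
# only a UX gate (claim 5). All ids, resources and API names are constructed.

RESOURCE_TO_APIS = {  # constructed preconfigured association: resource -> APIs
    "doc:read": {"GET /api/docs", "GET /api/docs/{id}"},
    "doc:write": {"POST /api/docs", "PUT /api/docs/{id}"},
    "doc:admin": {"DELETE /api/docs/{id}"},
}
USER_RESOURCES = {  # constructed: user identifier -> authority resources held
    "u-alice": {"doc:read", "doc:write"},
    "u-bob": {"doc:read"},
}


class Server:
    def __init__(self, resource_to_apis, user_resources):
        # Copy so that updates never touch the module-level constants
        self.resource_to_apis = {r: set(a) for r, a in resource_to_apis.items()}
        self.user_resources = user_resources

    def apis_for_user(self, user_id):
        """Claim 1: user id -> authority resources -> APIs; unknown ids get nothing."""
        apis = set()
        for resource in self.user_resources.get(user_id, ()):
            apis |= self.resource_to_apis.get(resource, set())
        return apis

    def update_association(self, resource, apis):
        """Claims 2-4: create a new association or replace an existing one."""
        self.resource_to_apis[resource] = set(apis)

    def handle_api_call(self, user_id, api):
        """Claims 1 and 6: authenticate from server state, never from the front end's copy."""
        if api not in self.apis_for_user(user_id):
            return 403, {"error": "forbidden"}
        return 200, {"data": f"response for {api}"}


class FrontEnd:
    def __init__(self, server, user_id):
        self.server, self.user_id = server, user_id
        self.user_apis = server.apis_for_user(user_id)  # claim 1: list returned to front end

    def trigger(self, api):
        """Claim 5: local check; on failure prompt the user instead of calling the server."""
        if api not in self.user_apis:
            return "no permission for this operation"
        return self.server.handle_api_call(self.user_id, api)
```

Adding an API to the front end's cached `user_apis` still gets a 403 from `Server.handle_api_call`, which is why the server-side check of claim 6 is the authoritative one and the front-end check only spares the user a failed request.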
CN202111433945.9A 2021-11-29 2021-11-29 Authority control system, method, equipment, medium and product Pending CN116186723A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111433945.9A CN116186723A (en) 2021-11-29 2021-11-29 Authority control system, method, equipment, medium and product
Publications (1)

Publication Number Publication Date
CN116186723A true CN116186723A (en) 2023-05-30

Family

ID=86442822
Country Status (1)

Country Link
CN (1) CN116186723A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination