CN117155690A

CN117155690A - Communication method, electronic device, and storage medium

Info

Publication number: CN117155690A
Application number: CN202311219464.7A
Authority: CN
Inventors: 包宸曦; 王常玲; 蔡庆宇; 吕涛; 马文辉; 许灵军; 李雯雯; 兰宇; 孙远航
Original assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Current assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Priority date: 2023-09-20
Filing date: 2023-09-20
Publication date: 2023-12-01

Abstract

The application provides a communication method, an electronic device and a storage medium. The method comprises the following steps: receiving an authentication request message sent by first access equipment of a first communication network, wherein the authentication request message is used for requesting whether an authentication terminal has access rights of a target resource; determining whether the terminal has the access right of the target resource; and when the terminal has the access right of the target resource, sending authentication and authorization information of the terminal for the access right of the target resource to the first access equipment and a second access equipment of a second communication network, so that the second access equipment confirms whether the terminal has the access right of the target resource or not based on the authentication and authorization information when the terminal requests to access the target resource through the second communication network. The method reduces the time delay when the terminal accesses the target resource through different communication networks and improves the user experience.

Description

Communication method, electronic device, and storage medium

Technical Field

The present application relates to the field of communications, and in particular, to a communication method, an electronic device, and a storage medium.

Background

For some specific resources, such as private network or intranet resources, on the premise that the access authority authentication passes, the terminal (such as a mobile phone, a computer and the like) can access through a plurality of different communication networks. The communication network here may be, for example, a mobile network, a local area network, etc. Currently, access rights of terminals are generally authenticated by using respective access rights authentication methods and authentication resources (e.g., authentication servers) for different communication networks. However, this approach has the problems of increasing signaling overhead and complexity of use, increasing service delay, and even causing service interruption reconnection.

Disclosure of Invention

The application provides a communication method, electronic equipment and a storage medium, which are used for solving the problems of high signaling overhead, high use complexity, high service delay, even service interruption reconnection and the like when a terminal accesses resources which need access authority authentication through different communication networks.

In a first aspect, the present application provides a communication method comprising:

receiving an authentication request message sent by first access equipment of a first communication network, wherein the authentication request message is used for requesting whether an authentication terminal has access rights of a target resource;

Determining whether the terminal has the access right of the target resource;

and when the terminal has the access right of the target resource, sending authentication and authorization information of the terminal for the access right of the target resource to the first access equipment and a second access equipment of a second communication network, so that the second access equipment confirms whether the terminal has the access right of the target resource or not based on the authentication and authorization information when the terminal requests to access the target resource through the second communication network.

Optionally, the authentication authorization information includes: and the validity period of the authentication authorization of the terminal aiming at the access authority of the target resource.

Optionally, before the authentication authorization information of the access right of the terminal for the target resource is sent to the first access device and the second access device of the second communication network, the method further includes:

and determining that the terminal supports the access to the target resource through the second communication network.

Optionally, the message header of the authentication request message carries the identifier of the terminal;

the determining whether the terminal has the access right of the target resource comprises the following steps:

And determining whether the terminal has the access right of the target resource according to the identification of the terminal.

In a second aspect, the present application provides a communication method applied to a second access device of a second communication network, the method comprising:

receiving authentication authorization information of access rights of a terminal to a target resource, which is sent by an authentication server; the authentication authorization information is sent by the authentication server when the authentication request message sent by the first access equipment of the first communication network is used for requesting whether the authentication terminal has the access right of the target resource or not, and the authentication request message is determined that the terminal has the access right of the target resource;

receiving an access request message sent by the terminal, wherein the access request message is used for requesting to access a target resource;

confirming that the terminal has the access right of the target resource according to the authentication and authorization information;

and establishing a network access for the terminal to access the target resource.

Optionally, the message header of the access request message carries the identifier of the terminal;

the step of confirming that the terminal has the access right of the target resource according to the authentication and authorization information comprises the following steps:

And according to the authentication and authorization information and the identification of the terminal, confirming whether the terminal has the access right of the target resource.

Optionally, according to the authentication authorization information and the identifier of the terminal, the method for confirming that the terminal has the access right of the target resource includes:

determining whether the terminal has the access right of the target resource or not;

and if the authentication is determined, confirming that the terminal has the access right of the target resource according to the authentication authorization information and the identification of the terminal.

Optionally, the determining, according to the authentication authorization information and the identifier of the terminal, that the terminal has the access right of the target resource includes:

detecting whether the message header of the access request message carries the identifier of the terminal;

and if the terminal identification is carried, confirming that the terminal has the access right of the target resource according to the authentication and authorization information and the terminal identification.

Optionally, if an access request message which does not carry the identifier of the terminal in the message header is received, an access request response is sent to the terminal, where the access request response is used to instruct the terminal to resend the access request message which carries the identifier of the terminal in the message header.

Optionally, the authentication authorization information includes: the validity period of the authentication authorization of the terminal aiming at the access authority of the target resource; the step of confirming that the terminal has the access right of the target resource according to the authentication and authorization information comprises the following steps:

determining whether the authentication and authorization information is valid or not according to the validity period;

and if the authentication and authorization information is valid, confirming that the terminal has the access right of the target resource according to the authentication and authorization information.

Optionally, the method further comprises:

if the authentication authorization information is invalid, an authentication request message is sent to an authentication server, wherein the authentication request message is used for requesting authentication of whether the terminal has the access right of the target resource or not;

receiving an authentication request response returned by the authentication server, wherein the authentication request response is used for indicating whether the terminal has the access right of the target resource;

and if the authentication request response is used for indicating that the terminal has the access right of the target resource, establishing a network access for the terminal to access the target resource.

Optionally, the confirming that the terminal has the access right of the target resource according to the authentication authorization information includes:

and if the authentication is determined, confirming that the terminal has the access right of the target resource according to the authentication authorization information.

In a third aspect, the present application provides a communication apparatus comprising:

the receiving module is used for receiving an authentication request message sent by first access equipment of a first communication network, wherein the authentication request message is used for requesting whether an authentication terminal has access rights of a target resource or not;

the determining module is used for determining whether the terminal has the access right of the target resource;

and the sending module is used for sending authentication and authorization information of the access right of the terminal to the target resource to the first access equipment and second access equipment of a second communication network when the terminal has the access right of the target resource, so that the second access equipment confirms whether the terminal has the access right of the target resource or not based on the authentication and authorization information when the terminal requests to access the target resource through the second communication network.

In a fourth aspect, the present application provides a communication apparatus comprising:

The first receiving module is used for receiving authentication authorization information of the access authority of the terminal to the target resource, which is sent by the authentication server; the authentication authorization information is sent by the authentication server when the authentication request message sent by the first access equipment of the first communication network is used for requesting whether the authentication terminal has the access right of the target resource or not, and the authentication request message is determined that the terminal has the access right of the target resource;

the second receiving module is used for receiving an access request message sent by the terminal, wherein the access request message is used for requesting to access the target resource;

the confirmation module is used for confirming whether the terminal has the access right of the target resource according to the authentication and authorization information;

and the establishing module is used for establishing a network access for the terminal to access the target resource if the terminal is confirmed to have the access right of the target resource.

In a fifth aspect, the present application provides an electronic device, comprising: a processor, and a memory communicatively coupled to the processor, a transceiver;

the memory stores computer-executable instructions;

the transceiver is used for receiving and transmitting messages;

the processor executes computer-executable instructions stored by the memory to implement the method of any of the second aspects.

In a sixth aspect, the present application provides an electronic device, comprising: a processor, and a memory and a communication interface which are in communication connection with the processor;

the memory stores computer-executable instructions;

the processor executes computer-executable instructions stored in the memory to implement the method of the first aspect, or any of the second aspects.

In a seventh aspect, the present application provides a computer-readable storage medium having stored therein computer-executable instructions for performing the method of the first aspect, or any of the second aspects, when executed by a processor.

In an eighth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect, or any of the second aspects.

According to the communication method, the electronic equipment and the storage medium, the authentication server receives the authentication request message sent by the first access equipment of the first communication network, and the authentication request message is used for requesting whether the authentication terminal has the access right of the target resource or not; subsequently, the authentication server determines whether the terminal has the access right of the target resource; when the terminal has the access right of the target resource, the authentication server sends authentication authorization information of the terminal for the access right of the target resource to the first access device and the second access device of the second communication network, so that the second access device confirms whether the terminal has the access right of the target resource or not based on the authentication authorization information when the terminal requests to access the target resource through the second communication network. In this way, the integration of the authentication servers of the first communication network and the second communication network is realized, that is, after the terminal has been accessed to the authentication server through the first communication network to confirm that the terminal has the access right to the target resource, if the terminal accesses the target resource through the second communication network, the terminal does not need to pass the authentication of the authentication server, but only needs to confirm through the second access device of the second communication network. Therefore, the access authority authentication path of the terminal when accessing the target resource through the second communication network can be shortened, the authentication time is saved, the signaling overhead and the complexity of use can be reduced, the service time delay is reduced, and the user experience is improved.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.

Fig. 1 is a schematic flow chart of a first communication method provided by the present application;

FIG. 2 is a schematic diagram of a communication method according to the present application;

FIG. 3 is a flow chart of a second communication method according to the present application;

fig. 4 is a schematic flow chart of a third communication method according to the present application;

fig. 5 is a schematic structural diagram of a first communication device according to the present application;

fig. 6 is a schematic structural diagram of a second communication device according to the present application;

fig. 7 is a schematic structural diagram of a first electronic device 110 according to the present application;

fig. 8 is a schematic structural diagram of a second electronic device 220 according to the present application.

Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.

Detailed Description

Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.

It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with related laws and regulations and standards, and provide corresponding operation entries for the user to select authorization or rejection.

The terminal (such as a mobile phone, a computer, a tablet and the like) can access some specific resources (such as private network resources and intranet resources) through a plurality of different communication networks on the premise of having access rights. Currently, different communication networks generally employ independent access rights authentication systems. For example, the authentication methods adopted by different communication networks may be different, the adopted authentication servers are independent, and the operation and maintenance are also independent.

In some scenarios, a terminal may need to switch the communication network used to enable access to a particular resource. For example, in a campus scenario, a terminal may need to frequently perform handover between a mobile network and a campus network. At present, since two authentication modes of the communication networks for specific resources are independent from each other, when the terminal switches the communication networks, it is often necessary to re-acquire authentication information (for example, account numbers and passwords) input by a user. This approach has a large signaling overhead and a large complexity of use. When the terminal switches the communication network, the authentication information needs to be input again, so that the service delay is increased, and even the service interruption reconnection and the like are caused.

The inventor considers that if one set of authentication system can be adopted for different communication networks, signaling overhead and complexity of use can be reduced, service time delay is reduced, and user experience is improved.

In view of this, the present application provides a communication method, which builds a set of authentication system for whether a terminal has access rights to specific resources for different communication networks, and when the terminal accesses a target resource through different communication networks, authentication of the access rights of the terminal can be achieved based on only one authentication server. In addition, when the terminal accesses a specific resource through a different communication network, the authentication server only needs to authenticate the terminal once, and does not need to authenticate again when the terminal changes the communication network. Therefore, the signaling overhead and the complexity of use can be reduced, the service delay is reduced, and the problems of service interruption reconnection and the like caused by the terminal when the communication network is changed are avoided.

The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.

Fig. 1 is a schematic flow chart of a first communication method provided by the present application, and fig. 2 is a schematic flow chart of a communication method provided by the present application, as shown in fig. 1 and fig. 2, the method includes the following steps:

s101, a first access device of a first communication network sends an authentication request message to an authentication server, wherein the authentication request message is used for requesting whether an authentication terminal has access rights of a target resource.

The first communication network may be any communication network that may establish a communication path between the terminal and the target resource, for example, a mobile network or a local area network. The type of the first access device is related to the type of the first communication network, for example, if the first communication network is a local area network, the access device may be, for example, an access controller (Access Controller, AC) or a wireless access point (Wireless Access Point, AP); if the first communication network is a mobile network, the access device may be, for example, a session management network element (Session Management function, SMF) or a user plane network element (User plane function, UPF). The authentication server here may be, for example, an authentication, authorization and accounting (Authentication, authorization, accounting, AAA) server. The target resource may be any resource that needs access authority authentication, for example, a private network resource or an intranet resource.

The present application is not limited to the content specifically included in the authentication request message, and specifically relates to the authentication method, and may be either non-inductive authentication or inductive authentication. For example, if the authentication is performed by a sensible authentication method, the authentication request message may include, for example, an account number and a password that are input by the user and used for performing access rights authentication. If the authentication is performed by the non-inductive authentication method, the identifier of the terminal may be directly written in the header of the authentication request message, for example. The application is not limited to the type of identity of the terminal, for example, when the terminal is a mobile phone, the identity of the terminal may include any one or more of an international mobile subscriber identity (International Mobile Subscriber Identity, IMSI), a phone number, an international mobile equipment identity (International Mobile Equipment Identity, IMEI) of the terminal, and the like, for example.

For example, if the terminal wants to access the target resource through the first communication network, the terminal sends an access request message to a first access device of the first communication network. Subsequently, the first access device sends an authentication request message to the authentication server based on the access request message. The application is not limited to the type of transmission protocol used for the messages described above, but may be, for example, hypertext transfer security protocol (Hypertext Transfer Protocol Secure, HTTPS); alternatively, a transmission control protocol (Transmission Control Protocol, TCP) is also possible. Correspondingly, the authentication server receives an authentication request message sent by a first access device of the first communication network.

S102, the authentication server determines whether the terminal has the access right of the target resource.

The manner in which the authentication server determines whether the terminal has access to the target resource is related to the content included in the authentication request message. For example, if the authentication request message includes the identity of the terminal, the authentication server may store the identities of all terminals having access rights to the target resource, for example. The authentication server judges whether the stored identifiers of all the terminals with the access rights comprise the identifiers of the terminals in the currently acquired authentication request message, and if so, the authentication server determines that the terminals have the access rights of the target resources.

For another example, if the authentication request message includes an account number and a password for performing access rights authentication, which are input by the user, the authentication server may store the account numbers and the corresponding passwords of all users having access rights with respect to the target resource, for example. The authentication server judges whether the account number and the password in the authentication request message are consistent with the stored account number and password, and if yes, the terminal is determined to have the access right of the target resource.

If it is determined that the terminal has the access right to the target resource, step S103 is performed.

S103, the authentication server sends authentication authorization information of the access authority of the terminal for the target resource to the first access equipment and the second access equipment of the second communication network.

The second communication network may be any communication network that can establish a communication path between the terminal and the target resource, for example, a mobile network or a local area network. It should be appreciated that the first communication network and the second communication network are not the same communication network. The type of the second access device is related to the type of the second communication network. The present application is not limited to the specific content included in the authentication and authorization information, and may include, for example, the identification of the terminal.

In this step, the authentication server sends authentication authorization information of the access right of the terminal to the target resource to the first access device, and the second access device of the second communication network, so that the first access device and the second access device learn that the terminal has the access right to the target resource.

Correspondingly, the first access device and the second access device of the second communication network receive authentication authorization information of the access right of the terminal to the target resource, which is sent by the authentication server.

S104, the terminal sends an access request message to the second access equipment.

The access request message is used for requesting access to the target resource. The terminal can access the target resource through the first communication network, and can also access the target resource through the second communication network. And when the terminal accesses the target resource through the second communication network, the terminal sends an access request message to the second access equipment. As described above, the present application is not limited to the content included in the access request message, and is particularly related to the authentication method of the access right.

Correspondingly, the second access device receives an access request message sent by the terminal through the second communication network.

S105, confirming whether the terminal has the access right of the target resource according to the authentication and authorization information.

Since the second access device has acquired the authentication authorization information of the access right of the terminal to the target resource in step S103, the second access device may directly determine whether the terminal has the access right of the target resource based on the acquired authentication authorization information when the terminal requests to access the target resource through the second communication network, without confirming whether the terminal has the access right of the target resource by transmitting an authentication request message to the authentication server.

For example, when the second access device acquires the access request message sent by the terminal through the second communication network, it is determined whether the authentication authorization information of the terminal for the target resource has been acquired, and if it is determined that the authentication authorization information of the terminal has been acquired, it is determined that the terminal has the access right for the target resource. In this case, the second access device does not need to determine whether the terminal has access rights to the target resource by sending the authentication request message to the authentication server, so that an authentication path when the terminal accesses the target resource through the second communication network can be shortened, and authentication time can be saved.

If it is confirmed that the terminal has the access right to the target resource, step S106 is executed.

S106, the second access equipment establishes a network path for the terminal to access the target resource.

In this step, the second access device establishes a network path for the terminal to access the target resource, so that the terminal can access the target resource through the second communication network. The application is not limited to the manner in which the second access device establishes a network path for the terminal to access the target resource, and is particularly related to the type of the second communication network. Reference may be made specifically to the prior art, and will not be described in detail herein.

S107, the terminal accesses the target resource through the network path.

Because the second access device of the second communication network establishes a network path for the terminal to access the target resource, in this step, the terminal can access the target resource through the network path.

In this embodiment, the authentication server receives an authentication request message sent by a first access device of a first communication network, where the authentication request message is used to request whether an authentication terminal has access rights of a target resource; subsequently, the authentication server determines whether the terminal has the access right of the target resource; when the terminal has the access right of the target resource, the authentication server sends authentication authorization information of the terminal for the access right of the target resource to the first access device and the second access device of the second communication network, so that the second access device confirms whether the terminal has the access right of the target resource or not based on the authentication authorization information when the terminal requests to access the target resource through the second communication network. In this way, the integration of the authentication servers of the first communication network and the second communication network is realized, that is, after the terminal has been accessed to the authentication server through the first communication network to confirm that the terminal has the access right to the target resource, if the terminal accesses the target resource through the second communication network, the terminal does not need to pass the authentication of the authentication server, but only needs to confirm through the second access device of the second communication network. Therefore, the access authority authentication path of the terminal when accessing the target resource through the second communication network can be shortened, the authentication time is saved, the signaling overhead and the complexity of use can be reduced, the service time delay is reduced, and the user experience is improved.

Optionally, the authentication authorization information may include a validity period of authentication authorization of the access right of the terminal to the target resource. In the following, it is explained how the second access device confirms whether the terminal has the access right to the target resource based on the authentication authorization information, specifically, step S105 in the above-described embodiment. Fig. 3 is a flow chart of a second communication method provided by the present application, as shown in fig. 3, step S105 may include the following steps:

s201, the second access device determines whether the authentication and authorization information is valid according to the validity period.

In this step, the second access device determines, according to the validity period, whether the authentication and authorization information is valid, and further may determine whether the authentication and authorization information may be used as a basis for determining whether the terminal has access rights to the target resource.

The application is not limited to the representation mode of the validity period, and can be represented by a mode of marking the starting time of the validity period of the authentication and authorization information, or by a mode of marking the validity period and acquiring the authentication and authorization information.

Illustratively, the second access device determines whether the authentication authorization information is valid based on the current time and the validity period of the second access device. If the authentication authorization information is valid, step S202 is performed.

Optionally, if the authentication authorization information has been disabled, step S203 is performed.

S202, the second access device confirms that the terminal has the access right of the target resource according to the authentication and authorization information.

The second access device confirms that the terminal has the access right of the target resource according to the authentication and authorization information because the authentication and authorization information is valid and the second access device indicates that the second access device has the access right of the target resource only by acquiring the authentication and authorization information.

Optionally, the second access device may also determine whether to authenticate whether the terminal has access rights of the target resource; and if the authentication is determined to be carried out, confirming that the terminal has the access right of the target resource according to the authentication authorization information.

The terminal can access some specific resources, such as private network resources and intranet resources, and some public network resources through the second communication network. For access to public network resources, whether the terminal has access authority or not is not required to be authenticated. Therefore, the second access device first determines whether the terminal needs to authenticate whether the terminal has the access authority of the target resource or not, so as to avoid unnecessary authentication of the access device when the terminal actually wants to access the public network resource, which causes waste of computational resources.

The second access device may store, for example, a mapping relationship between the resource and whether access permission authentication is required, and determine, according to the target resource and the mapping relationship, whether access permission authentication is required for a terminal accessing the target resource.

S203, the second access device sends an authentication request message to the authentication server.

The authentication request message is used for requesting whether the authentication terminal has the access right of the target resource.

In this step, since the authentication and authorization information acquired by the second access device has been already disabled, the second access device cannot determine that the terminal has the access right of the target resource according to the authentication and authorization information. Therefore, it is necessary to authenticate the access right of the terminal again through the authentication server. Thus, the second access device sends an authentication request message to the authentication server.

S204, the authentication server determines whether the terminal has the access right of the target resource according to the authentication request message, and sends an authentication request response to the second access device.

In this step, the authentication server determines whether the terminal has access rights to the target resource according to the authentication request message sent by the second access device, as a compensation authentication path when the authentication authorization information is invalid. The specific implementation manner may refer to the above embodiments, and will not be described herein.

The authentication request response is used for indicating whether the terminal has the access right of the target resource. The present application is not limited to the specific content included in the authentication request response on this basis.

Correspondingly, the second access device receives an authentication request response returned by the authentication server.

If the authentication request response indicates that the terminal has the access right to the target resource, step S205 is performed.

S205, the second access equipment establishes a network path for the terminal to access the target resource.

Because the terminal has the access right of the target resource after being authenticated by the authentication server, in the step, the second access equipment establishes a network path for the terminal to access the target resource so that the terminal can access the target resource.

S206, the terminal accesses the target resource through the network path.

In this step, the second access device establishes a network path for the terminal to access the target resource, so that the terminal can access the target resource through the network path.

In this embodiment, the authentication and authorization information includes an validity period of authentication and authorization of the terminal for access rights of the target resource; the second access device determines whether the authentication and authorization information is valid according to the validity period; and if the authentication and authorization information is valid, confirming that the terminal has the access right of the target resource according to the authentication and authorization information. By setting the validity period of authentication authorization, more flexible setting of the access authority of the terminal to the target resource can be realized. When the authentication server updates the access right of the terminal to the target resource, for example, if the access right of the terminal to the target resource is changed from the authorized to the unauthorized, the access right of the terminal to the target resource can be updated in time through the validity period mechanism, and the reliability of the communication method provided by the application is improved.

In addition, when the authentication authorization information is invalid, the second access device can judge whether the terminal has the access right of the target resource or not in an authentication mode of the authentication server, so that the access right of the terminal to the target resource can be accurately authenticated. The application scene of the scheme is expanded in the mode, and the use requirement of a user can be better met.

Optionally, the authentication server may further determine that the terminal supports access to the target resource through the second communication network before sending authentication authorization information of the access right of the terminal to the target resource to the first access device and the second access device of the second communication network.

The authentication server may, for example, store terminal-supported communication networks that can access the target resource. The authentication server firstly determines a communication network supporting the terminal to access the target resource, and if the communication network comprises a second communication network, the authentication server sends authentication authorization information of the terminal for the access authority of the target resource to the first access equipment and the second access equipment of the second communication network.

Before the authentication server sends the authentication authorization information of the access authority of the terminal for the target resource to the second access device, the terminal is firstly determined to support the access of the target resource through the second communication network.

As described above, the process of authenticating the access authority of the terminal to the target resource based on the communication method provided by the present application may be either a sensible authentication or a non-sensible authentication. The access request message and the content included in the authentication request message are different in different authentication modes. When the communication method provided by the application adopts a non-inductive authentication mode, the use experience of the user can be further improved, and when the terminal switches the communication network to access the target resource, the user is non-inductive to the switching process, so that the use experience of the user can be further improved.

The following describes in detail how the communication method provided by the application is realized by means of non-inductive authentication. In one implementation, the message header of the access request message and the authentication request message may also carry the identifier of the terminal. It should be understood that, in addition to the above, the present application is not limited to whether the message header of the access request message includes other contents, and the contents included in the message body of the access request message may be set by those skilled in the art according to requirements.

Fig. 4 is a flow chart of a third communication method provided by the present application, as shown in fig. 4, in this case, the communication method provided by the present application may further include the following steps:

S301, the terminal sends an access request message to the first access device.

As described above, the header of the access request message includes the identification of the terminal, which is automatically added to the header of the access request message by the terminal, instead of being added by the user through the terminal. By the method, the user can authenticate the access right of the terminal to the target resource without inputting authentication information.

Correspondingly, the first access device receives an access request message sent by the terminal.

S302, the first access device sends an authentication request message to an authentication server.

As described above, the authentication request message includes the identification of the terminal. The identifier of the terminal here may be carried in the header of the access request message in step S101, or may be another identifier of the terminal acquired by the access device according to the identifier of the terminal carried in the header of the access request message. For example, if the identifier of the terminal carried in the access request message can be used for authenticating whether the authentication server has access rights to the target resource for the terminal, the identifier of the terminal can be directly written in the authentication request message; if the identifier of the terminal carried in the access request message cannot be used for authenticating whether the authentication server has the access right of the target resource for the terminal, the access device may store a mapping relationship between the identifier of the terminal carried in the access request message and the identifier of the terminal capable of being used for performing access right authentication, for example, and the access device obtains the identifier of the terminal capable of being used for performing access right authentication according to the mapping relationship, and makes the message header of the authentication request message carry the identifier.

Correspondingly, the authentication server receives an authentication request message sent by the access device.

S303, the authentication server determines whether the terminal has the access right of the target resource according to the identification of the terminal.

For example, the authentication server may store in advance an identifier of a terminal that can access the target resource. The authentication server extracts the identification of the terminal from the message header of the authentication request message after acquiring the authentication request message. Subsequently, the authentication server judges whether the prestored identification of the terminal which can access the target resource comprises the identification of the terminal extracted from the message header of the authentication request message, and further judges whether the terminal has the access authority of the target resource.

If it is determined that the terminal has the access right to the target resource, step S304 is performed.

S304, the authentication server sends authentication authorization information of the access authority of the terminal for the target resource to the first access device and the second access device of the second communication network.

Correspondingly, the first access device and the second access device of the second communication network receive authentication and authorization information of the access authority of the terminal to the target resource.

S305, the terminal sends an access request message to the second access device.

When the terminal is to switch from the first communication network to access the target resource by adopting the second communication network, the terminal sends an access request message to the second access device.

S306, the second access device confirms whether the terminal has the access right of the target resource according to the authentication and authorization information and the identification of the terminal.

The authentication and authorization information includes an identifier of the terminal, and the second access device compares whether the identifier of the terminal in the access request message is consistent with the identifier of the terminal in the authentication and authorization information, and if so, confirms that the terminal has the access right of the target resource.

Optionally, the second access device may also first determine whether to authenticate whether the terminal has access rights to the target resource; if the authentication is determined, confirming that the terminal has the access right of the target resource according to the authentication authorization information and the identification of the terminal.

Optionally, the second access device may further detect whether the message header of the access request message carries an identifier of the terminal; if the terminal identification is carried, confirming that the terminal has the access right of the target resource according to the authentication and authorization information and the terminal identification.

For example, if in the actual application process, the access device only forwards the access request message sent by the terminal, that is, forwards the access request message to the authentication server, the access device may directly send the access request message with the identifier of the terminal in the message header as the authentication request message to the authentication server; if in the actual application process, the access device needs to extract the useful information in the access request message, and then sends the authentication request message to the authentication server after generating the corresponding authentication request message according to the useful information, the access device can generate the authentication request message based on the carried identifier of the terminal. That is, the access device may extract, for example, the identifier of the terminal carried in the access request message, and then add the extracted identifier to the message header of the authentication request message, so as to implement creation of the authentication request message with the identifier of the terminal carried in the message header.

Optionally, if an access request message that does not carry the identifier of the terminal in the message header is received, the second access device may send an access request response to the terminal, where the access request response is used to instruct the terminal to resend the access request message that carries the identifier of the terminal in the message header.

For example, after receiving the above access request response, the terminal may directly write the identifier of the terminal in the header of the access request message, and then resend the access request message carrying the identifier of the terminal to the access device.

By the method, the access equipment can check whether the message header of the access request message sent by the terminal carries the identifier of the terminal, and when the message header does not comprise the identifier of the terminal, the terminal can send the access request message carrying the identifier of the terminal to the access equipment again by sending the access request response to the terminal. Therefore, the situation that the access authority authentication for the target resource cannot be smoothly performed due to the fact that the terminal does not carry the identification of the terminal can be avoided, and the feasibility of the communication method provided by the application is improved.

If it is confirmed that the terminal has the access right to the target resource, step S307 is performed.

S307, the second access device establishes a network path for the terminal to access the target resource.

In this step, the second access device establishes a network path for the terminal to access the target resource, so that the terminal can access the target resource through the network path. The specific implementation manner may refer to the above embodiments, and will not be described herein.

S308, the terminal accesses the target resource through a network path.

In this step, since the second access device establishes a network path for the terminal to access the target resource, the terminal can access the target resource through the network path.

In this embodiment, the access request message sent by the terminal and the message header of the authentication request message sent by the authentication server all include the identifier of the terminal. By the method that the identifier of the terminal is directly added in the message header of the request message in the process of authenticating the access authority of the terminal aiming at the target resource, the terminal does not need to acquire the authentication information input by the user any more to realize the authentication of the access authority of the terminal. In this way, on the one hand, since the identification of the terminal for performing access rights authentication is located in the header of the request message, the body of the request message is not affected. Moreover, since the acquisition of the identification of the terminal for performing access authority authentication can be realized only by extracting the message header without extracting the message body, the acquisition is not affected by measures for protecting the request message such as message body encryption and the like, and the security of the request message is not affected. On the other hand, the message header of the request message directly carries the identifier of the terminal for performing access authority authentication, so that the authentication server does not need to acquire the authentication information input by the user by the terminal, thereby realizing the authentication of the access authority of the terminal. By the method, access authority authentication operation can be simplified, authentication efficiency and user experience are improved, and non-inductive authentication in the process of accessing the target resource is truly realized. In addition, the second access equipment can realize authentication on whether the terminal has the access right of the target resource or not directly according to the authentication authorization information, so that when the terminal is switched from the first communication network to the second communication network to access the target resource, the noninductive switching can be realized, the service delay caused by network switching is further avoided, and the user experience is improved.

Fig. 5 is a schematic structural diagram of a first communication device according to the present application, as shown in fig. 5, the device includes: a receiving module 11, a determining module 12, and a transmitting module 13.

A receiving module 11, configured to receive an authentication request message sent by a first access device of a first communication network, where the authentication request message is used to request whether the authentication terminal has access rights of a target resource.

A determining module 12, configured to determine whether the terminal has access rights of the target resource.

And the sending module 13 is configured to send authentication and authorization information of the access right of the terminal to the target resource to the first access device when determining that the terminal has the access right of the target resource, and to enable the second access device to confirm whether the terminal has the access right of the target resource based on the authentication and authorization information when the terminal requests to access the target resource through the second communication network.

The determining module 12 is further configured to determine that the terminal supports access to the target resource through the second communication network before the sending module 13 sends authentication authorization information of the access right of the terminal to the target resource to the first access device and the second access device of the second communication network.

The communication device provided by the embodiment of the application can execute the communication method executed by the authentication server in the embodiment of the method, and the implementation principle and the technical effect are similar, and are not repeated here. The division of the modules shown in fig. 5 is merely an illustration, and the present application is not limited to the division of the modules and the naming of the modules.

Fig. 6 is a schematic structural diagram of a second communication apparatus provided in the present application, where the apparatus is applied to a second access device of a second communication network, as shown in fig. 6, and the apparatus includes: a first receiving module 21, a second receiving module 22, a confirming module 23, and a establishing module 24. Optionally, the apparatus may further comprise a sending module 25.

A first receiving module 21, configured to receive authentication authorization information of access rights of a terminal to a target resource, where the authentication authorization information is sent by an authentication server; the authentication authorization information is sent by the authentication server when the authentication request message sent by the first access equipment of the first communication network is used for requesting whether the authentication terminal has the access right of the target resource or not, and the authentication request message is determined that the terminal has the access right of the target resource;

a second receiving module 22, configured to receive an access request message sent by the terminal, where the access request message is used to request access to a target resource;

A confirmation module 23 for confirming whether the terminal has the access right of the target resource according to the authentication authorization information;

and the establishing module 24 is configured to establish a network path for accessing the target resource for the terminal if the terminal is confirmed to have the access right of the target resource.

Optionally, the authentication authorization information includes: the validity period of the authentication authorization of the terminal aiming at the access authority of the target resource; a confirmation module 23, specifically configured to determine whether the authentication authorization information is valid according to the validity period; and if the authentication and authorization information is valid, confirming that the terminal has the access right of the target resource according to the authentication and authorization information.

Optionally, the sending module 25 is configured to send an authentication request message to an authentication server if the authentication authorization information has been invalidated, where the authentication request message is used to request authentication whether the terminal has access rights of the target resource; receiving an authentication request response returned by the authentication server, wherein the authentication request response is used for indicating whether the terminal has the access right of the target resource; and if the authentication request response is used for indicating that the terminal has the access right of the target resource, establishing a network access for the terminal to access the target resource.

Optionally, the confirmation module 23 is specifically configured to determine whether to authenticate whether the terminal has the access right of the target resource; and if the authentication is determined, confirming that the terminal has the access right of the target resource according to the authentication authorization information.

The communication device provided in the embodiment of the present application may execute the communication method executed by the second access device in the above method embodiment, and its implementation principle and technical effects are similar, and are not described herein again. The division of the modules shown in fig. 6 is merely an illustration, and the present application is not limited to the division of the modules and the naming of the modules.

It will be appreciated that the device embodiments described above are merely illustrative and that the device of the application may be implemented in other ways. For example, the division of the units/modules in the above embodiments is merely a logic function division, and there may be another division manner in actual implementation. For example, multiple units, modules, or components may be combined, or may be integrated into another system, or some features may be omitted or not performed.

In addition, each functional unit/module in each embodiment of the present application may be integrated into one unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated together, unless otherwise specified. The integrated units/modules described above may be implemented either in hardware or in software program modules.

The integrated units/modules, if implemented in hardware, may be digital circuits, analog circuits, etc. Physical implementations of hardware structures include, but are not limited to, transistors, memristors, and the like. The processor may be any suitable hardware processor, such as CPU, GPU, FPGA, DSP and ASIC, etc., unless otherwise specified. Unless otherwise indicated, the storage elements may be any suitable magnetic or magneto-optical storage medium, such as resistive Random Access Memory RRAM (Resistive Random Access Memory), dynamic Random Access Memory DRAM (Dynamic Random Access Memory), static Random Access Memory SRAM (Static Random-Access Memory), enhanced dynamic Random Access Memory EDRAM (Enhanced Dynamic Random Access Memory), high-Bandwidth Memory HBM (High-Bandwidth Memory), hybrid Memory cube HMC (Hybrid Memory Cube), etc.

The integrated units/modules may be stored in a computer readable memory if implemented in the form of software program modules and sold or used as a stand-alone product. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in whole or in part in the form of a software product stored in a memory, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. And the aforementioned memory includes: a usb disk, a read-only memory, a random access memory, a removable hard disk, a magnetic disk, or an optical disk, or the like.

Fig. 7 is a schematic structural diagram of a first electronic device 110 according to the present application. As shown in fig. 7, the electronic device 110 may include: at least one processor 111, a memory 112, a transceiver 113.

A memory 112 for storing a program. In particular, the program may include program code including computer-operating instructions.

Memory 112 may comprise high-speed RAM memory or may further comprise non-volatile memory (non-volatile memory), such as at least one disk memory.

The processor 111 is configured to execute computer-executable instructions stored in the memory 112 to implement the communication method performed by the terminal, or the first access device or the second access device, described in the foregoing method embodiments. The processor 111 may be a central processing unit (Central Processing Unit, abbreviated as CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or one or more integrated circuits configured to implement embodiments of the present application.

The electronic device 110 may be communicatively interactive with external devices via the transceiver 113. In a specific implementation, if the transceiver 113, the memory 112, and the processor 111 are implemented independently, the transceiver 113, the memory 112, and the processor 111 may be connected to each other and perform communication with each other through buses. The bus may be an industry standard architecture (Industry Standard Architecture, abbreviated ISA) bus, an external device interconnect (Peripheral Component, abbreviated PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, abbreviated EISA) bus, among others. Buses may be divided into address buses, data buses, control buses, etc., but do not represent only one bus or one type of bus.

Alternatively, in a specific implementation, the communication interface 113, the memory 112, and the processor 111 may complete communication through internal interfaces.

Fig. 8 is a schematic structural diagram of a second electronic device 220 according to the present application. As shown in fig. 8, the electronic device 220 may include: at least one processor 221, a memory 222, a communication interface 223.

A memory 222 for storing a program. In particular, the program may include program code including computer-operating instructions.

The memory 222 may comprise high-speed RAM memory or may further comprise non-volatile memory (non-volatile memory), such as at least one disk memory.

The processor 221 is configured to execute computer-executable instructions stored in the memory 222 to implement the communication method performed by the terminal, or the access device, or the authentication server, described in the foregoing method embodiments. The processor 221 may be a central processing unit (Central Processing Unit, abbreviated as CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or one or more integrated circuits configured to implement embodiments of the present application.

The electronic device 220 may be communicatively interactive with external devices via a communication interface 223. In a specific implementation, if the communication interface 223, the memory 222, and the processor 221 are implemented independently, the communication interface 223, the memory 222, and the processor 221 may be connected to each other by a bus and perform communication with each other.

Alternatively, in a specific implementation, if the communication interface 223, the memory 222, and the processor 221 are integrated on a chip, the communication interface 223, the memory 222, and the processor 221 may complete communication through internal interfaces.

The present application also provides a computer-readable storage medium, which may include: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes, and specifically, the computer-readable storage medium stores therein program instructions for the communication method in the above-described embodiments.

The present application also provides a program product comprising execution instructions stored in a readable storage medium. The at least one processor of the banking system may read the execution instructions from the readable storage medium, the execution instructions being executed by the at least one processor to cause the banking system to implement the communication methods provided by the various embodiments described above.

It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are alternative embodiments, and that the acts and modules referred to are not necessarily required for the present application.

It should be further noted that, although the steps in the flowchart are sequentially shown as indicated by arrows, the steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least a portion of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order in which the sub-steps or stages are performed is not necessarily sequential, and may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps or other steps.

In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments. The technical features of the foregoing embodiments may be arbitrarily combined, and for brevity, all of the possible combinations of the technical features of the foregoing embodiments are not described, however, all of the combinations of the technical features should be considered as being within the scope of the disclosure.

Other embodiments of the application will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.

It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims

1. A method of communication, the method comprising:

determining whether the terminal has the access right of the target resource;

2. The method of claim 1, wherein the authentication authorization information comprises: and the validity period of the authentication authorization of the terminal aiming at the access authority of the target resource.

3. The method according to claim 1 or 2, wherein before the sending of the authentication grant information of the access right of the terminal to the target resource to the first access device and to a second access device of a second communication network, the method further comprises:

4. A method of communication, the method being applied to a second access device of a second communication network, the method comprising:

Confirming whether the terminal has the access right of the target resource or not according to the authentication authorization information;

if the terminal is confirmed to have the access right of the target resource, a network access for accessing the target resource is established for the terminal.

5. The method of claim 4, wherein the authentication authorization information comprises: the validity period of the authentication authorization of the terminal aiming at the access authority of the target resource; the step of confirming whether the terminal has the access right of the target resource according to the authentication authorization information comprises the following steps:

6. The method of claim 5, wherein the method further comprises:

7. The method according to any one of claims 4-6, wherein said confirming that the terminal has access rights to the target resource according to the authentication authorization information comprises:

8. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor, a transceiver;

the memory stores computer-executable instructions;

the transceiver is used for receiving and transmitting messages;

the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 4 to 7.

9. An electronic device, comprising: a processor, and a memory and a communication interface which are in communication connection with the processor;

the memory stores computer-executable instructions;

The processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 7.

10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 7.