CN117319096B - Access right management method, access right management device, and readable storage medium - Google Patents


Info

Publication number: CN117319096B
Application number: CN202311631437.0A
Authority: CN (China)
Prior art keywords: access, character string, authority, user data, application program
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117319096A (en)
Inventors: 冯伟, 宁友元
Current assignee: Shenzhen Fengrunda Technology Co ltd
Original assignee: Shenzhen Fengrunda Technology Co ltd
Events: application filed by Shenzhen Fengrunda Technology Co ltd; priority to CN202311631437.0A; publication of CN117319096A; application granted; publication of CN117319096B; legal status active.

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/10 > H04L63/105: controlling access to devices or network resources; multiple levels of security
    • H04L63/08: authentication of entities
    • H04L63/10 > H04L63/108: controlling access to devices or network resources when the policy decisions are valid for a limited amount of time

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of electronic digital data processing, and in particular to an access right management method, an access right management device, and a readable storage medium. The method is applied on the server side: when user login information sent by a client is received, the corresponding local user data is retrieved according to the login information; an access string corresponding to the local user data is generated and sent to the client; when the client later sends the access string back, the local user data corresponding to it is retrieved; a message header carrying a permission identifier is generated from the local user data and sent to the switch application; and the switch application is accessed only when it returns access-permitted information for that message header. This achieves fine-grained authority control and user authority management for the users of the switch.

Description

Access right management method, access right management device, and readable storage medium
Technical Field
The present invention relates to the field of electronic digital data processing technologies, and in particular, to an access right management method, an access right management device, and a readable storage medium.
Background
In the existing method in which a client accesses the switch application through a token, only basic identity verification and access-function control are considered; division of authority between different user roles is not. Most switches therefore support only basic user addition and access through a token, and cannot meet the requirements for fine-grained control and management of user rights.
The conventional method of accessing the switch application therefore has the defect that fine-grained authority control and user authority management cannot be performed for the users of the switch.
The foregoing is provided merely to facilitate understanding of the technical solution of the present invention and is not an admission that the foregoing is prior art.
Disclosure of Invention
The main object of the present invention is to provide an access right management method that solves the problem that the multiple users of a switch cannot be managed.
To achieve this object, the present invention provides an access right management method applied on the server side, comprising the following steps:
when user login information sent by a client is received, retrieving the corresponding local user data according to the user login information;
generating an access string corresponding to the local user data and sending it to the client;
after the access string sent by the client is received, retrieving the local user data corresponding to the access string;
generating a message header carrying a permission identifier according to the local user data and transmitting it to the switch application; and
accessing the switch application when access-permitted information returned by the switch application on the basis of the message header is received.
Optionally, the step of generating a message header carrying a permission identifier according to the local user data and transmitting it to the switch application comprises:
when the authority level of the local user data is the basic authority, generating and transmitting a message header carrying a level-1 permission identifier;
when the authority level of the local user data is the monitoring authority, generating and transmitting a message header carrying a level-2 permission identifier; and
when the authority level of the local user data is the management authority, generating and transmitting a message header carrying a level-3 permission identifier.
Optionally, the step of retrieving the local user data corresponding to the access string after the access string sent by the client is received comprises:
performing expiry verification on the access string on the basis of the deadline field in the access string;
when the access string is judged to have expired, sending an access-string-expired prompt to the client; and
when the access string is judged to be valid, retrieving the local user data according to the access string.
Optionally, the step of performing expiry verification on the access string on the basis of the deadline field in the access string comprises:
reading the deadline field in the access string and the access time in the session record corresponding to the access string;
determining the effective duration of the access string from the deadline field, and determining the offline duration of the client as the difference between the current time and the access time;
when the offline duration is greater than or equal to the effective duration, judging that the access string has expired; and
when the offline duration is less than the effective duration, judging that the access string is valid.
Optionally, after the step of accessing the switch application when access-permitted information returned by the switch application on the basis of the message header is received, the method further comprises:
refreshing the access time in the session record of the access string.
Optionally, before the step of refreshing the access time in the session record of the access string, the method further comprises:
determining whether the access string carries a scheduled-task (timing task) identifier; and
when the access string carries the scheduled-task identifier, not executing the step of refreshing the access time in the session record of the access string.
Optionally, the step of retrieving the corresponding local user data according to the user login information when user login information sent by the client is received comprises:
after the user login information is received, encrypting and encapsulating the user login information on the basis of a random encryption string to generate ciphertext information, and sending the ciphertext information to a user management process;
the user management process obtaining the corresponding decryption algorithm from an encryption library on the basis of the encryption identifier of the ciphertext information;
decrypting the ciphertext information with the decryption algorithm to obtain the local user data; and
generating an online user from the local user data and adding the online user to a user management table.
In addition, the present invention also provides an access right management method applied to the switch application, comprising the following steps:
when a message header sent by the server side is received, reading the permission identifier carried by the message header and determining the authority level corresponding to that permission identifier;
verifying whether that authority level is greater than or equal to the local authority level;
if so, generating and sending access-permitted information to the server side; and
if not, generating and sending access-refused information to the server side.
In addition, to achieve the above object, the present invention also provides an access right management apparatus comprising a memory, a processor, and an access right management program stored in the memory and executable on the processor, the program implementing the steps of the access right management method described above when executed by the processor.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon an access right management program which, when executed by a processor, implements the steps of the access right management method described above.
The embodiment of the present invention provides an access right management method in which the corresponding local user data is retrieved according to the user login information, so that the identity verification of the logged-in user is accurate. An access string corresponding to the local user data is generated and sent to the client; because the access string stands in for the user information, the client can request access to the switch application from the server side directly with the access string, and because the user name and password are not sent on every access, the security of the local user data is improved. After the access string sent by the client is received, the corresponding local user data is retrieved and a message header carrying a permission identifier is generated and sent to the switch application, so that the switch application can verify whether the user has the right to use the requested function, which realizes fine-grained authority control. When access-permitted information returned by the switch application on the basis of the message header is received, the switch application is accessed, so that only users of sufficient authority level can use the switch application and user access is managed and controlled. Access authority is therefore verified and controlled through the user login information, the local user data, the access string and the message header, and fine-grained authority control and user authority management for the users of the switch are achieved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic architecture diagram of a hardware operating environment of an access rights management apparatus according to an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the access rights management method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the access rights management method of the present invention;
FIG. 4 is a flowchart of a third embodiment of the access rights management method of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The application relates to an access right management method applied on the server side: when user login information sent by a client is received, the corresponding local user data is retrieved according to the login information; an access string corresponding to the local user data is generated and sent to the client; after the access string sent by the client is received, the local user data corresponding to it is retrieved; a message header carrying a permission identifier is generated from the local user data and transmitted to the switch application; and the switch application is accessed when access-permitted information returned by the switch application on the basis of the message header is received. The manageability of switch users and the security of the local user data are thereby improved.
In order to better understand the above technical solution, exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As an implementation, FIG. 1 is a schematic architecture diagram of the hardware operating environment of an access rights management device according to an embodiment of the present invention.
As shown in FIG. 1, the access right management device may comprise a processor 101, such as a central processing unit (CPU), a memory 102, and a communication bus 103. The memory 102 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk. The memory 102 may alternatively be a storage device separate from the processor 101. The communication bus 103 provides communication between the connected components.
Those skilled in the art will appreciate that the structure shown in FIG. 1 does not limit the access rights management device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 102, which is one type of computer-readable storage medium, may contain an operating system, a data storage module, a network communication module, a user interface module, and an access right management program.
In the access right management device shown in FIG. 1, the processor 101 and the memory 102 may be provided in the device; the device calls the access right management program stored in the memory 102 through the processor 101 and performs the following operations:
when user login information sent by a client is received, retrieving the corresponding local user data according to the user login information;
generating an access string corresponding to the local user data and sending it to the client;
after the access string sent by the client is received, retrieving the local user data corresponding to the access string;
generating a message header carrying a permission identifier according to the local user data and transmitting it to the switch application; and
accessing the switch application when access-permitted information returned by the switch application on the basis of the message header is received.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
when the authority level of the local user data is the basic authority, generating and transmitting a message header carrying a level-1 permission identifier;
when the authority level of the local user data is the monitoring authority, generating and transmitting a message header carrying a level-2 permission identifier; and
when the authority level of the local user data is the management authority, generating and transmitting a message header carrying a level-3 permission identifier.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
performing expiry verification on the access string on the basis of the deadline field in the access string;
when the access string is judged to have expired, sending an access-string-expired prompt to the client; and
when the access string is judged to be valid, retrieving the local user data according to the access string.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
reading the deadline field in the access string and the access time in the session record corresponding to the access string;
determining the effective duration of the access string from the deadline field, and determining the offline duration of the client as the difference between the current time and the access time;
when the offline duration is greater than or equal to the effective duration, judging that the access string has expired; and
when the offline duration is less than the effective duration, judging that the access string is valid.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operation:
refreshing the access time in the session record of the access string.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
determining whether the access string carries a scheduled-task (timing task) identifier; and
when the access string carries the scheduled-task identifier, not executing the step of refreshing the access time in the session record of the access string.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
after the user login information is received, encrypting and encapsulating the user login information on the basis of a random encryption string to generate ciphertext information, and sending the ciphertext information to a user management process;
the user management process obtaining the corresponding decryption algorithm from an encryption library on the basis of the encryption identifier of the ciphertext information;
decrypting the ciphertext information with the decryption algorithm to obtain the local user data; and
generating an online user from the local user data and adding the online user to a user management table.
In one embodiment, the processor 101 may be configured to call the access right management program stored in the memory 102 and perform the following operations:
when a message header sent by the server side is received, reading the permission identifier carried by the message header and determining the authority level corresponding to that permission identifier;
verifying whether that authority level is greater than or equal to the local authority level;
if so, generating and sending access-permitted information to the server side; and
if not, generating and sending access-refused information to the server side.
Based on the hardware architecture of the access right management device, the embodiment of the access right management method is provided.
It should be noted that in the embodiment of the present application one end of the switch is connected to the client through a network and the other end is connected to the server side through a network.
Referring to FIG. 2, in a first embodiment the access right management method is applied on the server side and comprises the following steps:
Step S100: when receiving user login information sent by a client, calling corresponding local user data according to the user login information.
In this embodiment, when the server side receives the user login information sent by the client, it retrieves the corresponding local user data from the user management table according to the login information. The client may be a computer, printer, IP camera, network storage device or the like. The user login information comprises a user name and a user password. The local user data includes, but is not limited to, user identity information, user rights information and user access data. The user management table holds the local user data of all online users, where online users are registered users. Optionally, after the user login information is received, it is first determined whether the login information matches the user data in the Linux database; when it matches, the detailed local user data is retrieved from the background management terminal.
Alternatively, after the client connects to the switch, which is already connected to the server side, the server side may request login information from the client through the switch. After the user login information is received, the server side encrypts and encapsulates it on the basis of a random encryption string to generate ciphertext information and sends the ciphertext to a user management process. The user management process is a program running on the server side that handles user login requests, verifies user identities, and manages local user data and authorities. The random encryption string is obtained from a local database; it is generated by encrypting the user password with an encryption identifier formed by combining the user name and the password.
After receiving the ciphertext information, the user management process obtains the corresponding decryption algorithm from an encryption library on the basis of the encryption identifier of the ciphertext, decrypts the ciphertext with that algorithm to obtain the local user data, generates an online user from the local user data and adds it to the user management table. After the decryption step, the local user data may additionally be verified to ensure that it is correct. The encryption libraries are distributed to the user management process during system initialization.
In the user management process, therefore, only an administrator can see all local user data, and the user password and the encryption string are not part of the local user data, which protects the data exposed externally. Because different encryption libraries are allocated to different switch applications during system initialization, only a switch application whose encryption library contains the corresponding decryption algorithm can decrypt the received ciphertext. Transmitting the local user data to the user management process in encrypted form thus prevents it from being observed in transit and improves the security of the transmission.
Step S200: and generating and sending an access character string corresponding to the local user data to the client according to the local user data.
In this embodiment, after the server side has retrieved the local user data corresponding to the user login information, it generates an access string corresponding to that local user data and sends it to the client through the switch. The client is the one that sent the user login information. The access string is what the client uses to access the data of the switch.
Because the client holds the access string, it can subsequently access the switch application on the server side with the access string to manage the switch. Accessing the switch application on the server side with the access string spares the user the repeated entry of a user name and password and improves the convenience of access.
Step S300: and after receiving the access character string sent by the client, calling the local user data corresponding to the access character string.
In this embodiment, when the client wants to access the switch application through the server side, it sends the access string it received from the server side back to the server side to request access. After the server side receives the access string, it looks up and retrieves the local user data corresponding to it.
Optionally, the server side performs expiry verification on the access string after receiving it. The access string contains a deadline field used for this purpose. Specifically, the deadline field in the access string and the last access time in the session record corresponding to the access string are read. The effective duration of the access string is determined from the deadline field, and the offline duration of the client is determined as the difference between the current time and the last access time. When the offline duration is greater than or equal to the effective duration, the access string is judged to have expired; when the offline duration is less than the effective duration, it is judged valid. The offline duration is computed by the server side.
After the expiry verification, an access-string-expired prompt is sent to the client if the access string is judged to have expired; if it is judged valid, the step of retrieving the local user data according to the access string is performed.
Optionally, after the access string is judged to have expired, the session record corresponding to it is deleted, so that no local user data can be retrieved if that access string is received again. If the user then needs the switch application on the server side, the user login information must be entered again at the client to obtain a new access string, and the switch application is accessed with the new access string.
Expiry verification ensures that an access string is usable only within a certain time, prevents an attacker from tampering with or reusing an expired access string, prevents unauthorized access and protects user data.
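The steps just described (Step S200, Step S300 with its expiry verification, the deletion of an expired session record, and the optional refresh of the access time with the scheduled-task exception) as one added example in Python. This is not the patent's own code: the format of the access string, the key SERVER_KEY, the HMAC tag over the string, the in-memory SESSIONS table and the function names are assumptions of this example. The tag is added because the deadline field lives in the string the client holds; without an integrity check the client could lengthen its own effective duration, and the comparison "offline duration >= effective duration" would then run on a value the client chose. The patent also does not say how the string is generated; here the random part is 128 bits from a CSPRNG.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed server-side secret (example only). The patent does not say how the
# access string is protected; the tag below is this example's addition so the
# deadline field the client holds cannot be altered without detection.
SERVER_KEY = b"example-only-key-change-me"

# In-memory stand-in for the server's session table:
# access string -> {"user": local user data, "access_time": last access (s)}
SESSIONS = {}

TIMED_TASK_FLAG = "t"   # scheduled-task (timing task) identifier in the string
NORMAL_FLAG = "n"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the client-held fields, truncated to 128 bits."""
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return _b64(mac[:16])


def issue_access_string(local_user_data: dict, valid_seconds: int,
                        now: float, timed_task: bool = False) -> str:
    """Step S200: generate the access string for an authenticated user.

    Format: <random id>.<deadline field>.<flag>.<tag>. The deadline field is
    the effective duration in seconds; the random id is 128 bits from a CSPRNG.
    """
    rand = _b64(secrets.token_bytes(16))
    flag = TIMED_TASK_FLAG if timed_task else NORMAL_FLAG
    payload = f"{rand}.{valid_seconds}.{flag}"
    access_string = f"{payload}.{_tag(payload)}"
    SESSIONS[access_string] = {"user": local_user_data, "access_time": now}
    return access_string


def verify_access_string(access_string: str, now: float):
    """Step S300 with expiry verification.

    Returns (local_user_data, None) when the string is valid, otherwise
    (None, reason). An expired string has its session record deleted, so a
    later replay of it yields "no session" rather than "expired".
    """
    parts = access_string.split(".")
    if len(parts) != 4:
        return None, "malformed"
    rand, deadline_field, flag, tag = parts
    payload = f"{rand}.{deadline_field}.{flag}"
    if not hmac.compare_digest(_tag(payload), tag):
        return None, "bad tag"          # deadline field or flag tampered with
    record = SESSIONS.get(access_string)
    if record is None:
        return None, "no session"
    valid_seconds = int(deadline_field)             # effective duration
    offline_seconds = now - record["access_time"]   # offline duration
    if offline_seconds >= valid_seconds:
        del SESSIONS[access_string]                 # optional deletion step
        return None, "expired"
    return record["user"], None


def refresh_access_time(access_string: str, now: float) -> bool:
    """Optional step after a permitted access: refresh the access time, except
    when the string carries the scheduled-task identifier, so that a polling
    job cannot keep a session alive indefinitely. Returns True if refreshed."""
    record = SESSIONS.get(access_string)
    if record is None or access_string.split(".")[2] == TIMED_TASK_FLAG:
        return False
    record["access_time"] = now
    return True
```

The deadline is a duration measured from the last access, not a fixed instant, which is what the text's "offline duration" comparison describes; a string refreshed at each use therefore expires only after the client has been idle for the effective duration, and a scheduled-task string expires that long after it was issued.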
Step S400: and generating and sending a message header carrying the permission identification to a switch application program according to the local user data.
In this embodiment, after the server side has retrieved the local user data corresponding to the access string, it generates a message header carrying a permission identifier according to the local user data and sends the message header to the switch application. Optionally, when the authority level of the local user data is the basic authority, a message header carrying a level-1 permission identifier is generated and transmitted; when it is the monitoring authority, a level-2 permission identifier; when it is the management authority, a level-3 permission identifier; and when it is the standard authority, a level-4 permission identifier.
Optionally, a user with basic authority can access the switch application on the server side; a user with monitoring authority can also use the monitoring function to monitor the switch; a user with standard authority can access the switch application, use the monitoring function, and use most of the switch application to configure the switch; and a user with management authority has, in addition to all of the above, the authority to administer the switch as a whole.
Fine-grained authority control means controlling the specific functions, operations or data of the switch application when allocating user authority, so that the specific requirements of different users are met and authority is managed more finely. That is, a user with management authority can refine authority to a smaller granularity as needed and manage authority flexibly. This mode of control improves the security of the server side and prevents unauthorized users from reading sensitive data or performing operations they should not perform.
Because a user with management authority can set the authority of other users, user authority can be adjusted to the needs of the product and the user-management scheme, which realizes authority management for the users of the switch, so that the switch application can be used only by users of the required authority level.
Step S500: accessing the switch application program when receiving the access permission information returned by the switch application program based on the message header.
In this embodiment, after the server side sends the message header carrying the permission identifier to the switch application program, it waits for the information returned by the switch application program; if the returned information is the access permission information, the switch application program is accessed. The server side then sends the data acquired during the access to the client so that the client can operate the switch application program.
Illustratively, assume that the user login information received by the server side is the user name aaa and the user password bbb. The server side queries the corresponding local user data in the user management table according to the received user login information, then generates an access character string XY1Z23 from the local user data and transmits it to the client through the switch.
After the server side receives the access character string XY1Z23 sent by the client, it performs out-of-date verification on the access character string. Assuming that the access character string is valid, the server side finds that the user authority level in the local user data corresponding to the access character string XY1Z23 is the standard authority, and therefore generates and sends a message header carrying a four-level authority identifier to the switch application program.
If the server side receives the access permission information returned by the switch application program, it accesses the switch application program according to the access permission information.
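The server-side flow just walked through (steps S100 to S500, with the out-of-date verification as claim 1 spells it out: a deadline field in the access character string, an access time in the session record, and invalidation once the offline duration reaches the effective duration), as an added example that is not code from the patent. The class and field names, the `token:seconds` layout of the access string and the header key `Permission-Identifier` are assumptions; the patent fixes no wire format, and the user table is a constructed sample holding the aaa/bbb credentials from the text.

```python
"""Added example (not code from the patent): a minimal model of the server-side
flow of steps S100 to S500 for the user aaa/bbb in the text. The class and
field names, the 'token:seconds' access-string layout and the header key
'Permission-Identifier' are assumptions; the patent fixes no wire format."""
import secrets
import string
import time
from dataclasses import dataclass

# Authority level -> permission identifier placed in the message header,
# exactly as step S400 lists them.
PERMISSION_IDENTIFIER = {
    "basic": "primary",
    "monitoring": "secondary",
    "management": "three-level",
    "standard": "four-level",
}


@dataclass
class LocalUserData:
    username: str
    password: str          # constructed sample; a real store would hold a hash
    authority_level: str   # one of the keys of PERMISSION_IDENTIFIER


@dataclass
class SessionRecord:
    username: str
    access_string: str
    access_time: float     # time of the last access (refreshed in step S600)
    authority_level: str
    online: bool = True


# Constructed user management table holding the example credentials.
USER_TABLE = {"aaa": LocalUserData("aaa", "bbb", "standard")}


class Server:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.sessions = {}    # access string -> SessionRecord

    def login(self, username, password, valid_duration=3600, token=None):
        """S100/S200: invoke the local user data and issue the access string.
        The deadline field (effective duration in seconds) is appended to the
        random token, so the string itself says how long it stays valid."""
        user = USER_TABLE.get(username)
        if user is None or not secrets.compare_digest(user.password, password):
            return None
        if token is None:
            alphabet = string.ascii_uppercase + string.digits
            token = "".join(secrets.choice(alphabet) for _ in range(6))
        access_string = f"{token}:{valid_duration}"
        self.sessions[access_string] = SessionRecord(
            username, access_string, self.now(), user.authority_level)
        return access_string

    def verify_access_string(self, access_string):
        """S300 as in claim 1: read the deadline field from the string and the
        access time from the session record; the string is invalid once the
        offline duration (now - access time) reaches the effective duration."""
        record = self.sessions.get(access_string)
        if record is None:
            return False
        _, _, deadline_field = access_string.partition(":")
        if not deadline_field.isdigit():
            return False
        offline_duration = self.now() - record.access_time
        return offline_duration < int(deadline_field)

    def build_message_header(self, access_string):
        """S400: look up the local user data behind a valid string and emit
        the header carrying the permission identifier (None when invalid)."""
        if not self.verify_access_string(access_string):
            return None
        level = self.sessions[access_string].authority_level
        return {"Permission-Identifier": PERMISSION_IDENTIFIER[level]}

    def access_switch_application(self, access_string, switch_app):
        """S500: send the header to the switch application program (modelled
        as a callable returning 'permit' or 'deny') and report the outcome."""
        header = self.build_message_header(access_string)
        if header is None:
            return False
        return switch_app(header) == "permit"


if __name__ == "__main__":
    srv = Server()
    s = srv.login("aaa", "bbb", token="XY1Z23")
    print(s, srv.build_message_header(s))
    # the switch application program is stubbed here; it permits any valid header
    print(srv.access_switch_application(s, lambda header: "permit"))
```

The point worth noticing is that after login the client never sends the user name or password again: every later request carries only the access string, and the server side re-derives the authority level from its own session record rather than from anything the client supplies, so a client cannot upgrade its own permission identifier.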
In the technical scheme provided by this embodiment, the corresponding local user data is invoked according to the user login information so as to ensure that the identity verification of the logging-in user is accurate. By generating an access character string corresponding to the local user data and transmitting it to the client, the access character string carries the user information, so that access to the switch application program can be requested from the server side directly with the access character string; because the user name and the user password do not need to be sent for each access, the security of the local user data is ensured. After the access character string sent by the client is received, the local user data corresponding to the access character string is invoked, and a message header carrying the permission identifier is generated and sent to the switch application program, so that the switch application program can verify whether the user has the permission to use its functions, thereby realizing fine-grained permission control. When the access permission information returned by the switch application program based on the message header is received, the switch application program is accessed, so that only users with the required authority level can use the switch application program, and user access is thereby managed and controlled. Therefore, verification and control of access authority are performed through the user login information, the local user data, the access character string and the message header, and fine-grained authority control and user authority management for the users of the switch are achieved.
Referring to fig. 3, based on the above embodiment, in a second embodiment, after the step of accessing the switch application program when receiving the access permission information returned by the switch application program based on the message header, the method further includes:
Step S600: refreshing the access time in the session record of the access character string.
In this embodiment, when the server side accesses the switch application program, it refreshes the access time in the session record corresponding to the access character string, so as to extend the effective duration of the access character string. The session record may include, among other things, the user name, the access character string, the access time, the effective duration, the user IP, the user authority level, the online status, and so on. It should be noted that only a switch application program having the relevant encryption library can access the session record, so that external applications have no access to it; the session record only allows local access and is not issued externally, thereby ensuring the security of the local user data.
In the technical scheme provided by this embodiment, the effective duration of the access character string is prolonged by refreshing the access time, so that the access character string does not fail after the client is briefly offline.
Further, before the step of refreshing the access time in the session record of the access string, the method further includes:
determining whether the access character string carries a timing task identifier;
when the access character string carries the timing task identifier, the step of refreshing the access time in the session record of the access character string is not executed.
In this embodiment, timing-task data and user-initiated access data are separated so that user accesses can be distinguished from timer accesses. Therefore, before refreshing the access time in the session record, it is determined whether the access character string carries the timing task identifier; if so, the step of refreshing the access time in the session record of the access character string is not executed.
In the technical scheme adopted by this embodiment, whether an access operation is a user access or a timer access is determined by checking whether the access character string carries the timing task identifier, so that the offline time of the user is calculated accurately.
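The refresh rule of step S600 together with the timing-task pre-check of this second embodiment, as an added example that is not code from the patent. The `;timer` marker appended to the access string and the field names are assumptions; the patent names only a "timing task identifier" without saying how it is encoded. The scenario is constructed: a user acts at t=300, a scheduled task polls at t=500, and the string has an effective duration of 600 seconds.

```python
"""Added example (not code from the patent): the refresh logic of step S600
with the timing-task pre-check of the second embodiment. The ';timer' marker
and the field names are assumptions; the patent names only a 'timing task
identifier' without fixing how it is encoded."""
from dataclasses import dataclass

TIMING_TASK_FLAG = "timer"   # assumed marker for an access issued by a scheduled task


@dataclass
class SessionRecord:
    access_string: str
    access_time: float     # time of the last user access, in seconds
    valid_duration: int    # effective duration, in seconds


def carries_timing_task_identifier(access_string):
    """Assumed encoding: the token is followed by ';'-separated flags, and the
    flag 'timer' marks an access issued by a scheduled task, not by the user."""
    return TIMING_TASK_FLAG in access_string.split(";")[1:]


def refresh_on_access(record, access_string, now):
    """Step S600 with its pre-check: a user access refreshes the access time
    (extending the life of the access string); a timer access leaves the
    record untouched so idle time is still measured from the user's last
    real action. Returns True when the record was refreshed."""
    if carries_timing_task_identifier(access_string):
        return False
    record.access_time = now
    return True


def offline_duration(record, now):
    """Difference between the current time and the recorded access time."""
    return now - record.access_time


def is_valid(record, now):
    """Out-of-date check: valid while the offline duration is below the
    effective duration."""
    return offline_duration(record, now) < record.valid_duration


if __name__ == "__main__":
    rec = SessionRecord("XY1Z23", access_time=0.0, valid_duration=600)
    refresh_on_access(rec, "XY1Z23", now=300.0)          # user access: refreshed
    refresh_on_access(rec, "XY1Z23;timer", now=500.0)    # timer poll: ignored
    print(offline_duration(rec, 900.0), is_valid(rec, 900.0))
```

Had the timer poll at t=500 been allowed to refresh the record, the string would still read as valid at t=900 even though the user had been idle for 600 seconds; skipping the refresh for timer accesses is what keeps the offline time honest and lets the string expire on schedule.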
Referring to fig. 4, based on the above-described embodiments, in a third embodiment, the access right management method is applied to a switch application program and includes the following steps:
Step S700: when a message header sent by the server side is received, reading the permission identifier carried by the message header, and determining the authority level corresponding to the permission identifier;
Step S800: verifying whether the authority level is greater than or equal to the local authority level;
Step S810: if yes, generating and sending access permission information to the server side;
Step S820: if not, generating and sending access refusal information to the server side.
In this embodiment, after receiving the message header sent by the server side, the switch application program reads the message header to obtain the permission identifier it carries, and then determines the authority level of the user according to the permission identifier. The permission identifier can be a primary, secondary, three-level or four-level authority identifier; correspondingly, the authority level is the basic authority, the monitoring authority, the management authority or the standard authority.
After determining the user's authority level, the switch application program verifies whether it is greater than or equal to the local authority level; if yes, it generates and sends access permission information to the server side; if not, it generates and sends access refusal information to the server side. The access permission information informs the server side that the client is permitted to access the switch application program; the access refusal information informs the server side that the client that sent the access character string is not permitted to access the switch application program.
In the technical scheme provided by this embodiment, the switch application program verifies the permission identifier carried by the message header to determine whether the client requesting access has the right to access the switch application program. User permissions are thereby managed so that only users with the required authority level can use the switch application program, which ensures the security of the switch application program's data.
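The switch-application side of the exchange (steps S700 to S820), as an added example that is not code from the patent. The header key `Permission-Identifier` and the numeric rank used for the "greater than or equal to" comparison are assumptions: the patent gives no numeric scale for the authority levels, so the rank here follows the capabilities the description lists (each level includes those below it, and management includes all of them).

```python
"""Added example (not code from the patent): the switch-application side,
steps S700 to S820. The header key 'Permission-Identifier' and the numeric
rank used for the 'greater than or equal to' comparison are assumptions."""

# Permission identifier in the header -> authority level (steps S400 and S700).
IDENTIFIER_TO_LEVEL = {
    "primary": "basic",
    "secondary": "monitoring",
    "three-level": "management",
    "four-level": "standard",
}

# Order used by the comparison in step S800. The patent gives no numeric
# scale; this rank follows the capabilities described (each level includes
# those below it, and management includes all of them), so it is an assumption.
LEVEL_RANK = {"basic": 1, "monitoring": 2, "standard": 3, "management": 4}


class SwitchApplication:
    def __init__(self, local_authority_level):
        if local_authority_level not in LEVEL_RANK:
            raise ValueError("unknown local authority level")
        self.local_authority_level = local_authority_level

    def authority_level_of(self, header):
        """S700: read the permission identifier and resolve its authority
        level. Returns None for a missing or unrecognised identifier."""
        return IDENTIFIER_TO_LEVEL.get(header.get("Permission-Identifier"))

    def handle_message_header(self, header):
        """S800 to S820: 'permit' when the user's level is at or above the
        local level, 'deny' otherwise. An unrecognised identifier is denied
        rather than treated as a low level (a defensive default the text
        leaves open)."""
        level = self.authority_level_of(header)
        if level is None:
            return "deny"
        if LEVEL_RANK[level] >= LEVEL_RANK[self.local_authority_level]:
            return "permit"
        return "deny"


if __name__ == "__main__":
    app = SwitchApplication("monitoring")
    print(app.handle_message_header({"Permission-Identifier": "four-level"}))  # permit
    print(app.handle_message_header({"Permission-Identifier": "primary"}))     # deny
```

Because the switch application program decides purely on the identifier in the header, the check is only as strong as the integrity of the path between the server side and the switch application program; the description's restriction that the session record is reachable only locally, and only by a switch application program holding the relevant encryption library, is what keeps that header from being forged by an external application.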
Furthermore, it will be appreciated by those of ordinary skill in the art that implementing all or part of the processes in the methods of the above embodiments may be accomplished by computer programs to instruct related hardware. The computer program comprises program instructions, and the computer program may be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the access rights management device to implement the flow steps of embodiments of the method described above.
Accordingly, the present invention also provides a computer-readable storage medium storing an access right management program which, when executed by a processor, implements the steps of the access right management method described in the above embodiments.
The computer readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, an optical disk, or any other medium that can store the program code.
It should be noted that, because the storage medium provided in the embodiments of the present application is a storage medium used for implementing the method in the embodiments of the present application, based on the method described in the embodiments of the present application, a person skilled in the art can understand the specific structure and the modification of the storage medium, and therefore, the description thereof is omitted herein. All storage media adopted by the method of the embodiment of the application belong to the scope of protection of the application.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, et cetera does not indicate any ordering; these words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (6)

1. An access right management method, characterized in that it is applied to a server side and comprises the following steps:
when receiving user login information sent by a client, calling corresponding local user data according to the user login information;
generating and sending an access character string corresponding to the local user data to the client according to the local user data, the client returning the access character string to the server side when accessing a switch application program;
after receiving the access character string sent by the client, reading a deadline field in the access character string and an access time in a session record corresponding to the access character string;
determining the effective duration corresponding to the access character string according to the deadline field, and determining the offline duration of the client according to the difference between the current time and the access time;
when the offline duration is greater than or equal to the effective duration, judging that the access character string is invalid;
when the offline duration is smaller than the effective duration, judging that the access character string is valid;
after the access character string is judged to be valid, calling the local user data corresponding to the access character string according to the access character string;
when the authority level of the local user data is a basic authority, generating and sending a message header carrying a primary authority identifier to the switch application program, wherein the basic authority allows access to the switch application program;
when the authority level of the local user data is a monitoring authority, generating and sending a message header carrying a secondary authority identifier to the switch application program, wherein the monitoring authority allows access to the switch application program and monitoring of the switch;
when the authority level of the local user data is a management authority, generating and sending a message header carrying a three-level authority identifier to the switch application program, wherein the management authority includes the monitoring authority and allows the switch to be systematically managed, the systematic management comprising setting the authorities of other users;
when receiving access permission information returned by the switch application program based on the message header, accessing the switch application program;
determining whether the access character string carries a timing task identifier;
if not, refreshing the access time in the session record of the access character string;
if yes, not executing the step of refreshing the access time in the session record of the access character string.
2. The access right management method according to claim 1, wherein after the step of judging that the access character string is invalid when the offline duration is greater than or equal to the effective duration, the method further comprises:
after judging that the access character string is invalid, sending an access character string invalidation prompt to the client.
3. The access right management method according to claim 1, wherein the step of, when receiving user login information sent by the client, calling corresponding local user data according to the user login information comprises:
after receiving the user login information, encrypting and packaging the user login information based on a random encryption string to generate ciphertext information, and sending the ciphertext information to a user management process;
the user management process obtaining a corresponding decryption algorithm from an encryption library based on the encryption identifier of the ciphertext information;
based on the decryption algorithm, performing a decryption operation on the ciphertext information to obtain the local user data;
generating an online user according to the local user data, and adding the online user to a user management table.
4. An access right management method, applied to a switch application program, comprising the following steps:
when a server side receives user login information sent by a client, calling corresponding local user data according to the user login information;
the server side generating and transmitting an access character string corresponding to the local user data to the client according to the local user data, the client returning the access character string to the server side when accessing the switch application program;
after the server side receives the access character string sent by the client, reading a deadline field in the access character string and an access time in a session record corresponding to the access character string;
the server side determining the effective duration corresponding to the access character string according to the deadline field, determining the offline duration of the client according to the difference between the current time and the access time, judging that the access character string is invalid when the offline duration is greater than or equal to the effective duration, and judging that the access character string is valid when the offline duration is smaller than the effective duration;
when the server side judges that the access character string is valid, calling the local user data corresponding to the access character string according to the access character string; when the authority level of the local user data is a basic authority, generating and sending a message header carrying a primary authority identifier to the switch application program, the basic authority allowing access to the switch application program; when the authority level of the local user data is a monitoring authority, generating and sending a message header carrying a secondary authority identifier to the switch application program, the monitoring authority allowing access to the switch application program and monitoring of the switch; when the authority level of the local user data is a management authority, generating and sending a message header carrying a three-level authority identifier to the switch application program, the management authority including the monitoring authority and allowing the switch to be systematically managed, the systematic management comprising setting the authorities of other users;
when the switch application program receives the message header sent by the server side, reading the permission identifier carried by the message header, and determining the authority level corresponding to the permission identifier;
verifying whether the authority level is greater than or equal to a local authority level;
if yes, generating and sending access permission information to the server side;
if not, generating and sending access refusal information to the server side;
when the server side receives the access permission information returned by the switch application program based on the message header, the server side accessing the switch application program;
the server side determining whether the access character string carries a timing task identifier, and when the access character string does not carry the timing task identifier, refreshing the access time in the session record of the access character string; otherwise, not executing the step of refreshing the access time in the session record of the access character string.
5. An access rights management apparatus, characterized in that the access rights management apparatus comprises: memory, a processor and an access rights management program stored on the memory and executable on the processor, the access rights management program being configured to implement the steps of the access rights management method of any of claims 1 to 4.
6. A readable storage medium, wherein an access rights management program is stored on the readable storage medium, which when executed by a processor, implements the steps of the access rights management method according to any one of claims 1 to 4.
CN202311631437.0A 2023-12-01 2023-12-01 Access right management method, access right management device, and readable storage medium Active CN117319096B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311631437.0A CN117319096B (en) 2023-12-01 2023-12-01 Access right management method, access right management device, and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311631437.0A CN117319096B (en) 2023-12-01 2023-12-01 Access right management method, access right management device, and readable storage medium

Publications (2)

Publication Number Publication Date
CN117319096A CN117319096A (en) 2023-12-29
CN117319096B true CN117319096B (en) 2024-04-23

Family

ID=89260793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311631437.0A Active CN117319096B (en) 2023-12-01 2023-12-01 Access right management method, access right management device, and readable storage medium

Country Status (1)

Country Link
CN (1) CN117319096B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981683A (en) * 2019-04-11 2019-07-05 苏州浪潮智能科技有限公司 A kind of exchange data access method, system, equipment and computer storage medium
CN111030828A (en) * 2019-12-19 2020-04-17 中国电建集团华东勘测设计研究院有限公司 Authority control method and system under micro-service architecture and access token
CN111181941A (en) * 2019-12-23 2020-05-19 杭州安恒信息技术股份有限公司 Page login method, system and related device
WO2021147442A1 (en) * 2020-01-22 2021-07-29 华为技术有限公司 Access control method and apparatus, terminal device, and storage medium
CN113922968A (en) * 2021-10-19 2022-01-11 中国电信股份有限公司 Access token generation and verification method and device, electronic equipment and storage medium
WO2022134063A1 (en) * 2020-12-25 2022-06-30 Oppo广东移动通信有限公司 Access token usage method and device
CN114697063A (en) * 2020-12-30 2022-07-01 北京国双科技有限公司 Security authentication method and device, electronic equipment and storage medium
CN115996122A (en) * 2021-10-20 2023-04-21 华为技术有限公司 Access control method, device and system
CN116192432A (en) * 2022-12-07 2023-05-30 国网智能电网研究院有限公司 Security authentication and authority control method and device under micro-application architecture and storage medium
CN116226879A (en) * 2022-12-26 2023-06-06 易方达基金管理有限公司 Service interface access control method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8695071B2 (en) * 2011-10-23 2014-04-08 Gopal Nandakumar Authentication method

Also Published As

Publication number Publication date
CN117319096A (en) 2023-12-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant