CN118118238A - Access right verification method and device - Google Patents


Info

Publication number
CN118118238A
Authority
CN
China
Prior art keywords
access request
information
request information
access
authority
Legal status
Pending
Application number
CN202410232060.XA
Other languages
Chinese (zh)
Inventor
赵可涵
林爱文
宁力军
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd

Abstract

The disclosure provides a method and a device for verifying access rights. The method is applied to a server and comprises the following steps: receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has already passed verification by the gateway device; and responding to the access request information in response to determining that the authority verification of the access request information is passed. The gateway device and the server are used to perform multiple verifications of the user's access rights, so that a rights verification system based on the zero trust concept is constructed, the accuracy of user rights verification is improved, the single point of failure that arises when user rights are verified only at the network boundary is avoided, and the security of the network is improved.

Description

Access right verification method and device
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a method and a device for verifying access rights.
Background
The traditional network security concept often protects the resource data inside a network at the network boundary by setting up defense lines such as firewalls. Under this concept, only the interfaces or boundary points between the internal network and the outside world (such as the Internet) are protected, and rights management is concentrated on a central server or a single management platform. If an intruder wants to enter the internal network, the central server or management platform becomes the object to be attacked, which increases the risk of a concentrated attack and therefore the risk of a single point of failure, resulting in lower network security.
In addition, the traditional intranet protection concept focuses on static authority control, that is, user authority is configured according to user identity; this design cannot effectively cope with changing modes of network attack, which again results in lower network security.
No good solution to the problem of low network security exists at present.
Disclosure of Invention
In view of the above, the present disclosure provides a method and an apparatus for verifying access rights, which construct a rights verification system based on a zero trust concept, so that the risk of single point failure can be effectively reduced, and the security of network information is improved.
The present disclosure provides a method for verifying access rights, the method being applied to a server, the method comprising:
Receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device;
and responding to the access request information in response to determining that the authority verification of the access request information is passed.
Optionally, after receiving the access request information sent by the gateway device, the method further includes:
Verifying the service authority information in the access request information according to a pre-constructed data rule, wherein the data rule at least comprises the service authority information of a target object;
Verifying the access right of the access request information on the network boundary according to a preset access strategy, wherein the access strategy is used for verifying whether the access request has the network access right;
Verifying the parameter information of the access request information according to a preset rule in response to the determination that the service authority information in the access request information and the access authority verification of the access request information at the network boundary pass, wherein the preset rule is used for determining the parameter information when responding to the access request information;
and responding to the determination that the parameter information of the access request information accords with the preset rule, acquiring the target request authority of the target object, and performing authority verification on the access request information according to the target request authority.
Optionally, after receiving the access request information sent by the gateway device, the method further includes:
And in response to determining that the parameter information of the access request information does not accord with a preset rule, modifying the parameter information according to the preset rule.
Optionally, the obtaining the target request authority of the target object includes:
determining role authority of the target object according to the access request information;
determining the platform authority of the target object according to the access request information;
and determining the target request authority of the target object according to the role authority and the platform authority.
Optionally, the determining the role authority of the target object according to the access request information includes:
Determining role information of the target object according to the token information in the access request information;
Inquiring a preset permission model according to the role information, and determining the role permission, wherein the permission model is used for storing the corresponding relation between the role information and the permission information.
Optionally, the determining the platform authority of the target object according to the access request information includes:
Determining an access platform corresponding to the access request information according to the token information in the access request information;
And determining the platform permission according to the access platform.
Optionally, after responding to the access request information, the method further includes:
acquiring operation information of the target object in the server;
In response to determining that the authority of the operation information is verified, the server responds to the operation information.
The present disclosure provides an access right verification apparatus, which is applied to a server, the apparatus including:
The first receiving unit is used for receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device;
And the first response unit is used for responding to the access request information in response to determining that the authority verification of the access request information is passed.
Optionally, the apparatus further includes:
The first verification unit is used for verifying the service authority information in the access request information according to a pre-constructed data rule, wherein the data rule at least comprises the service authority information of the target object;
The second verification unit is used for verifying the access authority of the access request information on the network boundary according to a preset access strategy, wherein the access strategy is used for verifying whether the access request has the network access authority;
The third verification unit is used for verifying the parameter information of the access request information according to a preset rule in response to the fact that the service authority information in the access request information and the access authority verification of the access request information at the network boundary pass, wherein the preset rule is used for determining the parameter information when the access request information is responded;
And the fourth verification unit is used for acquiring the target request authority of the target object and performing authority verification on the access request information according to the target request authority in response to the fact that the parameter information of the access request information accords with the preset rule.
Optionally, the apparatus further includes:
And the modification unit is used for modifying the parameter information according to a preset rule in response to the fact that the parameter information of the access request information does not accord with the preset rule, wherein the preset rule is used for determining the parameter information when the access request information is responded.
Optionally, the fourth verification unit is specifically configured to:
determining role authority of the target object according to the access request information;
determining the platform authority of the target object according to the access request information;
and determining the target request authority of the target object according to the role authority and the platform authority.
Optionally, the fourth verification unit is specifically configured to:
Determining role information of the target object according to the token information in the access request information;
Inquiring a preset permission model according to the role information, and determining the role permission, wherein the permission model is used for storing the corresponding relation between the role information and the permission information.
Optionally, the fourth verification unit is specifically configured to:
Determining an access platform corresponding to the access request information according to the token information in the access request information;
And determining the platform permission according to the access platform.
Optionally, the apparatus further includes:
an acquisition unit, configured to acquire operation information of the target object in the server;
And the second response unit is used for responding to the operation information if the authority verification of the operation information is determined to pass.
The present disclosure provides a method for verifying access rights, the method being applied to a gateway device, the method comprising:
Receiving access request information initiated by a target object at terminal equipment;
analyzing the access request information to obtain request header information of the access request information;
And in response to determining that the token information exists in the request header information and accords with a token data format specified by a preset token requirement, sending the access request information to a corresponding server so as to enable the server to verify the authority of the access request information.
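The gateway-side step described above (parse the request header, forward only when a token is present and matches the required data format), as an added illustration that is not the patent's own code. The JWT-style three-segment token format, the `Authorization: Bearer` header and the sample requests are assumptions; the page does not state the deployment's actual token format.

```python
import re

# Token data format the gateway demands (assumption: a JWT-style token of
# three base64url segments); the real deployment's format is not on the page.
TOKEN_FORMAT = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def parse_request_headers(raw):
    """Split a raw HTTP/1.1 request into its header fields (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line, not a header
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def gateway_decision(raw_request):
    """Return (forward_to_server, reason). Forward only when token information
    exists in the request header and conforms to the required data format."""
    try:
        headers = parse_request_headers(raw_request)
    except ValueError as exc:
        return False, str(exc)
    auth = headers.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "no token in request header"
    if not TOKEN_FORMAT.fullmatch(token):
        return False, "token does not match the required data format"
    return True, "token present and well-formed; forward to server"


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = ("GET /api/compute?resource=vm-42 HTTP/1.1\r\nHost: cloud.example\r\n"
                "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln\r\n\r\n")
NO_TOKEN_REQUEST = "GET /api/compute HTTP/1.1\r\nHost: cloud.example\r\n\r\n"
BAD_FORMAT_REQUEST = ("GET /api/compute HTTP/1.1\r\nHost: cloud.example\r\n"
                      "Authorization: Bearer not a token\r\n\r\n")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, NO_TOKEN_REQUEST, BAD_FORMAT_REQUEST):
        print(gateway_decision(req))
```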
The present disclosure also provides another device for verifying access rights, where the device is applied to a gateway device, and the device includes:
the second receiving unit is used for receiving access request information initiated by the target object at the terminal equipment;
the analysis unit is used for analyzing the access request information to obtain request header information of the access request information;
and the sending unit is used for sending the access request information to a corresponding server in response to the fact that the token information exists in the request header information and accords with the token data format specified by the preset token requirement, so that the server can verify the authority of the access request information.
The present disclosure also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above method.
The application also provides electronic equipment, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are mutually connected through the bus;
the memory stores machine readable instructions and the processor performs the method by invoking the machine readable instructions.
The technical scheme provided by the embodiment of the disclosure can comprise the following beneficial effects:
The gateway equipment and the server are used for carrying out multiple verification on the access rights of the user, a rights verification system based on the zero trust concept is constructed, the accuracy of the user rights verification is improved, the problem that single-point faults are easy to cause due to the fact that the user rights are verified only at the network boundary is avoided, and the security of the network is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a schematic diagram of a method of verifying access rights according to an exemplary embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of verifying access rights according to an exemplary embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating one method of determining target request rights according to an exemplary embodiment of the present disclosure;
FIG. 4 is a block diagram of an access rights verification device according to an exemplary embodiment of the present disclosure;
FIG. 5 is a flowchart of another method of verifying access rights according to an exemplary embodiment of the present disclosure;
FIG. 6 is a block diagram of another access rights verification device shown in accordance with an exemplary embodiment of the present disclosure;
Fig. 7 is a hardware configuration diagram of an electronic device where an access right verification apparatus is located according to an exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this disclosure to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" depending on the context.
With the development of cloud computing, organizations are increasingly moving towards deploying their applications and data into the cloud for flexibility, scalability, and cost effectiveness. However, as the complexity of cloud environments increases, managing these cloud resources becomes increasingly complex. Thus, to effectively help an organization effectively manage its cloud infrastructure, applications, and services, cloud computing resources are typically managed using a cloud management platform.
The traditional network security concept often protects resource data inside a network at a network boundary according to setting network defense lines such as a firewall. That is, in the conventional network security concept, only interfaces or boundary points between an internal network and the outside world (e.g., the Internet) are protected, and rights management is represented on a cloud management platform as being concentrated on a central server or a single management platform. If an intruder wants to intrude into the cloud platform, the central server or the management platform becomes an object to be attacked, so that the risk of centralized attack is increased, and further, the risk of single-point failure is increased, thereby causing a problem that the security of the network is lower.
With the wide adoption of new technologies such as cloud computing, big data and the Internet of Things, IT (Information Technology) architecture is transitioning from "bordered" to "borderless", which means that the traditional security border is gradually disappearing, so new network protection measures are needed to protect the resources inside the network. The zero trust concept is a new network security concept and architecture that emphasizes authentication and rights management for each user and device in an unbounded network environment. This means that conventional network boundaries are no longer relied upon to protect data and applications. It starts from each user and device and performs identity verification and authority management on every network request, so that the risk of network attack is reduced.
The invention provides an access right verification method, which improves network security by constructing a right verification system based on a zero trust concept.
Referring to fig. 1, fig. 1 is a schematic diagram of an access right verification method according to an exemplary embodiment, and the access right verification method based on the zero trust concept may be implemented through the partial schematic diagram shown in fig. 1.
First, a user initiates an access request at a client; the access request information is then forwarded to the gateway device through a reverse proxy, and the gateway device performs preliminary filtering on the access request information and verifies the token in its request header to determine that the client has the authority to access the platform.
The gateway device then forwards the access request information to the corresponding microservice module, where one microservice module corresponds to one service operation; the microservice module verifies the source and content of the access request information, and at the same time the zero-trust gateway controller performs identity verification on the access request information to determine the identity of the user and thereby whether the user has access rights at the network boundary.
After the access request passes the verification of both the microservice module and the zero trust gateway controller, the interceptor chain further verifies the access request information to determine that the parameters in the access request information meet the requirements of the server and can be responded to by the server.
Finally, according to a prestored RBAC (Role-Based Access Control) model and platform menu information, the role authority and the platform authority of the user are determined respectively, thereby determining the target request authority of the user, and the access request information is verified against the target request authority.
After the access right passes verification, the access request enters the service logic, the server responds to the access request information, and the result is returned to the client.
In order to further explain the specific verification process of each step in the access right verification method, the access right verification method will be further described below.
Referring to fig. 2, fig. 2 is a flowchart illustrating a method for verifying access rights according to an exemplary embodiment, the method is applied to a server, and the method performs the following steps:
Step 202, receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device.
First, the server receives access request information that has been sent by the gateway device and preliminarily verified by it. The access request information is initiated by a user (namely the target object) on a terminal device, for example HTTP (Hypertext Transfer Protocol) request information, and it can carry operation information such as querying, storing or modifying resources inside the network. The gateway device may be a router or firewall connecting an intranet to the Internet, or a router, switch or dedicated gateway device connecting different LANs; that is, the gateway device enables networks of different types to communicate with each other.
Step 204, responding to the access request information in response to determining that the authority verification of the access request information is passed.
After the server receives the access request information sent by the gateway device, the access request information is subjected to multiple authority verifications by an authority verification system built on the zero trust concept, so as to protect a borderless IT environment; after the authority verification of the access request information is passed, the server responds to the access request information.
For example, a user initiates access request information for inquiring cloud computing data in a cloud platform at a terminal device, after receiving the access request information sent by a gateway device, a server verifies access rights of the user initiating the access request information through a rights verification system, judges whether the user has rights for inquiring the cloud computing data, and returns corresponding cloud computing data to a client in response to an access request of the user under the condition that the user is determined to have the rights.
The gateway equipment and the server are used for carrying out multiple verification on the access rights of the user, a rights verification system based on the zero trust concept is constructed, the accuracy of the user rights verification is improved, the problem that single-point faults are easy to cause due to the fact that the user rights are verified only at the network boundary is avoided, and the security of the network is improved.
In an embodiment, after receiving the access request information sent by the gateway device, the method further includes: verifying the service authority information in the access request information according to a pre-constructed data rule, wherein the data rule at least comprises the service authority information of a target object; verifying the access right of the access request information on the network boundary according to a preset access strategy, wherein the access strategy is used for verifying whether the access request has the network access right; verifying the parameter information of the access request information according to a preset rule in response to the determination that the service authority information in the access request information and the access authority verification of the access request information at the network boundary pass, wherein the preset rule is used for determining the parameter information when responding to the access request information; and responding to the determination that the parameter information of the access request information accords with the preset rule, acquiring the target request authority of the target object, and performing authority verification on the access request information according to the target request authority.
When the access request information is subjected to authority verification, it passes through four verification sections. First, the source and content of the access request information are verified by the microservice module associated with the service. In the embodiment provided by the disclosure there are several microservice modules, each corresponding to one service function, and different microservice modules can exchange data with each other. When the microservice module verifies the access request information, it can do so according to the token information in the access request information or the request header information of the access request. The token is a temporary credential for authentication, usually generated by the server and issued to the client, so token information should exist in any access request initiated by a client that the server has authenticated. The request header information is the part of an HTTP message that carries various information about the client sending the request, which helps the server understand the request and how to handle it. An HTTP request header is typically made up of a series of key-value pairs, each representing a particular attribute or option.
By comparing the token information or the request header information of the access request against the pre-constructed data rule, the purpose of the access request can be determined, together with the user's decision authority, data authority, validity period and similar information. In addition to such service authority information of the target object, a security policy can be set in the data rule; for example, the data rule can specify the permitted request frequency and the number of IP addresses from which access requests may be initiated to the server, so as to protect network security.
While the microservice module verifies the access request information, the zero trust gateway controller also verifies the token information or request header information in the access request information according to a preset access policy, and judges whether the target object has access rights at the network boundary. The preset access policy may include data such as an allow list and a reject list.
After the access request passes the verification of both the microservice module and the zero trust gateway controller, the access request information is further verified according to a preset rule. In the present disclosure, this further verification may be achieved through an interceptor chain. In the interceptor chain, the access request information passes through a series of interceptors, each responsible for a particular task at a different stage of request processing. Each interceptor may process, modify or interrupt the access request information, and the interceptors are linked together in a fixed order to form a chain. In the disclosure, the interceptor chain may check and verify the validity, parameter length, parameter format, parameter integrity and similar properties of the parameter information in the access request information according to the preset rule and a priority order.
After the parameter information in the access request information is verified, the target request authority of the target object can be obtained, and the access request information is verified according to the target request authority. The target request authority may be an authority tree determined by a multiparty information source, and after the access request information is verified according to the target request authority, the server may respond to the access request information and return service data corresponding to the access request information.
It should be noted that if any of the above four verification sections fails, the access request information cannot be responded to. In addition, the pre-constructed data rules, preset access policies, preset rules, target request authority and other information are stored in the corresponding databases so that the server can query them.
Through the verification step, the access request information can be ensured to be sufficiently verified and examined, so that the accuracy of verification of the access authority is improved, and the security of the network environment is further improved.
In an embodiment, after receiving the access request information sent by the gateway device, the method further includes: and in response to determining that the parameter information of the access request information does not accord with a preset rule, modifying the parameter information according to the preset rule, wherein the preset rule is used for determining the parameter information when the access request information is responded.
Where the parameter information in the access request information is insufficient for the server to respond to the request, the interceptor chain can add, delete or modify parameters according to the preset rule so that the server can respond. That is, the interceptor chain determines the purpose of the access request from the access request information, reads the preset rule matching that purpose, and modifies the parameter information in the access request information according to the rule, so that the access request information meets the server's requirements for responding to the request.
Using the interceptor chain to modify access request information that does not conform to the preset rule completes the access request information, lets the server respond to it accurately, and thus improves the accuracy of the response to the access request information.
In an embodiment, the obtaining the target request authority of the target object includes: determining role authority of the target object according to the access request information; determining the platform authority of the target object according to the access request information; and determining the target request authority of the target object according to the role authority and the platform authority.
In the disclosure, the target request authority is mainly divided into platform authority and role authority. The role authority comes from a pre-built RBAC model, and the platform authority is the pre-stored management authority of different users over cloud platform data. In the RBAC model, each role is assigned a set of permissions indicating the operations that the role can perform in the system; this assignment is made by establishing a mapping between roles and permissions. In the RBAC model, permission grants and access control are based on the role the user belongs to rather than on the identity or personal characteristics of the user. By parsing the access request information, the server can determine the user's role authority in the RBAC model and which platform data the user is authorized to access; the role authority is then associated with the platform's menu authority to determine the user's target request authority.
In an embodiment, the determining the role authority of the target object according to the access request information includes: determining role information of the target object according to the token information in the access request information; inquiring a preset permission model according to the role information, and determining the role permission, wherein the permission model is used for storing the corresponding relation between the role information and the permission information.
By parsing the Token (i.e., the token information described above) in the access request information, the role information of the user can be determined by reading the cache database that stores the RBAC model. In the RBAC model, each user has a unique identifier; the same user can correspond to different roles, and different roles have different access rights. In the present disclosure, the role information corresponding to the user is first determined from the Token in the access request information, and then the user's role authority is determined from the pre-stored mapping between role information and role authority.
In an embodiment, the determining the platform right of the target object according to the access request information includes: determining an access platform corresponding to the access request information according to the token information in the access request information; and determining the platform permission according to the access platform.
The target platform from which data is to be read for the access request is determined by parsing the Token (i.e., the token information) in the access request information; the relational database storing the platform information and platform menus is then read to determine the platform menu of the target platform, and thereby the platform authority of the user.
A relational database stores data in tables organized in rows and columns, supports complex data structures and relationships such as primary keys and foreign keys, and is intended for the storage, management and querying of structured data. The menu authority, the platform-specific hierarchy, and the visible and hidden data can each be stored in the relational database, so that the menu authorities of different platforms are stored in the database by one set of code; for a different platform menu only specific parameters in the code need to be modified, and no new code has to be developed per platform, which improves the reuse rate and extensibility of the code.
To better illustrate the determination of target request rights, referring to FIG. 3, FIG. 3 is a flow chart illustrating one method of determining target request rights according to an exemplary embodiment of the present disclosure.
First, the user logs in at the client and initiates an access request. The target platform is then determined from the platform identification code in the access request information, and the menu rights associated with that platform are obtained from the relational database, giving the platform rights of the user. Next, the RBAC model stored in the cache database is read according to the Token in the request header of the access request information, the user's role information is determined, and the user's role rights are determined from the user's role type. Finally, the platform rights and the role rights of the user are associated to obtain the user's target request rights.
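The FIG. 3 flow and the operation re-verification described further below, as an added illustration that is not the disclosure's own code: the cache database holding the RBAC model and the relational database holding platform menus are stood in for by in-memory dicts, and all tokens, users, roles, platform codes and menu names are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # (platform menu, operation), e.g. ("instances", "write")

# Constructed stand-in for the cache database holding the RBAC model:
# Token -> user, user -> roles, role -> permissions.
TOKEN_TO_USER = {"tok-alice": "alice", "tok-bob": "bob"}
USER_ROLES = {"alice": {"tenant_admin", "auditor"}, "bob": {"auditor"}}
ROLE_PERMISSIONS = {
    "tenant_admin": {("instances", "read"), ("instances", "write"), ("billing", "read")},
    "auditor": {("instances", "read"), ("audit_log", "read")},
}
# Constructed stand-in for the relational database holding each platform's
# menu (the menu items the platform exposes), keyed by platform identification code.
PLATFORM_MENUS = {
    "cloud-a": {"instances", "billing"},
    "cloud-b": {"instances", "audit_log"},
}


@dataclass(frozen=True)
class Request:
    """Parsed access request (or a later operation) as the server sees it."""
    token: str            # Token taken from the request header
    platform_code: str    # platform identification code carried in the request
    menu: str             # platform menu the request targets
    operation: str        # read / write / execute ...


def role_authority(token: str) -> Set[Permission]:
    """Token -> role information -> union of the roles' permissions.
    An unknown token maps to no user and therefore to no permissions (fail closed)."""
    user = TOKEN_TO_USER.get(token)
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def platform_authority(platform_code: str) -> Set[str]:
    """Platform identification code -> menu items visible on that platform."""
    return set(PLATFORM_MENUS.get(platform_code, set()))


def target_request_authority(token: str, platform_code: str) -> FrozenSet[Permission]:
    """Associate role authority with platform authority: a role permission
    applies only when its menu is part of the target platform's menu."""
    menus = platform_authority(platform_code)
    return frozenset(p for p in role_authority(token) if p[0] in menus)


def verify(req: Request) -> bool:
    """Authority check applied to the initial access request and, with the same
    method, to every subsequent operation the user performs on the server."""
    return (req.menu, req.operation) in target_request_authority(req.token, req.platform_code)


if __name__ == "__main__":
    # The initial request, then two follow-up operations on the same platform.
    session = [
        Request("tok-alice", "cloud-b", "instances", "read"),
        Request("tok-alice", "cloud-b", "audit_log", "read"),
        Request("tok-alice", "cloud-b", "billing", "read"),   # billing not on cloud-b
    ]
    for r in session:
        print(r.menu, r.operation, "->", "allowed" if verify(r) else "denied")
```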
In an embodiment, after responding to the access request information, the method further comprises: acquiring operation information of the target object in the server; in response to determining that the authority of the operation information is verified, the server responds to the operation information.
After the server responds to the access request information initiated by the user (i.e., the target object), the user's operation information, such as reads, writes and executions on the platform data, is continuously monitored, and the user's operation authority is verified against that operation information; the verification method for the operation authority is the same as that for the access request information. Based on the zero-trust concept, only authorized operations can be executed, and operations such as calls between modules or data-service queries and writes need both their operation permission and their data permission verified. This verification mechanism ensures that each operation conforms to the expected security policy and business rules, thereby ensuring the integrity and security of the data, preventing potential security threats and attacks, and improving network security.
Corresponding to the method embodiment, the disclosure further provides an embodiment of an access right verification device.
Referring to fig. 4, fig. 4 is a block diagram of an apparatus for verifying access rights according to an exemplary embodiment, where the apparatus is applied to a server, and the apparatus may include the following modules:
The first receiving unit is used for receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device;
And the first response unit is used for responding to the access request information in response to determining that the authority verification of the access request information is passed.
In an embodiment, the device further comprises:
The first verification unit is used for verifying the service authority information in the access request information according to a pre-constructed data rule, wherein the data rule at least comprises the service authority information of the target object;
The second verification unit is used for verifying the access authority of the access request information on the network boundary according to a preset access strategy, wherein the access strategy is used for verifying whether the access request has the network access authority;
The third verification unit is used for verifying the parameter information of the access request information according to a preset rule in response to the fact that the service authority information in the access request information and the access authority verification of the access request information at the network boundary pass, wherein the preset rule is used for determining the parameter information when the access request information is responded;
And the fourth verification unit is used for acquiring the target request authority of the target object and performing authority verification on the access request information according to the target request authority in response to the fact that the parameter information of the access request information accords with the preset rule.
In an embodiment, the device further comprises:
And the modification unit is used for modifying the parameter information according to a preset rule in response to the fact that the parameter information of the access request information does not accord with the preset rule, wherein the preset rule is used for determining the parameter information when the access request information is responded.
In an embodiment, the fourth verification unit is specifically configured to:
determining role authority of the target object according to the access request information;
determining the platform authority of the target object according to the access request information;
and determining the target request authority of the target object according to the role authority and the platform authority.
In an embodiment, the fourth verification unit is specifically configured to:
Determining role information of the target object according to the token information in the access request information;
Inquiring a preset permission model according to the role information, and determining the role permission, wherein the permission model is used for storing the corresponding relation between the role information and the permission information.
In an embodiment, the fourth verification unit is specifically configured to:
Determining an access platform corresponding to the access request information according to the token information in the access request information;
And determining the platform permission according to the access platform.
In an embodiment, the device further comprises:
an acquisition unit, configured to acquire operation information of the target object in the server;
And the second response unit is used for responding to the operation information if the authority verification of the operation information is determined to pass.
Corresponding to the above method, the present disclosure further provides another method for verifying access rights, which is applied to the gateway device, and further described below.
Referring to fig. 5, fig. 5 is a flowchart illustrating another method for verifying access rights according to an exemplary embodiment, the method is applied to a gateway device, and the method performs the following steps:
step 502, receiving access request information initiated by a target object at a terminal device.
First, the access request information that the target object initiates at the terminal device towards the server can be used to request cloud computing resources in a cloud platform or to manage resources in the cloud platform. The access request information is then forwarded to the gateway device through a reverse proxy, so that the gateway device receives the access request information initiated by the target object at the terminal device. The target object may be a person having access rights to the platform, such as a user of the cloud platform.
And step 503, analyzing the access request information to obtain request header information of the access request information.
The gateway device parses the access request information. The access request is generally an HTTP request, so parsing can be roughly divided into parsing the request line, parsing the request header and parsing the request body, which yields the request header information in the access request information. The request header includes information such as the content type of the request, from which the attributes of the access request can be determined. The request line includes the request method, the uniform resource identifier and the HTTP protocol version, and by parsing the request line the gateway device can learn the action and the destination resource of the access request.
And step 504, in response to determining that the request header information contains the token information and the token information accords with a token data format specified by a preset token requirement, sending the access request information to a corresponding server so as to enable the server to verify the authority of the access request information.
After the gateway device has parsed the access request information and obtained the request header information, the access request information is first filtered through a filter, which mainly judges whether the request header of the access request information contains a specific Token (i.e., the token information). The Token is a temporary credential for identity verification that can be used to verify the identity and access authority of a user; if the specific Token is absent from the access request information, the client that initiated it has no access authority, so access request information without the specific Token can be filtered out directly.
After determining that the specific token information exists in the request header information of the access request information, the data format of the token information is verified. The token data format is a data format requirement stored in advance in a database, for example a requirement on the number of bits of the token or on the positions of special characters; the specific token data format can be set according to the actual application. Once the gateway device determines that the token information conforms to the token data format specified by the preset token requirement, it sends the access request information on to the server for further permission verification; otherwise, the access request information does not reach the corresponding server.
Based on the zero-trust concept, the gateway device performs preliminary verification on the access request information to ensure that the access request information reaching the server is valid, so that the server can perform further verification on it, improving the accuracy of authority verification and network security.
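Steps 502 to 504 on the gateway side, as an added illustration that is not the disclosure's own code: the header name `X-Access-Token` and the preset token format (36 characters, hex digits with "-" at positions 8, 13, 18 and 23) are assumptions standing in for the requirement a deployment would store in its database, and the sample requests are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed preset token requirement: a length rule plus fixed positions for
# the special character "-".  Real deployments store their own rule in the database.
TOKEN_HEADER = "x-access-token"
TOKEN_FORMAT = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.1 request into request line, headers and body.

    Returns None for anything that is not a well-formed request so that the
    caller fails closed instead of guessing.  Header names are lower-cased and
    repeated headers are kept as a list so duplicates remain detectable.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no end-of-headers marker
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None                      # non-ASCII bytes in the header block
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                      # malformed request line
    method, target, version = parts
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            return None                  # bad header syntax (or folded line)
        headers.setdefault(name.lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def gateway_decision(raw: bytes) -> Tuple[str, object]:
    """Preliminary filter of step 504: forward only when exactly one token
    header is present and its value matches the preset data format."""
    req = parse_http_request(raw)
    if req is None:
        return ("drop", "malformed request")
    values = req["headers"].get(TOKEN_HEADER, [])
    if not values:
        return ("drop", "no token in request header")
    if len(values) != 1:
        return ("drop", "ambiguous: token header repeated")
    if not TOKEN_FORMAT.fullmatch(values[0]):
        return ("drop", "token does not match preset data format")
    # Presence and format only: identity and permission verification is left
    # to the server, which receives the request unchanged.
    return ("forward", req)


# Constructed sample requests covering the cases the filter must distinguish.
GOOD = (b"GET /api/instances HTTP/1.1\r\nHost: cloud-a.example\r\n"
        b"X-Access-Token: 123e4567-e89b-12d3-a456-426614174000\r\n\r\n")
NO_TOKEN = b"GET /api/instances HTTP/1.1\r\nHost: cloud-a.example\r\n\r\n"
BAD_FORMAT = (b"GET /api/instances HTTP/1.1\r\n"
              b"X-Access-Token: 123E4567e89b12d3a456426614174000\r\n\r\n")
DUPLICATE = (b"GET /api/instances HTTP/1.1\r\n"
             b"X-Access-Token: 123e4567-e89b-12d3-a456-426614174000\r\n"
             b"X-Access-Token: 00000000-0000-0000-0000-000000000000\r\n\r\n")
MALFORMED = (b"GET /api/instances\r\n"
             b"X-Access-Token: 123e4567-e89b-12d3-a456-426614174000\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("no token", NO_TOKEN), ("bad format", BAD_FORMAT),
                       ("duplicate", DUPLICATE), ("malformed", MALFORMED)]:
        action, detail = gateway_decision(raw)
        print(f"{label:10s} -> {action}" + ("" if action == "forward" else f" ({detail})"))
```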
Corresponding to the above method embodiments, the present disclosure also provides an embodiment of another verification apparatus of access rights.
Referring to fig. 6, fig. 6 is a block diagram of an apparatus for verifying access rights according to an exemplary embodiment, where the apparatus is applied to a gateway device, the apparatus may include the following modules:
the second receiving unit is used for receiving access request information initiated by the target object at the terminal equipment;
the analysis unit is used for analyzing the access request information to obtain request header information of the access request information;
and the sending unit is used for sending the access request information to a corresponding server in response to the fact that the token information exists in the request header information and accords with the token data format specified by the preset token requirement, so that the server can verify the authority of the access request information.
For the foregoing method embodiments, for simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will appreciate that the present disclosure is not limited by the order of acts described, as some steps may occur in other orders or concurrently in accordance with the disclosure.
Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the elements described above as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the disclosed solution. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Corresponding to the method embodiment, the disclosure further provides an embodiment of an access right verification device. The embodiment of the access right verification device can be applied to an electronic device. The apparatus embodiments may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logical sense is formed by the processor of the electronic device where the device is located reading the corresponding computer program instructions from a non-volatile memory into memory and running them. In terms of hardware, please refer to FIG. 7, which is a hardware structure diagram of the electronic device where the access right verifying apparatus is located, as shown in an exemplary embodiment. In addition to the processor, the memory, the network interface and the non-volatile memory shown in FIG. 7, the electronic device where the apparatus is located generally includes other hardware according to its actual function, which is not described here.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are illustrative only, in that the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the disclosed solution. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by the computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing has described certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any adaptations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A method for verifying access rights, applied to a server, the method comprising:
Receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device;
and responding to the access request information in response to determining that the authority verification of the access request information is passed.
2. The method of claim 1, wherein after receiving the access request information sent by the gateway device, the method further comprises:
Verifying the service authority information in the access request information according to a pre-constructed data rule, wherein the data rule at least comprises the service authority information of a target object;
Verifying the access right of the access request information on the network boundary according to a preset access strategy, wherein the access strategy is used for verifying whether the access request has the network access right;
Verifying the parameter information of the access request information according to a preset rule in response to the determination that the service authority information in the access request information and the access authority verification of the access request information at the network boundary pass, wherein the preset rule is used for determining the parameter information when responding to the access request information;
and responding to the determination that the parameter information of the access request information accords with the preset rule, acquiring the target request authority of the target object, and performing authority verification on the access request information according to the target request authority.
3. The method of claim 1, wherein after receiving the access request information sent by the gateway device, the method further comprises:
And in response to determining that the parameter information of the access request information does not accord with a preset rule, modifying the parameter information according to the preset rule, wherein the preset rule is used for determining the parameter information when the access request information is responded.
4. The method of claim 2, wherein the obtaining the target request rights for the target object comprises:
determining role authority of the target object according to the access request information;
determining the platform authority of the target object according to the access request information;
and determining the target request authority of the target object according to the role authority and the platform authority.
5. The method of claim 4, wherein determining the role authority of the target object based on the access request information comprises:
Determining role information of the target object according to the token information in the access request information;
Inquiring a preset permission model according to the role information, and determining the role permission, wherein the permission model is used for storing the corresponding relation between the role information and the permission information.
6. The method of claim 4, wherein determining the platform rights for the target object based on the access request information comprises:
Determining an access platform corresponding to the access request information according to the token information in the access request information;
And determining the platform permission according to the access platform.
7. The method of claim 1, wherein after responding to the access request information, the method further comprises:
acquiring operation information of the target object in the server;
In response to determining that the authority of the operation information is verified, the server responds to the operation information.
8. A method for verifying access rights, applied to a gateway device, the method comprising:
Receiving access request information initiated by a target object at terminal equipment;
analyzing the access request information to obtain request header information of the access request information;
And in response to determining that the token information exists in the request header information and accords with a token data format specified by a preset token requirement, sending the access request information to a corresponding server so as to enable the server to verify the authority of the access request information.
9. An apparatus for verifying access rights, applied to a server, comprising:
The first receiving unit is used for receiving access request information sent by a gateway device, wherein the access request information is initiated by a target object at a terminal device and has passed verification by the gateway device;
And the first response unit is used for responding to the access request information in response to determining that the authority verification of the access request information is passed.
10. An apparatus for verifying access rights, applied to a gateway device, the apparatus comprising:
the second receiving unit is used for receiving access request information initiated by the target object at the terminal equipment;
the analysis unit is used for analyzing the access request information to obtain request header information of the access request information;
and the sending unit is used for sending the access request information to a corresponding server in response to the fact that the token information exists in the request header information and accords with the token data format specified by the preset token requirement, so that the server can verify the authority of the access request information.
CN202410232060.XA 2024-02-29 2024-02-29 Access right verification method and device Pending CN118118238A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410232060.XA CN118118238A (en) 2024-02-29 2024-02-29 Access right verification method and device

Publications (1)

Publication Number Publication Date
CN118118238A true CN118118238A (en) 2024-05-31

Family

ID=91211687

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination