CN1858738A - Method and device for access data bank - Google Patents

Method and device for access data bank Download PDF

Info

Publication number
CN1858738A
CN1858738A CNA2006100076097A CN200610007609A CN1858738A CN 1858738 A CN1858738 A CN 1858738A CN A2006100076097 A CNA2006100076097 A CN A2006100076097A CN 200610007609 A CN200610007609 A CN 200610007609A CN 1858738 A CN1858738 A CN 1858738A
Authority
CN
China
Prior art keywords
database
client
unit
operation requests
accessing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2006100076097A
Other languages
Chinese (zh)
Other versions
CN1858738B (en
Inventor
徐永胜
姜琰祥
曹振峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2006100076097A priority Critical patent/CN1858738B/en
Publication of CN1858738A publication Critical patent/CN1858738A/en
Application granted granted Critical
Publication of CN1858738B publication Critical patent/CN1858738B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

This invention relates to a method and a device for accessing database, in which, said method includes: A, verifying the validity of a request for accessing the database by a received customer end and sending the legal operation request to the database and records said operation request, B, the database operates the received operation request and feeds back the result to the customer end, said device includes: a database customer end inserts a data access agent as the tool for accessing the database and packages the operation request to it, a unified certification and journal unit connected with the access agent of the customer end of the database used in drafting a safety strategy, a journal strategy and /or alarm strategy and alarms when abnormal events happen, a database connected with the customer end for storing data of user relations.

Description

Database Accessing Methods and device
Technical field
The present invention relates to database technology, particularly relate to a kind of Database Accessing Methods and device.
Background technology
Development along with society, lot of data need store, data to storage, using certain data access method according to requirements of different users handles, described database is a kind of technology that adapts to this demand, briefly, database is that data can be preserved lastingly with a kind of, and the data acquisition of can operated mode preserving.Database Systems comprise that by a database and environment on every side its user of software, operating system, hardware and use forms.For make the user can have access to easily database (such as, user need inquire about the data in the database, add, operation such as deletion, modification), database needs data to carry out control corresponding.Wherein, database mainly comprises the control function of data: 1) data integrity control is meant correctness, the validity of storing data; 2) data security control is meant that protected data do not used, do not cause divulging a secret of data by illegal person; 3) the concurrent control of data is meant multi-user's concurrent operations is controlled and coordinated; 4) data recovery function is meant the conversion that database is returned to a certain known correct status from a certain error condition.
The architecture of described Database Systems is total frameworks of Database Systems.Although the actual database software product is of a great variety, the database language of use is different, and fundamental operation system difference, most Database Systems all have the architectural feature of three-level schema on general structure.That is: external schema, pattern, internal schema.Wherein, described external schema claims subpattern or user model again, is the subclass of pattern, is the local logic structure of data, also is the Data View that database user is seen; Described pattern claims logical schema again, is the global logic structure of all data in the database and the description of characteristic, also is all users' common data view; Described internal schema claims memory module again, is the internal representations of data in Database Systems, the i.e. description of the physical arrangement of database and storage mode.
Please refer to Fig. 1, for using the logical schematic of the client terminal accessing database of database at present.Its access process is: at first determine the connection parameter of associated databases, as data library name, URL(uniform resource locator) (URL) and user's name etc.; Connecting parameter by the database that obtains then sets up and being connected of this database; The 3rd, then be demand encapsulation SQL (Structured Query Language (SQL)) statement according to the Database Systems accessing operation, carry out the SQI statement after encapsulating then, return result.
Specifically shown in Figure 1, use the application program 101 (comprising application program 1,2 and 3) of database client 10 to identify (database user) accessing database 2, and carry out corresponding operating, such as SQL (Structured Query Language (SQL)) statement by external schema.Wherein, described external schema (database user) sign comprises: user name, password etc. are the signs of applications accessing database system, can carry out the encryption of certain mode to it, with guarantee user name, password is unlikely leaks.And purview certification system 201 is set in database 20, in order to checking user's legitimacy and rights of using etc., simultaneously, the user also is set in database allows table or the Data View 202 seen, and other data of forbidding not returning this external schema in disabled user's accessing database and being allowed.
Aforesaid way is for large-scale application system such as mobile communication, bank, when making up Database Systems, can use unified external schema to set up the data model of system, the personnel of all application clients and maintenance system all use this pattern or the littler external schema of authority to come operating database (SQL statement), as list of modification structure, the data of inquiry correlation table and the data of list of modification etc.But for these operations, the change to inquiry, change and the list structure of client ip address, privacy of user correlation table in the present this Database Accessing Methods is not all write down, safety certification and alarm triggered mechanism.Therefore there is following defective in disclosed disclosed technical scheme at present:
1) can't follow the tracks of the operation (SQL statement) of database, and uncontrollable.That is to say be difficult to determine when certain user takes place the destructive procedure (SQL statement) of database, and login up from any station terminal, concrete user be who etc.;
2) in abnormal operation (SQL statement to database, as revise list structure, delete list, deletion storing process etc.) when taking place, the system manager can't in time be known, cause safeness of Data Bank (at application) to reduce greatly, may cause using application system (as BOSS support system, the banking system etc.) paralysis of this database, increase the difficulty of the maintenance management of database simultaneously greatly.
Summary of the invention
The technical matters that the present invention solves provides a kind of Database Accessing Methods and device, is not controlled and problem that can not follow the tracks of with the request that solves accessing database in the present technical scheme; And can not prevent, and the problem that can not fully be ensured to safety of data.
For addressing the above problem, the invention provides a kind of Database Accessing Methods, it is characterized in that, comprise step:
The legitimacy of A, checking received client-access database manipulation request, and legal operation requests sent to database, write down described operation requests simultaneously;
B, database are handled the operation requests that receives, and result are returned client.
The checking of the legitimacy of operation requests described in the steps A is finished by calling security certification system by the data access agency.
The operation requests that described security certification system will meet the security alarm strategy sends to warning system as alarm event, and the reporting system keeper.
Described legitimacy is to measure according to the safety certification strategy that pre-establishes, and described safety certification strategy comprises: the legitimacy of authority, the validity of request and attack are checked.
The process of the described operation requests of record is in the steps A: data access proxy call log system, described log system carries out record according to the daily record rank to described operation requests.
The operation requests that described log system will meet daily record warning strategy sends to warning system as alarm event, and the reporting system keeper.
Among the step B result being returned the client path is: database directly feeds back result client or by the data access agency result is fed back client.
In addition, the present invention also provides a kind of device of accessing database, and described device comprises:
Database client is used to send the database manipulation request;
Safety certification unit is used for the legitimacy of authentication-access database manipulation request, and corresponding warning strategies is set, and the incident that meets warning strategies is sent alarm;
The log record unit is used for all operations request of record access database, and corresponding warning strategies is set, and the incident that meets warning strategies is sent alarm;
Database, the data that are used to store customer relationship, and the database manipulation request of handling fed back to database client;
The data access agent unit, link to each other respectively with database with database client, safety certification unit, log record unit, be used to receive the database manipulation solicited message that sends with database client, and call the legitimacy that safety certification unit is verified described operation requests information, legal operation requests information is sent to database; And call all operations solicited message that the log record unit record receives.
Described data access agent unit is embedded into database client, is used for the instrument of client-access database, and to the operation requests in its encapsulation of data storehouse.
Described device also comprises Alarm Unit, links to each other respectively with the log record unit with safety certification unit, is used for the alarm event reporting system keeper about Database Systems that safety certification unit and log record unit are sent.
In addition, the present invention provides a kind of device of accessing database again, and described device comprises:
Database client, this client embed data access agency, are used for the instrument of client-access database, and to the operation requests in its encapsulation of data storehouse;
Unified certification and log unit link to each other with the data access agency of database client, be used for unified security strategy, daily record strategy and/or the warning strategies of formulating data access, and send alarm when anomalous event;
Database links to each other with database client, is used to store the data of customer relationship.
Described device also comprises Alarm Unit, links to each other with unified certification and log unit, is used for the alarm event reporting system keeper about Database Systems that unified certification and log unit are sent.
At last, the present invention provides a kind of device of accessing database again, and described device comprises:
Database client, be embedded in data access agency, safety certification and log record in this client, be used for the operation requests information of database is encapsulated in the data access agency, and unified security strategy, daily record strategy and/or the warning strategies of formulating data access, and when anomalous event, send alarm;
Database links to each other with database client, is used to store the data of customer relationship;
Described device also comprises Alarm Unit, links to each other with database client, is used for the alarm event reporting system keeper about Database Systems that database client is sent.
Compared with prior art, the present invention has following beneficial effect: the present invention is by being provided with the data access agency between client and database, be used to intercept and capture the database manipulation request that client sends, and the accessing operation request (SQL statement) of database is all verified its legitimacy according to corresponding security strategy; Simultaneously, the database operation requests is carried out record according to corresponding log record strategy, when data of database is destroyed, can track the saboteur; When the Database Systems of all-access unusual request (SQL statement) incident is arranged the time, all can be by security alarm strategy, the daily record warning strategies that is provided with, anomalous event is sent to Alarm Unit, the timely reporting system keeper of described Alarm Unit (DBA), so that the system manager supervises client-access control data of database situation, and abnormal conditions are in time handled it and safeguard, improve safeness of Data Bank.In addition, (client requests (SQL) of coming as certain IP address will be under an embargo etc., and shielding is to the attack of database by corresponding attack protection strategy is set.Through safety certification the security strategy of system is distributed different authorities to different clients, even if use the same user model of database, also can limit its classification access request to database.Database user as the BOSS application system is BOSS; client is all logined this database with BOSS; but through safety certification system is provided with corresponding strategy, and the SQL statement that promptly meets some condition is authorized to or the security that action comes the protected data storehouse such as forbids.Therefore, the operation requests of all-access database all is controlled, traceable.Because scheme of the present invention is only monitored the operation requests (SQL statement) of client, and the database that protect is not had any overhead.
Description of drawings
Fig. 1 is the logical schematic of accessing database in the prior art;
Fig. 2 is the process flow diagram of Database Accessing Methods of the present invention;
Fig. 3 is the sequential synoptic diagram of Database Accessing Methods of the present invention;
Fig. 4 is the logical organization synoptic diagram of the device of accessing database of the present invention;
Fig. 5 is a kind of embodiment of the device of accessing database of the present invention;
Fig. 6 is another embodiment of the device of accessing database of the present invention;
Fig. 7 is another embodiment of the device of accessing database of the present invention;
Fig. 8 is the another kind of embodiment of the device of accessing database of the present invention.
Embodiment
Core of the present invention is between database client and database, and a data access agent is set, and is used to intercept and capture all accessing operation requests to database; Described data access proxy call security certification system checking client sends the legitimacy of database access operation requests, simultaneously, the database access operation requests that database client is sent sends to log system, described log system to the database accessing operation request carry out record, when data of database is destroyed, can track the saboteur.In addition, the present invention can also can be provided with corresponding warning strategies at described security certification system and log system, and the abnormal operation request that will meet warning strategies sends to warning system as alarm event, warning system in time sends to system manager (DBA) with this incident, so that the system manager is in time known relevant abnormalities, this database is in time safeguarded, improved safeness of Data Bank.
The present invention is described further below in conjunction with accompanying drawing.
See also Fig. 2, be the process flow diagram of Database Accessing Methods of the present invention, described method comprises step:
Step S11: verify the legitimacy of received client-access database manipulation request, and legal operation requests is sent to database, write down described operation requests simultaneously;
Step S12: database is handled the operation requests that receives, and result is returned client.
Database client sends the operation requests (being SQL statement) of accessing database; After the data access agency receives described client's operation requests (being SQL statement), at first resolve this SQL statement, and call security certification system, whether the operation requests of authentication-access database is legal, the judgement of described legitimacy is to measure according to the strategy that security certification system pre-establishes, wherein, described strategy comprises: the validity of authority legitimacy, request and attack inspection etc.; But described strategy is not limited to that disclosed these are several, can also formulate other strategy accordingly according to actual needs.The present invention is the security strategy of system through safety certification, can distribute different rights of using to different clients, even if use the same user model of database, also can limit its classification access request to database.Database user such as the BOSS application system is BOSS; client is all logined this database with BOSS; but through safety certification system is provided with corresponding strategy, and the SQL statement that promptly meets some condition is authorized to or the security that action comes the protected data storehouse such as forbids.
Described security certification system will be verified feedback data access agent as a result; Simultaneously, the operation requests (being SQL statement) that security certification system will meet the security alarm strategy sends to warning system as alarm event, so that system manager (DBA) in time knows, prevents trouble before it happens.
The checking of the feedback that receives as described data access agency is as a result the time, and the result makes corresponding processing according to this checking, if that is: verify that this operation requests is an illegal request, does not then allow accessing database, and this result is directly fed back to client; If this operation requests is a legitimate request, the operation requests (SQL statement) of the accessing database that described data access agency is all with database client all sends to log system and carries out record, when data of database is destroyed, can track the saboteur according to record.Described log system carries out record according to the daily record rank to the accessing operation request, and the accessing operation request that will meet the daily record warning strategies sends to warning system as alarm event, with timely reporting system keeper (DBA).Simultaneously, described data access agency sends to database with all legal operation requests of client, described database is handled the operation requests that receives, and the result that will handle directly feeds back to database client, perhaps by the data access agency result fed back to database client.In addition, in above-mentioned implementation procedure, described data access agency will legal operation requests sends to process that database handles and operation requests with all clients transmissions and sends to the process that log system writes down and walk abreast, and the two is independent of each other.The sequential chart of the implementation procedure of its described method specifically sees Fig. 3 for details.
Also please refer to Fig. 4, be the logical organization synoptic diagram of the device of accessing database of the present invention.Described device comprises: database client 11, data access agent unit 12, safety certification unit 13, log record unit 14 and database 15.In addition, described device can also comprise Alarm Unit 16.
Wherein, described database client 11, it is the client of wanting accessing database, be the main user of database 15, send database manipulation request (SQL statement) by it, described database manipulation request mainly comprises: operation requests such as data query language DQL, data manipulation language (DML) DML, data definition language (DDL) DDL, data control language (DCL) DCL.Client described below all refers to database client.
Described data access agent unit 12, link to each other with database client 11, safety certification unit 13, log record unit 14 and database 15 respectively, be used for the database manipulation solicited message that the interception database client sends, and call the legitimacy of security certification system verification operation request according to corresponding security strategy, if security certification system thinks that this operation requests is illegal, just do not meet the security strategy that pre-establishes, then the data access agency directly will verify return data storehouse client as a result; If this operation requests is legal, then all operation requests is sent to log system and carry out record.Simultaneously, legal operation requests is sent to database.Wherein, 12 of described data access agent units are intercepted and captured the SQL statement that client sends, (be that client visits database by this data access of visit earlier agency, rather than direct accessing database), and resolve the SQL statement received, obtain the operation which kind of type is this SQL statement be, visit be which the table etc., these information are bases that security strategy and warning strategies are set.The principle of described security strategy and warning strategies setting is just made certain action at the request that meets certain condition, and this has been a known technology for a person skilled in the art, no longer describes at this.Described data access agent unit 12 is indifferent to returning of database processing result, that is to say, database processing result can directly return to database client 11 without data access agent unit 12; Also result can be fed back to data access agent unit 12 earlier, be transmitted to database client 11 (as shown in phantom in Figure 4) by data access agent unit 12 again.
In addition, data access agent unit 12 of the present invention and present middleware Technology (such as the AS of CICS, the ORACLE of TUXEDO, the IBM of BEA, the middleware systems such as MIDAS of DEPHI) are different on framework, in described middleware Technology, the parts of its similar data access agent functionality are mainly used in the otherness between the shielding multisystem, accomplish transparent transmission, and process processing accordingly making request package and returning Bao Jun.And data access agent unit of the present invention mainly is an intercepted data storehouse operation requests, and it is carried out safety certification and log record, and and be indifferent to the real result of returning of database, promptly do not carry out any processing and handle returning bag.
Described safety certification unit 13 is connected with data access agent unit 12 and/or Alarm Unit 16 respectively, is the legitimacy according to the security strategy authentication-access database manipulation request of system's setting.Described security strategy sets in advance, and concrete strategy is the difference according to application system, and it is provided with also different.Such as being provided with of, security strategy can be unallowed to the inquiry of which table according to the client of which IP address; Client except certain IP address is to delete, to change the strategies such as structure of all tables.Simultaneously, described safety certification unit 13 also can be provided with corresponding warning strategies, and the operation requests incident that will meet warning strategies is sent alarm to Alarm Unit 16; Also can refuse simultaneously this operation requests (SQL statement).When described warning strategies can be meant the data of certain table of client query of certain unknown IP address, notify certain system manager by note system, or situation such as denied access, safety certification unit can be accomplished obviate like this.
Described log record unit 14, be connected with data access agent unit 12 and/or Alarm Unit 16 respectively, all database manipulation solicited messages that data access agent unit 12 is sended over all write down separate, stored, the mode of described storage can be that database, file system, flash memory or internal memory are stored etc., but is not limited to this several modes.Described log unit also can be provided with corresponding warning strategies simultaneously, and (it is provided with principle with the warning strategies of safety certification unit is identical, but can only be to alarm here afterwards, because the record of 14 pairs of SQL statement of log unit is to walk abreast with the execution of this SQL statement at database), and the incident that meets warning strategies sent alarm to Alarm Unit 16.
Described database 15, respectively with the database of being monitored by this data access agent unit 12, it is storing the data of the real relation of user; And the database manipulation request of handling fed back to database client; Or the operation requests of handling fed back to data access agent unit 12 earlier, described data access agent unit returns to database client 11 in the feedback result that will receive.
Described device can also comprise Alarm Unit 16, and described Alarm Unit 16 links to each other respectively with log record unit 14 with safety certification unit 13, and described Alarm Unit 16 is to be provided with according to the needs of application system.Be used for to receive the alarm event reporting system keeper (DBA) that safety certification unit 13 and log unit 14 are sent, be convenient to the system manager and in time know, prevent trouble before it happens about Database Systems.Wherein, described Alarm Unit 16 can come the reporting system keeper by note, voice or Email.
In addition, in said apparatus, described data access agent unit 12 can be embedded into database client 11, as the instrument of personnel's accessing database of final use database, and on the database client 11 that embeds data access agent unit 11 operation requests of encapsulation all-access database.
In addition, described database client 11 and data access agent unit 12 are divisions in logic, can separate in actual applications, also can be compatibility together.Described safety certification unit 13 and log record unit also are divisions in logic, can separate in actual applications, also can compatibility together.Its concrete implementation procedure also please refer to following specific embodiment.
Please refer to Fig. 5, for being a kind of embodiment of the device of accessing database of the present invention.Described device comprises: database client 21, unified certification and log unit 22 and database 23.Described device can also comprise Alarm Unit 24, and wherein said Alarm Unit is that example illustrates with note subelement 241.
Described database client 21 embeds data access agency 211 in client, as the instrument of the personnel's of final use database accessing database, and to the operation requests in its encapsulation of data storehouse.
Described unified certification and log unit 22, link to each other with the data access agency 211 of database client 21, comprise safety certification subelement 221 and log record subelement 222, and unified security strategy, daily record strategy and/or the warning strategies of formulating data access, alarm sent to the note subelement 241 in the warning system 24 when anomalous event is arranged, described note subelement 241 sends to system manager (DBA) with alarm.The present invention determines by security strategy whether the operation requests (SQL statement) of this database can continue; Determine by warning strategies whether whether the operation requests (SQL statement) of this database notifies the related personnel, know such as system manager DBA; By daily record strategy record the operation requests (SQL statement) of client-access database is arranged more,, when data of database is destroyed, can track the saboteur so that the visit of system is followed the tracks of.
Described database 23 links to each other with database client 21, is used to store the data of customer relationship.
All use the personnel of this database client 21 at first to carry out secure log, this moment unified certification unit 22 need to write down, the legitimacy of the uniqueness sign (as host name, IP address, MAC Address and login username etc.) of checking client process place main frame, and will verify that the result feeds back to the data access agency 211 of database client 21, described data access agency 211 sends to database 23 with legal database manipulation request (SQL statement) and handles, simultaneously, data access agency 211 calls the log record unit and carries out record.After database 23 is finished dealing with, with result return data storehouse client 21.Wherein the processing request of the record of daily record and database walks abreast, and that is to say, the success of log record and failure and database do not have any relation to the result of client-requested.
Therefore, the characteristics of embodiment of the present invention can be used for the application system maintenance in large database application system (such as fields such as communication, banks), because this system generally is to use identical user model, are safeguarded jointly by many people; In addition, all database manipulations (SQL statement) have been encapsulated at database client 21, to substitute general database client, intercepted and captured all database manipulation requests (SQL statement) of using this client simultaneously, and this operation requests is sent to unified certification unit 22 authenticated and record; Described unified certification and log unit 22 according to the warning strategies that sets in advance, are alarmed the abnormal operation request (SQL statement) that database 23 receives, and make the system manager in time know relevant abnormalities.Therefore, present embodiment can be avoided randomness, the non-trackability of database maintenance basically, thereby has improved safeness of Data Bank.
Please refer to Fig. 6 again, for being another embodiment of the device of accessing database of the present invention.Described device comprises: database client 31, safety certification unit 32 and log record unit 33 and database 34.Described device can also comprise Alarm Unit 35, and wherein said Alarm Unit is that example illustrates with note subelement 351.
In described database client 31 processes are embedded in data access agency 311,, and it all operation requests to database have been encapsulated as the instrument of the personnel's of final use database accessing database; All use the personnel of this database client 31 at first to carry out secure log, this moment, safety certification unit 32 needed the uniqueness sign (as host name, IP address, MAC Address and login username etc.) of database of record client 31 process place main frames, and then carried out follow-up database manipulation request (SQL statement); The operation requests (SQL statement) of 32 pairs of database clients 31 of safety certification unit is verified simultaneously, and operation requests (SQL statement) is refused according to being provided with of security strategy, or when anomalous event is arranged, operation requests (SQL statement) is alarmed according to being provided with of warning strategies.And alarm sent to note subelement 251 in the Alarm Unit 25, described note subelement 251 sends to system manager (DBA) with alarm.
All database manipulation requests (SQL statement) send to database 34 and handle through after authenticating, and carry out record simultaneously.After database 34 is finished dealing with, result is returned to database client 31.Described log record unit 33 is by daily record strategy database of record operation requests (SQL statement), so that the visit of system is followed the tracks of.Wherein, the processing request of the record of described daily record and database walks abreast, and that is to say, the success of log record and failure and database do not have any relation to the result of client-requested.
Therefore, present embodiment and the foregoing description (as shown in Figure 4) are basic identical, and its difference is that safety certification unit and log record unit are respectively unit independently.Its characteristics are identical with the characteristics of the foregoing description, see for details above-mentionedly, do not repeat them here.
Also please refer to Fig. 7, is another embodiment of the device of described accessing database for the present invention.Described device comprises: database client 41 and database 42.Described device can also comprise Alarm Unit 43, and wherein said Alarm Unit is that example illustrates with note subelement 431.
The present invention is packaged into the Fat Client database client of security control (promptly with) with database client 41, data access is acted on behalf of unit such as subelement 411, safety certification subelement 412, log record subelement 413 and all is encapsulated into together; Unified security strategy, daily record strategy and/or the warning strategies of formulating data access sends to alarm when anomalous event is arranged in the note subelement 431 of Alarm Unit 43, and described note subelement 431 sends to system manager (DBA) with alarm.The present invention determines by security strategy whether this operation requests (SQL statement) can continue; Determine by warning strategies whether this operation requests (SQL statement) notifies related personnel such as system manager DBA to know; By the operation requests (SQL statement) of daily record strategy record all-access database, so that can follow the tracks of to the visit of system.
All use the personnel of this database client 41 at first to carry out secure log, this moment safety certification subelement 412 need to write down, the legitimacy of the uniqueness sign (as host name, IP address, MAC Address and login username etc.) of checking client process place main frame, and then carry out follow-up database manipulation request (SQL statement); All database manipulation requests (SQL statement) send to database 42 and handle through after authenticating, and carry out record at log record subelement 413 simultaneously.After database place 42 reasons are finished, result is returned to client.Wherein, the processing request of the record of daily record and database walks abreast, and that is to say, the success of log record and failure and database do not have any relation to the result of client-requested.
Therefore, present embodiment and the foregoing description (as shown in Figure 4) are basic identical, and its difference part is that unit such as data access agency, safety certification, log record all are encapsulated in the database client process.Its characteristics are identical with the characteristics of the foregoing description, specifically see for details above-mentionedly, do not repeat them here.In addition, the deployment of present embodiment is comparatively convenient.
Please refer to Fig. 8 at last, is the another kind of embodiment of the device of described accessing database for the present invention.Described device comprises: database client 51, data access agent unit 52, unified certification and log unit 53 and database 54.Wherein said unified certification and log unit 53 comprise: safety certification subelement 531 and log record subelement 532.Described device can also comprise Alarm Unit 55, and wherein said Alarm Unit 55 is that example illustrates with note subelement 551.
Described database client 51 is used to send the database manipulation request.Described data access agent unit 52, link to each other respectively with database 53 with database client 51, unified certification and log unit 52, be used to receive the database manipulation solicited message that sends with database client 51, and call the legitimacy that safety certification subelement 531 is verified received operation requests information, legal operation requests information is sent to database 53; And the operation requests of database is sent to log record subelement 532 carry out record.Described unified certification and log unit 53 link to each other with data access agent unit 52 with database client 51, be used for unified security strategy, daily record strategy and/or the warning strategies of formulating data access, and send alarm when anomalous event.Described database 54 links to each other with database client 51, is used to store the data of customer relationship.Described device also comprises Alarm Unit 55, links to each other with unified certification and log unit 53, be used for unified certification and log unit send about the alarm event of Database Systems by note subelement 551 reporting system keepers.Its concrete realization sees for details above-mentioned, does not repeat them here.
The above only is a preferred implementation of the present invention; should be pointed out that for those skilled in the art, under the prerequisite that does not break away from the principle of the invention; can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (14)

1, a kind of Database Accessing Methods is characterized in that, comprises step:
The legitimacy of A, checking received client-access database manipulation request, and legal operation requests sent to database, write down described operation requests simultaneously;
B, database are handled the operation requests that receives, and result are returned client.
According to the described Database Accessing Methods of claim 1, it is characterized in that 2, the checking of the legitimacy of operation requests described in the steps A is finished by calling security certification system by the data access agency.
According to the described Database Accessing Methods of claim 2, it is characterized in that 3, the operation requests that described security certification system will meet the security alarm strategy sends to warning system as alarm event, and the reporting system keeper.
4, according to claim 1 or 2 described Database Accessing Methods, it is characterized in that, described legitimacy is to measure according to the safety certification strategy that pre-establishes, and described safety certification strategy comprises: the legitimacy of authority, the validity of request and attack are checked.
According to the described Database Accessing Methods of claim 1, it is characterized in that 5, the process of the described operation requests of record is in the steps A: data access proxy call log system, described log system carries out record according to the daily record rank to described operation requests.
According to claim 1 or 5 described Database Accessing Methods, it is characterized in that 6, the operation requests that described log system will meet daily record warning strategy sends to warning system as alarm event, and the reporting system keeper.
7, according to the described Database Accessing Methods of claim 1, it is characterized in that, among the step B result is returned the client path and be: database directly feeds back result client or by the data access agency result is fed back client.
8, a kind of device of accessing database comprises:
Database client is used to send the database manipulation request;
Safety certification unit is used for the legitimacy of authentication-access database manipulation request, and corresponding warning strategies is set, and the incident that meets warning strategies is sent alarm;
The log record unit is used for all operations request of record access database, and corresponding warning strategies is set, and the incident that meets warning strategies is sent alarm;
Database, the data that are used to store customer relationship, and the database manipulation request of handling fed back to database client;
It is characterized in that described device also comprises:
The data access agent unit, link to each other respectively with database with database client, safety certification unit, log record unit, be used to receive the database manipulation solicited message that sends with database client, and call the legitimacy that safety certification unit is verified described operation requests information, legal operation requests information is sent to database; And call all operations solicited message that the log record unit record receives.
9, the device of described accessing database according to Claim 8 is characterized in that described data access agent unit is embedded into database client, is used for the instrument of client-access database, and to the operation requests in its encapsulation of data storehouse.
10, according to Claim 8 or the device of 9 described accessing databases, it is characterized in that, described device also comprises Alarm Unit, link to each other respectively with the log record unit with safety certification unit, be used for the alarm event reporting system keeper that safety certification unit and log record unit are sent about Database Systems.
11, a kind of device of accessing database is characterized in that, comprising:
Database client, this client embed data access agency, are used for the instrument of client-access database, and to the operation requests in its encapsulation of data storehouse;
Unified certification and log unit link to each other with the data access agency of database client, be used for unified security strategy, daily record strategy and/or the warning strategies of formulating data access, and send alarm when anomalous event;
Database links to each other with database client, is used to store the data of customer relationship.
12, according to the device of the described accessing database of claim 11, it is characterized in that, described device also comprises Alarm Unit, links to each other with unified certification and log unit, is used for the alarm event reporting system keeper about Database Systems that unified certification and log unit are sent.
13, a kind of device of accessing database is characterized in that, comprising:
Database client, be embedded in data access agency, safety certification and log record in this client, be used for the operation requests information of database is encapsulated in the data access agency, and unified security strategy, daily record strategy and/or the warning strategies of formulating data access, and when anomalous event, send alarm;
Database links to each other with database client, is used to store the data of customer relationship;
According to the device of the described accessing database of claim 13, it is characterized in that 14, described device also comprises Alarm Unit, link to each other, be used for the alarm event reporting system keeper that database client is sent about Database Systems with database client.
CN2006100076097A 2006-02-15 2006-02-15 Method and device for access data bank Active CN1858738B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100076097A CN1858738B (en) 2006-02-15 2006-02-15 Method and device for access data bank

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006100076097A CN1858738B (en) 2006-02-15 2006-02-15 Method and device for access data bank

Publications (2)

Publication Number Publication Date
CN1858738A true CN1858738A (en) 2006-11-08
CN1858738B CN1858738B (en) 2010-08-25

Family

ID=37297647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006100076097A Active CN1858738B (en) 2006-02-15 2006-02-15 Method and device for access data bank

Country Status (1)

Country Link
CN (1) CN1858738B (en)

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101763593A (en) * 2009-12-17 2010-06-30 中国电力科学研究院 Method and device for realizing audit log of system
CN101833620A (en) * 2010-04-28 2010-09-15 国网电力科学研究院 Custom security JDBC driver-based database protective method
CN101930434A (en) * 2009-06-19 2010-12-29 深圳市守望网络技术有限公司 Cell security mode based database access security method and system
CN102195795A (en) * 2010-03-19 2011-09-21 Tcl集团股份有限公司 Intelligent district log system and log recording method thereof
CN102654864A (en) * 2011-03-02 2012-09-05 华北计算机系统工程研究所 Independent transparent security audit protection method facing real-time database
CN101515931B (en) * 2009-03-24 2012-09-19 北京理工大学 Method for enhancing the database security based on agent way
CN101874249B (en) * 2007-11-30 2012-10-03 株式会社富士通Bsc Security management program, security management method, and portable terminal
CN102722667A (en) * 2012-03-07 2012-10-10 甘肃省电力公司信息通信公司 Database security protection system and method based on virtual databases and virtual patches
CN102750357A (en) * 2012-06-12 2012-10-24 苏州微逸浪科技有限公司 Event data processing method based on heterogeneous data base
CN102801699A (en) * 2011-12-28 2012-11-28 北京安天电子设备有限公司 System, method and equipment for preventing data tampering of server
CN101739422B (en) * 2008-11-05 2013-12-18 深圳迪贝守望信息技术有限公司 Method and system for controlling access to front-end database based on database protocol proxy
CN103905464A (en) * 2014-04-21 2014-07-02 西安电子科技大学 Network security strategy verification system and method on basis of formalizing method
CN104166812A (en) * 2014-06-25 2014-11-26 中国航天科工集团第二研究院七〇六所 Database safety access control method based on independent authorization
CN104424447A (en) * 2013-09-02 2015-03-18 中国移动通信集团四川有限公司 Method and device for creating database firewalls
CN104504014A (en) * 2014-12-10 2015-04-08 无锡城市云计算中心有限公司 Data processing method and device based on large data platform
CN104899278A (en) * 2015-05-29 2015-09-09 北京京东尚科信息技术有限公司 Method and apparatus for generating data operation logs of Hbase database
CN105279169A (en) * 2014-06-26 2016-01-27 中兴通讯股份有限公司 Database operation processing method and apparatus
CN105429826A (en) * 2015-12-25 2016-03-23 北京奇虎科技有限公司 Fault detection method and device for database cluster
CN105447408A (en) * 2015-12-03 2016-03-30 曙光信息产业(北京)有限公司 Data protection method and apparatus
CN105512569A (en) * 2015-12-17 2016-04-20 浪潮电子信息产业股份有限公司 Database security reinforcing method and device
CN106021335A (en) * 2016-05-06 2016-10-12 北京奇虎科技有限公司 A database accessing method and device
CN107741948A (en) * 2017-09-01 2018-02-27 郑州云海信息技术有限公司 A kind of database alarm method, device and terminal
CN109413111A (en) * 2018-12-21 2019-03-01 郑州云海信息技术有限公司 A kind of security access system and method based on wisdom data center
CN109828983A (en) * 2018-12-15 2019-05-31 平安科技(深圳)有限公司 PG data base processing method, device, electronic equipment and storage medium
CN109934011A (en) * 2019-03-18 2019-06-25 国网安徽省电力有限公司黄山供电公司 A kind of data safety partition method applied to O&M auditing system
CN110457944A (en) * 2019-08-02 2019-11-15 爱友智信息科技(苏州)有限公司 A kind of data sharing method and system
CN110995657A (en) * 2019-11-11 2020-04-10 广州市品高软件股份有限公司 Data access method, server and system based on data label
CN111092910A (en) * 2019-12-30 2020-05-01 深信服科技股份有限公司 Database security access method, device, equipment, system and readable storage medium
CN112231733A (en) * 2020-10-29 2021-01-15 刘秀萍 MAC protection enhancement system of object proxy feature database
CN112632171A (en) * 2020-12-30 2021-04-09 中国农业银行股份有限公司 Interception auditing method and system for data access
CN112769739A (en) * 2019-11-05 2021-05-07 中国移动通信集团安徽有限公司 Database operation violation processing method, device and equipment
CN112817833A (en) * 2021-01-20 2021-05-18 中国银联股份有限公司 Method and device for monitoring database
CN113919000A (en) * 2021-12-16 2022-01-11 北京交研智慧科技有限公司 User database management method and device
CN114385594A (en) * 2022-01-12 2022-04-22 未鲲(上海)科技服务有限公司 Method, device, equipment and storage medium for managing data modification process
CN115906178A (en) * 2022-12-23 2023-04-04 星环信息科技(上海)股份有限公司 Database management method, data subscription end and data publishing end

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101874249B (en) * 2007-11-30 2012-10-03 株式会社富士通Bsc Security management program, security management method, and portable terminal
CN101739422B (en) * 2008-11-05 2013-12-18 深圳迪贝守望信息技术有限公司 Method and system for controlling access to front-end database based on database protocol proxy
CN101515931B (en) * 2009-03-24 2012-09-19 北京理工大学 Method for enhancing the database security based on agent way
CN101930434A (en) * 2009-06-19 2010-12-29 深圳市守望网络技术有限公司 Cell security mode based database access security method and system
CN101763593A (en) * 2009-12-17 2010-06-30 中国电力科学研究院 Method and device for realizing audit log of system
CN102195795A (en) * 2010-03-19 2011-09-21 Tcl集团股份有限公司 Intelligent district log system and log recording method thereof
CN101833620A (en) * 2010-04-28 2010-09-15 国网电力科学研究院 Custom security JDBC driver-based database protective method
CN102654864A (en) * 2011-03-02 2012-09-05 华北计算机系统工程研究所 Independent transparent security audit protection method facing real-time database
CN102801699A (en) * 2011-12-28 2012-11-28 北京安天电子设备有限公司 System, method and equipment for preventing data tampering of server
CN102801699B (en) * 2011-12-28 2015-07-29 北京安天电子设备有限公司 The system preventing server data from distorting, method and apparatus
CN102722667A (en) * 2012-03-07 2012-10-10 甘肃省电力公司信息通信公司 Database security protection system and method based on virtual databases and virtual patches
CN102722667B (en) * 2012-03-07 2015-12-02 甘肃省电力公司信息通信公司 Based on the database safeguarding system and method for virtual data base and virtual patch
CN102750357A (en) * 2012-06-12 2012-10-24 苏州微逸浪科技有限公司 Event data processing method based on heterogeneous data base
CN104424447A (en) * 2013-09-02 2015-03-18 中国移动通信集团四川有限公司 Method and device for creating database firewalls
CN103905464B (en) * 2014-04-21 2017-03-01 西安电子科技大学 Network security policy checking system based on formalization method and method
CN103905464A (en) * 2014-04-21 2014-07-02 西安电子科技大学 Network security strategy verification system and method on basis of formalizing method
CN104166812A (en) * 2014-06-25 2014-11-26 中国航天科工集团第二研究院七〇六所 Database safety access control method based on independent authorization
CN104166812B (en) * 2014-06-25 2017-05-24 中国航天科工集团第二研究院七〇六所 Database safety access control method based on independent authorization
CN105279169A (en) * 2014-06-26 2016-01-27 中兴通讯股份有限公司 Database operation processing method and apparatus
CN104504014A (en) * 2014-12-10 2015-04-08 无锡城市云计算中心有限公司 Data processing method and device based on large data platform
CN104504014B (en) * 2014-12-10 2018-03-13 无锡城市云计算中心有限公司 Data processing method and device based on big data platform
CN104899278A (en) * 2015-05-29 2015-09-09 北京京东尚科信息技术有限公司 Method and apparatus for generating data operation logs of Hbase database
CN104899278B (en) * 2015-05-29 2019-05-03 北京京东尚科信息技术有限公司 A kind of generation method and device of Hbase database data operation log
CN105447408A (en) * 2015-12-03 2016-03-30 曙光信息产业(北京)有限公司 Data protection method and apparatus
CN105512569A (en) * 2015-12-17 2016-04-20 浪潮电子信息产业股份有限公司 Database security reinforcing method and device
CN105429826A (en) * 2015-12-25 2016-03-23 北京奇虎科技有限公司 Fault detection method and device for database cluster
CN106021335A (en) * 2016-05-06 2016-10-12 北京奇虎科技有限公司 A database accessing method and device
CN107741948A (en) * 2017-09-01 2018-02-27 郑州云海信息技术有限公司 A kind of database alarm method, device and terminal
CN109828983A (en) * 2018-12-15 2019-05-31 平安科技(深圳)有限公司 PG data base processing method, device, electronic equipment and storage medium
CN109828983B (en) * 2018-12-15 2024-05-07 平安科技(深圳)有限公司 PG database processing method, device, electronic equipment and storage medium
CN109413111A (en) * 2018-12-21 2019-03-01 郑州云海信息技术有限公司 A kind of security access system and method based on wisdom data center
CN109934011A (en) * 2019-03-18 2019-06-25 国网安徽省电力有限公司黄山供电公司 A kind of data safety partition method applied to O&M auditing system
CN110457944A (en) * 2019-08-02 2019-11-15 爱友智信息科技(苏州)有限公司 A kind of data sharing method and system
CN110457944B (en) * 2019-08-02 2023-08-25 爱友智信息科技(苏州)有限公司 Data sharing method and system
CN112769739A (en) * 2019-11-05 2021-05-07 中国移动通信集团安徽有限公司 Database operation violation processing method, device and equipment
CN112769739B (en) * 2019-11-05 2023-08-04 中国移动通信集团安徽有限公司 Database operation violation processing method, device and equipment
CN110995657A (en) * 2019-11-11 2020-04-10 广州市品高软件股份有限公司 Data access method, server and system based on data label
CN111092910A (en) * 2019-12-30 2020-05-01 深信服科技股份有限公司 Database security access method, device, equipment, system and readable storage medium
CN112231733A (en) * 2020-10-29 2021-01-15 刘秀萍 MAC protection enhancement system of object proxy feature database
CN112632171A (en) * 2020-12-30 2021-04-09 中国农业银行股份有限公司 Interception auditing method and system for data access
CN112632171B (en) * 2020-12-30 2024-05-28 中国农业银行股份有限公司 Interception auditing method and system for data access
CN112817833A (en) * 2021-01-20 2021-05-18 中国银联股份有限公司 Method and device for monitoring database
CN113919000A (en) * 2021-12-16 2022-01-11 北京交研智慧科技有限公司 User database management method and device
CN113919000B (en) * 2021-12-16 2022-03-29 北京交研智慧科技有限公司 User database management method and device
CN114385594A (en) * 2022-01-12 2022-04-22 未鲲(上海)科技服务有限公司 Method, device, equipment and storage medium for managing data modification process
CN115906178A (en) * 2022-12-23 2023-04-04 星环信息科技(上海)股份有限公司 Database management method, data subscription end and data publishing end
CN115906178B (en) * 2022-12-23 2024-06-04 星环信息科技(上海)股份有限公司 Database management method, data subscription terminal and data publishing terminal

Also Published As

Publication number Publication date
CN1858738B (en) 2010-08-25

Similar Documents

Publication Publication Date Title
CN1858738A (en) Method and device for access data bank
CN110543464B (en) Big data platform applied to intelligent park and operation method
CN105656903B (en) A kind of user safety management system of Hive platforms and application
US20210209077A1 (en) Communicating fine-grained application database access to a third-party agent
CN103501228B (en) A kind of dynamic two-dimension code token and dynamic two-dimension code command identifying method
US10114970B2 (en) Immutable logging of access requests to distributed file systems
CN111783075B (en) Authority management method, device and medium based on secret key and electronic equipment
CN106487744B (en) Shiro verification method based on Redis storage
US9639678B2 (en) Identity risk score generation and implementation
US20070118534A1 (en) Auditing database end user activity in one to multi-tier web application and local environments
CN108780485A (en) Data set extraction based on pattern match
CN102891840B (en) Based on the Information Security Management System of separation of the three powers and the management method of information security
CN102497374A (en) Off-line available software license centralized security authentication system based on cloud computation, and method of the same
CN101034983A (en) System and method for realizing on-Internet true name of the network access user
CN101030242A (en) Method for controlling database safety access
CN111353151B (en) Vulnerability detection method and device for network application
CN101035135A (en) Digital certificate system applicable to the no/weak local storage client system
CN1464402A (en) User identification confirmation and operation conferring process
CN104504014A (en) Data processing method and device based on large data platform
CN1822590A (en) Securing lightweight directory access protocol traffic
CN110430180A (en) A kind of platform of internet of things and implementation method based on hot plug
CN101833620A (en) Custom security JDBC driver-based database protective method
CN114881469A (en) Performance assessment and management system and method for enterprise workers
CN101540704B (en) Unreliable DBMS malicious intrusion detection system and method
CN113378151A (en) Unified identity authentication system and method based on mimicry structure

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant