KR20150073784A - METHOD for controlling REsource access over the web network of things - Google Patents

Abstract

The present invention relates to a method for controlling a resource access request for physical objects on a web-based data communication network of physical objects. According to an embodiment of the present invention, the method for controlling a resource access of physical objects which are connected to be communicated via a communication network comprises the steps of: receiving an access request for a web resource possessed by the physical objects; checking whether the web resource related to the access request exists or not; determining an access authority to the web resource related to the access request; and performing, when the access authority is verified, the access request for the web resource to return results thereof, wherein the access request includes one of generation, inquiry, and update deletion request for the web resource, and the access authority is determined by using any one of at least one permissive condition, at least one non-permissive condition, and a combination thereof.

Description

METHOD FOR CONTROLLING RESOURCE ACCESS THROUGH WEB NETWORKS BETWEEN OBJECTS < RTI ID = 0.0 >

The present invention relates to a method for controlling a resource access request for an object on a web-based inter-object data communication network. More particularly, the present invention relates to a method and apparatus for generating a resource / It is possible to provide the function of accepting or rejecting the request by judging the access right to the inquiry / change / deletion request.

2. Description of the Related Art In recent years, electronic devices (hereinafter, referred to as objects) equipped with a communication function have been able to perform data communication with other objects even when there is no human intervention, Technologies that can exchange data (such as temperature, humidity, vibration, etc.) of the surrounding environment are highlighted. The concept of technology for wired or wireless communication between such objects is variously referred to as Web of Things (WoT), Machine-to-Machine (M2M), Machine Type Communication (MTC) and Internet-of-Things (IoT) have.

In particular, when an inter-object communication network based on the web (WWW, W3, World Wide Web) is constructed, one object can be configured to use information expressed as a web resource using a conventional web protocol, . In addition, since each web resource can be uniquely identified through a URI (Uniform Resource Indicator), resource information exchange and retrieval between various objects can be facilitated through a public web network. However, at the same time, since each object resource is exposed in the web network, it is necessary to solve the security problem related to resource access authority such as malicious intentional resource access attempts or unintended information leakage.

As a representative resource access authority control scheme in the conventional web network, the access authority is determined through an authorization procedure for confirming user authentication or service function provision. That is, by performing a user authentication (for example, a separate external authentication server check, a social networking service login, or the like) for the resource access request, or presetting the accessible user list and the function in advance, It is a way to grant access to resources.

However, since various resource access requests may occur at the same time in a web communication network between objects, there is a limit in pre-registering a list of users who can access each resource individually. On the other hand, since each object has its own computation capability, networking capability, power supply status, and data storage capability, performing additional user authentication procedures each time a resource access request increases the load on the network and computation processing . In addition, since the change of the object and the resource frequently occurs, it is necessary to reflect the state and ability of the object itself as well as the situation of the other party requesting the resource access in judging whether or not to allow the resource access to the object. There is no known method for this specific access control.

Korean Patent No. 10-1192415 Korea Patent No. 10-1274966

In order to solve the problems of the related art described above, the present invention can accept or reject an access request by judging an access right by using the status and attribute information of a resource or a related object for a web resource access request for an object The present invention is directed to a method of providing a method for providing a user interface.

According to an aspect of the present invention, there is provided a method of controlling resource access between objects connected to each other via a communication network, the method comprising: receiving an access request for a web resource held by an object; Determining an access right to the web resource related to the access request, and if the access right is recognized, requesting access to the web resource and returning the result of the access request; Wherein the access authority includes one of a creation, an inquiry, and an update deletion request for the web resource, the access authority including at least one permissive condition, at least one unacceptable condition, and combinations thereof A resource access control method over a web network is provided.

According to the present invention, since the access request for the object web resource is determined by considering not only the access requesting party but also the attributes and state of the object receiving the request, And further, human intervention can be minimized. In addition, since authority to access web resources can be represented as a separate web resource, it is easy to control authority through standard web communication. Therefore, there is an advantage that a resource access right to an object can be flexibly set by using a basic web protocol without going through a separate pre-authentication and authorization procedure.

Hereinafter, the present invention will be described with reference to the embodiments shown in the accompanying drawings. For the sake of clarity, throughout the accompanying drawings, like elements have been assigned the same reference numerals. It is to be understood that the present invention is not limited to the embodiments illustrated in the accompanying drawings, but may be embodied in many other specific forms without departing from the spirit or essential characteristics thereof.
FIG. 1 is a diagram illustrating a data communication structure formed by using a communication network for an object capable of web communication.
FIG. 2 is an exemplary diagram illustrating information of an object represented by a Web resource structure.
FIG. 3 is a flowchart illustrating an access authority checking procedure for requesting a web resource between objects.
FIG. 4 is a diagram illustrating access authority determination elements illustrated in FIG. 3 as separate web resource types.
FIG. 5 is a diagram illustrating an example of a method of applying the access authority determination element illustrated in FIG.
FIG. 6 is a configuration diagram showing a functional configuration of an object for executing a resource access control method. FIG.
FIG. 7 is a flowchart exemplarily showing a resource access control method performed by the object shown in FIG. 6. FIG.

While the present invention has been described in connection with certain exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and similarities. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

FIG. 1 is a diagram illustrating a data communication structure formed by using a communication network for an object capable of web communication.

Each object 100a, 100b, and 120 represents its information through the communication structure shown in FIG. 1 as a web resource (500 in FIG. 2) and exchanges it through the web communication 200. [ At this time, in the case of an object 120 that does not have direct web communication capability, it may delegate resource information delivery to an intermediary 110, such as a web broker, that can proxy web communications according to the internal protocol 300 have. Here, the internal protocol 300 may be, for example, ZigBee, BlueTooth. The object 100b capable of web communication may perform communication according to the interaction 400 with the person 130. [ Here, the interaction 400 may be, for example, a gesture, a keyboard input, an image, and the like.

FIG. 2 is an exemplary diagram illustrating information of an object represented by a Web resource structure.

Referring to FIG. 2, objects 100a, 100b, and 120 may represent their information as one or more web resources 500 structures. The individual web resources 510 must be given a unique identifiable URI 520 on the web communication network and may be represented by one or more attribute values 530 and one or more subordinate resources 540 . At this time, the structure of the web resource 500 may store or represent the entire web resource structure as a resource structure through hierarchical tag representation such as XML or HTML. Meanwhile, typical examples that can be included in the attribute value 530 include a creation time of a resource, a latest modification time of a resource, an administrator identification string that generated a resource, a maximum number limit of a lower resource, Number of sub-resources, total byte size limit value of the lower resource, and the like.

FIG. 3 is a flowchart illustrating an access authority checking procedure for requesting a web resource between objects.

When one object 100a receives a CRUD (Create: Create, Retrieve: Update: Update: Delete) request for a specific web resource from the other party 100b, the process can proceed in the following order.

At step 305, object 100a receives a request for CRUD of web resources from object 100b. In step 310, the object 100a analyzes the request message to determine whether an unspecified invalid message format or an invalid parameter exists. If an error has occurred, the process proceeds to step 315 where the object 100a returns an error to the object 100b.

If the CRUD request passes through steps 305-310, then at step 320, the object 100a checks if there is a web resource associated with the CRUD request of the object 100b. If the corresponding web resource is not present, at step 325, the object 100a may return an error. For example, in the case of a resource inquiry (Retrieve) / update / delete request, an error may be returned if the corresponding resource does not exist, and in the case of a resource creation request, It can return an error if it already exists.

If the CRUD request passes through steps 320 through 325, then at step 330, the object 100a verifies the access right of the object 100b to that web resource. If, as a result of the check, the CRUD request of the object 100b can not be approved, it may return different errors depending on the reason for disapproval. In step 335, if the permission condition related to the object 100b for which access is requested is not satisfied, the object 100b is notified that there is no access authority. In step 340, if the current status of the object 100a that has access but is requested to access does not allow the request, it may return an error.

At step 335, the object 100a can determine the access right of the object 100b using the access authority determination element illustrated below.

(1) The object 100b is data that can be uniquely identified, for example, a string, video, audio, image, etc.

(2) Data previously agreed between the object 100a and the object 100b, for example, a string, video, audio, image, etc.

(3) An IP address (IPv4, IPv6) of the object 100b, for example, 192.168.0.1

(4) A domain name associated with object 100b, for example, www.etri.re.kr

Here, if the domain name is set to a wildcard character such as *, access requests from all domains can be set.

In addition, each of the above-described access right determination elements may determine access rights by using a combination of at least one of the determination factors with an Inclusive and an Exclusive condition and a Priority. For example, when C1, C2, and C3 are set as three judgment factors for a specific object web resource, as shown in Table 1, by applying from a lower priority class (third) to a higher priority (first) Accept CRUD requests from objects that have * .etri.re.kr as a domain for web resources, excluding CRUD requests for objects with an IP address beginning with 129.254.100, but not from 129.254.100.15 CRUD requests can be accepted as permissible. That is, if it is expressed as a set symbol, it can be expressed as {{{C3} ∩ ~ C2} ∪ C1}.

Condition Priority Allow / Disallow Kinds Example value C1 One Inclusive IP address 129.254.100.15 C2 2 Exclusive IP address 129.254.100. * C3 3 Inclusive Domain name * .etri.re.kr

As another implementation, if there are more than one decision factors, 1) a method of allowing access only if all of the conditions are satisfied, 2) a method of allowing access if any of the conditions are satisfied, and 3) , Or a method of allowing access only when none of the combined elements of the unacceptable condition is satisfied. For example, if there are three conditions C1, C2, C3 listed in Table 1, the manner of allowing access can be expressed as:

Method 1: C1 ∩ ~ C2 ∩ C3

Method 2: C1 ∪ ~ C2 ∪ C3

Method 3: {C1? C3} - {C2}

On the other hand, in step 340, the object 100a may determine the access right of the object 100b using the access authority determination element illustrated below.

(1) "timeBetween (09:00:00, 17:00:00), for example, as an accessible time range (second / minute / hour / day / day / month / ", CRUD requests can be accepted only from 9 am to 5 pm.

(2) If it is set as "timeAfter (2013-10-31T00: 00: 00)", for example, as a time of access to the web resource, CRUD request only after 0:00:00 of October 31, 2013 . ≪ / RTI >

(3) As a result of comparing the attribute value of the corresponding web resource, for example, when the maximum number of lower resources is set to 10, the CRUD request to generate the 11th lower resource may not be permitted.

(4) A state of the object holding the web resource, for example, if the current memory utilization rate of the object is less than 5%, the CRUD request may be rejected. Also, only when the object has reached a specific spatial state and location (altitude, atmospheric pressure, longitude and latitude, within a logical zone, distance from a specific geographical location), or a specific temporal state , You can allow CRUD requests.

(5) As a capability or a configuration limit value set for an object having the web resource, for example, when the maximum number of resources that can be held in an object is limited to 100, You may not allow the CRUD request you want to generate.

Each of the above determination factors can determine the access right by using a combination of at least one of the determination factors having an exclusive and non-exclusive condition and a priority. For example, if C4, C5, and C6 are set as three judgment factors for a specific object web resource, as shown in Table 2, by applying from a lower priority class (third) to a higher priority (first) Allow CRUD requests from 9:00 am to 3:00 pm for resources, but do not allow CRUD requests if the current CPU usage of the object exceeds 95% and the total number of resources in the object exceeds 100. That is, if it is represented by the set symbol, {{C6} ∩ ~ C5} ∩ ~ C4} can be displayed.

Condition Priority Allow / Disallow Kinds Example value C4 One Exclusive resourceTotalCount MoreThan, 100 C5 2 Exclusive CPUusage MoreThan, 95% C6 3 Inclusive timeBetween 09:00:00, 15:00:00

On the other hand, the access right determining elements of steps 335 and 340 described so far can be expressed in combination using permissible and non-permissive conditions, or priorities. For example, when the four decision elements C2, C3, C4, and C6 described in Table 3 are determined to have the same priority, {C3 ∪ C6} - {C2 ∪ C4}, that is, 9:00 am to 3:00 pm If the CRUD request is accepted from the domain etri.re.kr but the IP band starts with 129.254.100, or if the total number of resources in the object exceeds 100, the CRUD request can be rejected .

Condition Priority Allow / Disallow Kinds Example value C2 One Exclusive IP address 129.254.100. * C3 One Inclusive Domain name * .etri.re.kr C4 One Exclusive resourceTotalCount MoreThan, 100 C6 One Inclusive timeBetween 09:00:00, 15:00:00

If the CRUD request passes all of the steps 305 through 340 described above, then at step 345, the object 100a processes the request for that web resource and at step 350 sends the result to the object 100b.

Here, the above-described steps 320 to 325, steps 330 to 340, and steps 345 to 350 are not necessarily performed sequentially, but may be performed in parallel or in a different order depending on the implementation method.

FIG. 4 is an exemplary diagram illustrating the access authority determination elements illustrated in FIG. 3 as separate Web resource types, and FIG. 5 is an exemplary view illustrating a method of applying the access authority determination element illustrated in FIG.

The access authorization decision elements illustrated in FIG. 3 may be expressed in the form of a separate web resource. For example, as shown in FIG. 4, a web resource for an access right called AccessRight1 can be expressed. There are three permissive conditions that allow an identifier called ETRI_1 to be a parameter, an IP address starting with 129.254.100, or a request to retrieve from an object with etri.re.kr as a domain, Time request, the CPU availability status of the object, and three non-allowable conditions that do not allow CRUD requests in a particular domain.

Accordingly, when an object accesses a specific web resource with the access right of AccessRight1, access to the corresponding web resource can be controlled using the access right determining elements specified in AccessRight1 when there is a request for the corresponding web resource have. FIG. 5 shows a method of applying access rights set in AccessRight1 to a resource called DataContainer1. That is, when receiving the inquiry request for DataContainer1, the access right is determined by using the three permission conditions and the three non-permission conditions specified in AccessRight1.

Similarly, a CRUD request for the AccessRight1 resource itself can be granted access using the rights set in AccessRight2, which is specified with another access right. Furthermore, since access rights can be expressed as web resources, they can be accessed via URIs on the web communication network. Therefore, depending on the implementation method, web resources for access rights may be separately stored for individual objects, or may be stored in a specific storage included in web communication between objects, so that a plurality of objects can be shared, You may.

FIG. 6 is a diagram showing a functional configuration of an object implementing the resource access control method, and FIG. 7 is a flowchart exemplarily showing a resource access control method performed by the object shown in FIG.

The objects 100a and 100b include a request receiving unit 101 for receiving a resource access request in a web communication network, a rights analysis unit 102 for determining an access right, a resource for generating / inquiring / changing / A management unit 103, a resource storage 104 for storing resource information, a request processing unit 105 for executing a received request and generating a result, and a response transmitting unit 106 for transmitting a result of execution of the request in response .

When the functional modules are implemented, for example, the functions can be performed in the following order.

In step 700, the request receiving unit 101 receives CRUD (resource creation / resource inquiry / resource change / resource deletion) request through the web.

In step 705, the request receiving unit 101 inquires of the resource managing unit 103 whether or not a web resource corresponding to the CRUD request exists.

In step 710, the resource management unit 103 inquires the resource repository 104 to check whether the corresponding web resource exists. If the corresponding web resource exists, the resource management unit 103 notifies the request receiving unit 101 that the corresponding web resource exists. If the web resource does not exist, it returns an error.

In step 715, if the corresponding web resource exists, the request receiving unit 101 requests the authority analysis unit 102 to analyze the access authority to the web resource.

In step 720, the authority analysis unit 102 inquires the resource management unit 103 about the access authority determination element associated with the web resource.

In step 725, the resource management unit 103 inquires the resource repository 104 and returns an access authorization factor for the corresponding web resource.

In step 730, the authority analyzing unit 102 determines whether or not the counterpart object that transmitted the CRUD request using the access authority determination element searched through the resource management unit 103 and the access authority .

In step 735, when the access to the corresponding web resource is permitted, the authority analysis unit 102 delivers a CRUD request for the resource to the request processing unit 105.

In step 740, the request processing unit 105 performs an operation according to the CRUD request, and when there is a change in the web resource, the resource management unit 103 transmits the change.

In step 745, the resource management unit 103 stores the changed resource information in the resource repository 104.

In step 750, the request processing unit 105 delivers the result of the execution of the CURD request to the response sending unit 106.

In step 755, the response sender sends a response to the CRUD request.

It will be understood by those skilled in the art that the foregoing description of the present invention is for illustrative purposes only and that those of ordinary skill in the art can readily understand that various changes and modifications may be made without departing from the spirit or essential characteristics of the present invention. will be. It is therefore to be understood that the above-described embodiments are illustrative in all aspects and not restrictive.

It is intended that the present invention covers the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. .

100a, 100b, 120: Objects
101:
102: authority analysis section
103: Resource Management Unit
104: Resource Store
105:
106:
110: Web broker
500: Web Resources

Claims (1)

A method for controlling resource access between objects connected to each other via a communication network,
Receiving an access request for a web resource held by an object;
Confirming whether or not a web resource related to the access request exists;
Determining access rights to a web resource associated with the access request;
If the access right is recognized, requesting access to the web resource and returning the result,
Wherein the access request includes one of a creation, an inquiry, an update deletion request for the web resource,
Wherein the access right is determined using at least one permission condition, at least one non-permission condition, and a combination thereof.

Images