WO2013182126A1 - Unified management and control method and platform for ubiquitous terminal - Google Patents

Unified management and control method and platform for ubiquitous terminal

Info

Publication number
WO2013182126A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2013/079351
Other languages
French (fr)
Chinese (zh)
Inventor
Sun Aifang (孙爱芳)
Zhang Zhifei (张志飞)
Ling Zhihao (凌志浩)
Gao Chong (高冲)
Qi Xuewen (祁学文)
Yuan Yifeng (袁宜峰)
Original Assignee
ZTE Corporation (中兴通讯股份有限公司)
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys

Definitions

  • The present invention relates to the field of wireless communication technologies, and in particular to a unified management and control method and platform for ubiquitous terminals.
  • Unified management and control of terminals includes unified registration, authentication, authorization, and access control.
  • Existing terminal registration and authentication schemes mainly focus on group authentication of homogeneous terminals in the Internet of Things: all terminals taking part in the group authentication have no significant difference in identity or capability, and the services they access are essentially the same.
  • Published single sign-on systems based on unified authentication allow a terminal to register and authenticate once and then log in at a single point for network-wide access, but this also brings security problems, especially when services are ubiquitous and terminals are heterogeneous.
  • In that setting the identity and capabilities of each terminal differ.
  • Granting every terminal network-wide access not only places an information-management burden on the application server, but also creates security risks such as data pollution and identity spoofing.
  • The embodiments of the present invention provide a unified management and control method and platform for ubiquitous terminals, which manage and control a heterogeneous terminal group, improve registration and authentication efficiency, and improve the security and reliability of service access.
  • An embodiment of the present invention provides a unified management and control method for a ubiquitous terminal, including:
  • the unified management and control platform receives a registration request from the application server, registers the service of the application server, and obtains the identity and capability requirements that the service places on terminals;
  • the platform receives a registration request from the terminal group, obtains the identity information and capability information of each terminal in the group, and establishes a terminal service mapping table from that information and the service's identity and capability requirements; the terminal service mapping table indicates the mapping between each terminal and the services it may access, and the platform authorizes each terminal to access those services.
  • The foregoing method may further have the following feature: acquiring the identity information and capability information of each terminal in the terminal group, and establishing the terminal service mapping table from that information and the service's identity and capability requirements, includes:
  • the unified management and control platform organizes the terminals in the terminal group to register, obtains the identity information of each terminal from the registration information it submits, compares the identity information of each terminal with the identity requirements of the services, and generates a preliminary terminal service mapping table;
  • the platform delivers a digital certificate to the terminals in the group, obtains the capability information that each terminal uploads through the digital certificate, compares the capability information of each terminal with the capability requirements of the services, and filters the preliminary terminal service mapping table to generate the final terminal service mapping table.
  • The above method may also have the following feature, the method further comprising:
  • after a service update, the unified management and control platform updates the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the updated identity and capability requirements of the service, and when the terminal service mapping table changes, re-authorizes the terminals whose entries changed.
  • The above method may also have the following feature, the method further comprising:
  • after receiving a service access request from a terminal in the terminal group, the unified management and control platform determines from the terminal service mapping table whether the terminal has access rights; if so, it forwards the service access request to the corresponding application server, and if not, it blocks the terminal's access.
  • The above method may further have the following feature, the method further comprising: the unified management and control platform uploads the identity information, or the identity and capability information, of each terminal that has service access rights to the corresponding application server.
  • the terminal group includes one or more heterogeneous terminals.
  • The embodiment of the invention further provides a unified management and control platform for a ubiquitous terminal, including: a service registration module, configured to receive a registration request from an application server, register the service of the application server, and obtain the identity and capability requirements that the service places on terminals;
  • a mapping module, configured to receive a registration request from the terminal group, obtain the identity information and capability information of each terminal in the terminal group, and establish, from that information and the service's identity and capability requirements, a terminal service mapping table indicating the mapping between each terminal and the services it may access;
  • a terminal authorization module, configured to authorize each terminal to access the services it may access.
  • The mapping module includes a terminal registration module and a terminal authentication module, where:
  • the terminal registration module is configured to organize the terminals in the terminal group to register, obtain the identity information of each terminal from the registration information it submits, compare the identity information of each terminal with the identity requirements of the services, generate a preliminary terminal service mapping table, and send it to the terminal authentication module;
  • the terminal authentication module is configured to deliver a digital certificate to the terminals in the terminal group, obtain the capability information that each terminal uploads through the digital certificate, compare the capability information of each terminal with the capability requirements of the services, and filter the preliminary terminal service mapping table to generate the final terminal service mapping table.
  • The platform may also have the following feature: the platform further includes a terminal rights management module, and the terminal authentication module is further configured to send the terminal service mapping table to the terminal rights management module;
  • the terminal rights management module is configured to update the terminal service mapping table after a service update, according to the identity information and capability information of each terminal in the terminal group and the updated identity and capability requirements of the service, and, when the terminal service mapping table changes, to re-authorize the terminals whose entries changed.
  • The platform may further have the following feature: the platform further includes a terminal access control module, configured to determine, after receiving a service access request from a terminal in the terminal group, whether the terminal has access rights according to the terminal service mapping table; if so, it forwards the service access request to the corresponding application server, and if not, it blocks the terminal's access.
  • The above platform may also have the following feature:
  • the authorization module is further configured to upload the identity information, or the identity and capability information, of each terminal that has service access rights to the corresponding application server.
  • The terminal group includes one or more heterogeneous terminals.
  • The unified management and control method and platform provided by the embodiments of the present invention can effectively manage and control terminal groups formed from heterogeneous terminals and complete the functions of unified authentication, registration, authorization, rights management, and access control. Service access is secured under the dual check of identity and capability. At the same time, the differences between heterogeneous terminals are effectively masked, so heterogeneous terminals are registered and authenticated efficiently.
  • FIG. 1 is a flowchart of a unified management and control method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic structural diagram of a unified management and control platform according to Embodiment 2 of the present invention.
  • FIG. 3 is a flowchart of a method for unified management and control using a unified management and control platform according to Embodiment 3 of the present invention.
  • FIG. 4 is a schematic diagram of Embodiment 4 of the present invention.
  • In the following, a terminal group formed of heterogeneous terminals is taken as an example, but the present invention is not limited thereto: the terminal group may also include homogeneous terminals, and the case where the group contains only one terminal is not excluded.
  • The embodiment of the invention provides a method for unified management and control, including the following steps:
  • the unified management and control platform receives a registration request from the application server, registers the service of the application server, and obtains the identity and capability requirements that the service places on terminals;
  • the platform receives a registration request from the terminal group, obtains the identity information and capability information of each terminal, and establishes a terminal service mapping table indicating the mapping between each terminal and the services it may access; it then authorizes each terminal to access those services.
  • The terminal service mapping table is established as follows: the unified management and control platform organizes the terminals in the terminal group to register, obtains the identity information of each terminal from the registration information it submits, and compares it with the identity requirements of the services to form a preliminary terminal service mapping table;
  • the capability information of each terminal is then compared with the capability requirements of the services, and the preliminary terminal service mapping table is filtered to generate the final terminal service mapping table.
  • The method further includes:
  • after a service update, the unified management and control platform updates the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the updated identity and capability requirements of the service, and when the terminal service mapping table changes, re-authorizes the terminals whose entries changed.
  • The method further includes:
  • after receiving a service access request from a terminal in the terminal group, the unified management and control platform determines from the terminal service mapping table whether the terminal has access rights; if so, it forwards the service access request to the corresponding application server and, after receiving the application server's response, the terminal obtains access to the service; if not, the terminal's access is blocked and the terminal is notified that it has no access right.
  • The unified management and control platform uploads the identity information, or the identity and capability information, of each terminal that has service access rights to the corresponding application server.
  • Step 101: After receiving a service registration request from the application server, register the service and obtain the identity and capability requirements that the service places on terminals.
  • The service registration request of the application server is answered and the service is registered. Services include disaster warning, environmental monitoring, medical services, in-vehicle services, mobile office, data communication, social services, and so on. Because each service targets specific users and has its own special requirements, the service is registered together with the identity and capabilities required of a terminal that uses it.
  • The identity of a terminal includes the identity of an ordinary user or an administrator, and may also include a social identity such as student, staff member or senior; a service without identity requirements defaults to all terminal users.
  • Terminal capabilities include the terminal's CPU, storage capability, display capability, network interface capability, mobility, and so on.
  • The specific identity and capability information given here is merely an example; the present invention is not limited thereto, and the information can be set according to specific needs.
  • Step 102: Receive a registration request from the terminal group and register the terminal group as a whole to obtain the identity information of each terminal.
  • The terminal group may include heterogeneous terminals, and may also include similar terminals.
  • The terminal group's registration request is answered and the terminals in the group are registered; the terminals may include handheld terminals, workstations, data collectors, in-vehicle terminals, medical terminals, and the like.
  • A terminal is required to provide its identity information when it registers, that is, whether it is an ordinary user or an administrator and, for example, whether it is a student, staff member or senior.
  • Step 103: Compare the identity information registered by each terminal with the identity requirements of the services and form a preliminary terminal service mapping table.
  • The terminal identity information obtained in step 102 is compared with the service identity requirements obtained in step 101. Before this decision, every terminal is by default treated as entitled to roam the whole network; after the decision, the services whose identity requirements the terminal does not meet are deleted from that terminal's service access list, forming the preliminary terminal service mapping table. Decision methods include the elimination method, the ring method, the classification method, and so on. This default is only the starting state of the preliminary table: access decisions in step 110 are made against the final table from step 105 (or its update from step 107), never against this default.
  • Step 104: Organize unified digital authentication of the terminals in the terminal group and obtain the capability information of each terminal.
  • All terminals in the terminal group are organized to log in for the first time by issuing a digital certificate; the identity of each terminal is confirmed by digital information such as a password, and the capability information of the terminal is obtained.
  • The digital certificate is based on existing digital certificate technology, extended with collection of the terminal's capability information. Identity authentication uses unified group authentication, which improves authentication efficiency; at the same time, the extended digital certificate supports collection of terminal capabilities, providing sufficient information for the terminal capability decision of step 105.
  • Step 105: Compare the obtained terminal capability information with the capability requirements of the services, form the final terminal service mapping table, and authorize the terminals.
  • The terminal capability information obtained in step 104 is compared with the service capability requirements obtained in step 101.
  • The preliminary terminal service mapping table formed in step 103 is decided against the terminal capabilities: the services matching both the identity and the capability of each terminal are retained, forming the final terminal service mapping table, and the terminals are uniformly authorized.
  • Unified authorization means that the terminal service mapping table is sent to the gateway, in cooperation with the gateway, and the gateway then authorizes the terminals in the group.
  • Step 106: Determine whether there is a service update. If there is an update, perform steps 107 and 108; if there is no update, go directly to step 109.
  • Steps 107 and 108 are required to regenerate the terminal service mapping table and re-authorize the terminals.
  • Step 107: Update the terminal service mapping table.
  • A new terminal service mapping table is automatically generated from the terminal identity information and capability information obtained in steps 102 and 104 and the updated service requirements, and replaces the original terminal service mapping table.
  • Step 108: Re-authorize and notify the terminals.
  • The terminals whose entries changed are re-authorized according to the terminal service mapping table newly generated in step 107, and are notified.
  • Step 109: Receive a service access request from a terminal.
  • Step 110: Determine from the terminal service mapping table whether the terminal has access rights; if not, perform step 111, and if so, perform step 112.
  • The terminal service mapping table from step 105 (or its update from step 107) is consulted to query whether the terminal has the right to access the requested service. If not, step 111 is performed; if it does, step 112 is performed.
  • Step 111: When the terminal has no access right, block the access, notify the terminal that it has no access right, and end the process.
  • When a terminal requests access to a service without having the access right, the platform blocks the access and notifies the terminal that it has no access right.
  • Cases without access right include: the service no longer exists after a service update, so the corresponding service entry cannot be found in the mapping table; or malicious access caused by an attack on, or the destructiveness of, the terminal.
  • Step 112: Submit the terminal's service access request to the application server.
  • The terminal's service access request is sent to the corresponding application server and the application server's response is awaited.
  • Step 113: After the response from the application server is obtained, the terminal accesses the service, and the process ends.
  • The order of execution of steps 106-108 and steps 109-113 may be changed, that is, steps 109-113 may be performed first and steps 106-108 afterwards; moreover, steps 106-108 and steps 109-113 may each be performed as many times as needed: steps 106-108 whenever a service update occurs, and steps 109-113 whenever a service request from a terminal is received.
  • In this way, a terminal group formed of heterogeneous terminals can complete identity registration, capability information collection, service right decision and generation, and access control, ensuring the security of access and improving the efficiency of registration and authentication.
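The mapping-table logic of steps 101-113, written out as an added example (my own Python, not code from the patent or from ZTE). It assumes a concrete requirement format that the patent leaves open: each service lists the identities it accepts (an empty set meaning no identity requirement) and minimum capability values, and a terminal's capability report is only trusted once it has completed the certificate login of step 104. The block builds the preliminary table of step 103, applies the capability filter of step 105, computes the set of terminals that step 108 must re-authorize after a service update, and performs the default-deny lookup of step 110, including the step 111 case where a service has been withdrawn.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Added example, not the patent's own code. The requirement format below
# (accepted identities plus minimum capability values) is an assumption;
# the patent only says identity and capability are compared.


@dataclass
class Service:
    """A registered service and the requirements it places on terminals (step 101)."""
    name: str
    identities: FrozenSet[str] = frozenset()                        # empty: no identity requirement
    capabilities: Dict[str, object] = field(default_factory=dict)   # e.g. {"cpu_mhz": 1000, "display": True}


@dataclass
class Terminal:
    """Identity comes from registration (step 102); capabilities from the
    certificate-based first login (step 104)."""
    tid: str
    identity: str
    authenticated: bool = False
    capabilities: Dict[str, object] = field(default_factory=dict)


MappingTable = Dict[str, Set[str]]   # terminal id -> names of accessible services


def meets_identity(service: Service, terminal: Terminal) -> bool:
    return not service.identities or terminal.identity in service.identities


def meets_capability(service: Service, terminal: Terminal) -> bool:
    # Capability claims arrive via the certificate login; an unauthenticated
    # terminal has none we can trust, so it fails every capability check.
    if not terminal.authenticated:
        return False
    for key, required in service.capabilities.items():
        have = terminal.capabilities.get(key)
        if have is None:
            return False
        if isinstance(required, bool):
            if bool(have) != required:
                return False
        elif have < required:
            return False
    return True


def preliminary_table(services: List[Service], terminals: List[Terminal]) -> MappingTable:
    """Step 103: start from 'everything' and drop services whose identity requirement fails."""
    return {t.tid: {s.name for s in services if meets_identity(s, t)} for t in terminals}


def final_table(services: List[Service], terminals: List[Terminal], prelim: MappingTable) -> MappingTable:
    """Step 105: filter the preliminary table by capability."""
    by_name = {s.name: s for s in services}
    return {
        t.tid: {n for n in prelim.get(t.tid, set()) if n in by_name and meets_capability(by_name[n], t)}
        for t in terminals
    }


def build_table(services: List[Service], terminals: List[Terminal]) -> MappingTable:
    return final_table(services, terminals, preliminary_table(services, terminals))


def changed_terminals(old: MappingTable, new: MappingTable) -> Set[str]:
    """Steps 107-108: the terminals whose entry changed and therefore need re-authorization."""
    return {tid for tid in set(old) | set(new) if old.get(tid, set()) != new.get(tid, set())}


def check_access(table: MappingTable, tid: str, service: str) -> bool:
    """Step 110: default deny. An unknown terminal, or a service that disappeared
    after an update (step 111), simply is not in the table."""
    return service in table.get(tid, set())


# Constructed sample data for the example.
SERVICES = [
    Service("disaster_warning"),                                                  # open to every terminal
    Service("medical", frozenset({"staff"}), {"display": True, "storage_mb": 256}),
    Service("mobile_office", frozenset({"staff", "student"}), {"cpu_mhz": 1000}),
]
TERMINALS = [
    Terminal("t1", "staff", True, {"cpu_mhz": 1500, "storage_mb": 512, "display": True}),
    Terminal("t2", "student", True, {"cpu_mhz": 600, "storage_mb": 128, "display": False}),
    Terminal("t3", "senior"),   # registered but never completed the certificate login
]
# A service update: mobile_office is withdrawn, environmental_monitoring is added.
UPDATED_SERVICES = [s for s in SERVICES if s.name != "mobile_office"] + [
    Service("environmental_monitoring", frozenset(), {"storage_mb": 1024}),
]

if __name__ == "__main__":
    table = build_table(SERVICES, TERMINALS)
    print("final table:", table)
    new_table = build_table(UPDATED_SERVICES, TERMINALS)
    print("re-authorize:", changed_terminals(table, new_table))
    print("t1 -> mobile_office after update:", check_access(new_table, "t1", "mobile_office"))
```

With the sample data, t1 ends up with all three services, t2 with only disaster_warning (its CPU is below the mobile_office floor, and medical requires the staff identity), and t3 with nothing because its capabilities were never attested. After the update only t1's entry changes, so only t1 is re-authorized, and its request for the withdrawn mobile_office is refused by the default-deny lookup rather than by any special case.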
  • This embodiment provides a unified management and control platform for a ubiquitous terminal, including:
  • a service registration module, configured to receive a registration request from the application server, register the service of the application server, and obtain the identity and capability requirements that the service places on terminals;
  • a mapping module, configured to receive a registration request from the terminal group, obtain the identity information and capability information of each terminal in the terminal group, and establish, from that information and the service's identity and capability requirements, a terminal service mapping table indicating the mapping between each terminal and the services it may access;
  • a terminal authorization module, configured to authorize each terminal to access the services it may access.
  • The mapping module includes a terminal registration module and a terminal authentication module, where:
  • the terminal registration module is configured to organize the terminals in the terminal group to register, obtain the identity information of each terminal from the registration information it submits, compare the identity information of each terminal with the identity requirements of the services, generate a preliminary terminal service mapping table, and send it to the terminal authentication module;
  • the terminal authentication module is configured to deliver a digital certificate to the terminals in the terminal group, obtain the capability information that each terminal uploads through the digital certificate, compare the capability information of each terminal with the capability requirements of the services, and filter the preliminary terminal service mapping table to generate the final terminal service mapping table.
  • The platform further includes a terminal rights management module, where:
  • the terminal authentication module is further configured to send the terminal service mapping table to the terminal rights management module;
  • the terminal rights management module is configured to update the terminal service mapping table after a service update, according to the identity information and capability information of each terminal in the terminal group and the updated identity and capability requirements of the service, and, when the terminal service mapping table changes, to re-authorize the terminals whose entries changed.
  • The platform further includes a terminal access control module, configured to determine, after receiving a service access request from a terminal in the terminal group, whether the terminal has access rights according to the terminal service mapping table; if so, it forwards the service access request to the corresponding application server, and if not, it blocks the terminal's access.
  • The authorization module is further configured to upload the identity information, or the identity and capability information, of each terminal that has service access rights to the corresponding application server.
  • The platform may further include a gateway, configured to organize the heterogeneous terminals into a terminal group and to mediate the interaction between the terminals and the terminal registration module, terminal authentication module, terminal authorization module, terminal rights management module, and terminal access control module.
  • The device is illustrated by an example below. As shown in FIG. 2, this example provides a unified management and control platform.
  • The platform sits between the terminal group and the application servers, and provides a solution for forming a secure and reliable mapping table between ubiquitous terminals and ubiquitous services.
  • The unified management and control platform 10 includes a service registration module 11, a terminal registration module 12, a terminal authentication module 13, a terminal authorization module 14, a terminal rights management module 15, a terminal access control module 16, and a gateway 17, where:
  • the service registration module 11 is configured to communicate with the ubiquitous service layer, the terminal registration module and the terminal authentication module, to respond to service registration requests, to provide the service layer with an API for service registration requests and a registration API, and to provide the terminal registration module and terminal authentication module with the information needed for their decisions.
  • The service layer can request service registration by calling the API; after obtaining a response it can register the service and submit its requirements on terminal identity and capability.
  • The information obtained by the service registration module 11 can be called upon when terminals are uniformly registered and authenticated.
  • The terminal registration module 12 is configured to perform unified registration of terminals.
  • This module communicates with the gateway 17 through the registration interface, responds to the registration request sent by the gateway, and receives the identity information of the terminal group from the gateway.
  • It also fetches from the service registration module 11 the identity requirements that the existing services place on terminals, decides and generates a preliminary terminal service mapping table, and passes the registration information and the terminal service mapping table to the terminal authentication module 13.
  • The terminal authentication module 13 is configured to perform unified authentication of terminals.
  • This module communicates with the gateway 17 through the authentication interface and issues digital certificates to the gateway 17.
  • It organizes the gateway 17 to have the terminals attached to the gateway log in for the first time, collects the login information of all terminals in the network through the gateway 17, and cross-checks it against the registration information.
  • The module also obtains the capability information of all terminals in the network from the gateway 17, fetches the terminal capability requirements held by the service registration module 11, and decides the final terminal service mapping table.
  • The terminal service mapping table is then delivered to the terminal authorization module 14.
  • The terminal authorization module 14 is configured to authorize the terminals attached to the gateway 17 and to upload the authorization information.
  • This module sends the terminal service mapping table generated by the terminal authentication module 13 to the gateway 17 and organizes the gateway 17 to uniformly authorize the terminals in the network; it also extracts the identity and capability information of the terminals registered for each service and uploads the information of the terminals that hold rights to a service to the corresponding application server.
  • The module also passes the authorization information (including the terminal service mapping table) to the terminal rights management module 15.
  • The terminal rights management module 15 is configured to receive service update notifications from the service servers, update the terminal service mapping table, and notify the terminals.
  • This module provides the ubiquitous service layer with a notification interface for service updates.
  • The service layer calls this API to notify the terminal rights management module of an update.
  • The terminal rights management module then regenerates the terminal service mapping table and notifies terminals of changes to their services through the query and notification interface; terminals can also query their rights through it as needed.
  • The terminal access control module 16 is configured to respond to the service access requests of terminals and to notify the application server that a terminal has a service access request.
  • A terminal may invoke the access request API to request access to a service.
  • The terminal access control module 16 retrieves the latest rights information from the terminal rights management module 15 to confirm whether the terminal holds the access right for the service, and then notifies the corresponding application server to provide the service to the terminal.
  • The gateway 17 is configured to manage the attached terminals and is responsible for communication with the terminal registration module 12, the terminal authentication module 13, and the terminal authorization module 14: it organizes the terminals to register and consolidates their identity information for unified registration with the terminal registration module 12; it has all terminals in the network log in and consolidates their capability information for upload to the terminal authentication module 13; and after obtaining the authorization information from the terminal authorization module 14, it distributes the unified authorization information to each terminal in the network.
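An added example (my own Python, not the patent's or ZTE's code) of the check the terminal authentication module 13 needs before it feeds uploaded capabilities into the mapping decision: a capability report is accepted only if it is bound to a terminal that actually holds a certificate and has not been altered after signing, which is what keeps the "data pollution" and "identity spoofing" risks named in the background out of the table. The patent says only that capabilities are uploaded "through the digital certificate"; the per-terminal HMAC key handed out together with the certificate at first login is an assumption standing in for a certificate signature, and the sample reports are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Added example, not the patent's own code. The certificate signature is
# stood in for by an HMAC under a per-terminal key that the platform is
# assumed to issue with the certificate at first login.


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_capability_report(key: bytes, tid: str, capabilities: dict) -> dict:
    """Terminal side: bind the capability claim to the terminal identity."""
    body = {"tid": tid, "capabilities": capabilities}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_capability_report(issued_keys: Dict[str, bytes], report: dict) -> Optional[dict]:
    """Platform side: return the capabilities only if the report is bound to a
    terminal that holds a certificate and has not been altered; otherwise None."""
    tid = report.get("tid")
    key = issued_keys.get(tid)
    if key is None:
        return None          # no certificate issued to this id: spoofed or stray client
    body = {"tid": tid, "capabilities": report.get("capabilities")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(report.get("tag", ""))):
        return None          # claim altered after signing: would pollute the mapping table
    return body["capabilities"]


# Constructed sample: keys the platform issued at certificate delivery.
ISSUED_KEYS = {"t1": b"key-issued-to-t1", "t2": b"key-issued-to-t2"}


def demo() -> Dict[str, Optional[dict]]:
    good = sign_capability_report(ISSUED_KEYS["t1"], "t1", {"cpu_mhz": 1500, "display": True})
    inflated = dict(good, capabilities={"cpu_mhz": 4000, "display": True})          # edited after signing
    stranger = sign_capability_report(b"not-a-platform-key", "t9", {"cpu_mhz": 9000})  # never enrolled
    impersonation = sign_capability_report(ISSUED_KEYS["t2"], "t1", {"cpu_mhz": 9000})  # t2 claims to be t1
    return {
        "good": verify_capability_report(ISSUED_KEYS, good),
        "inflated": verify_capability_report(ISSUED_KEYS, inflated),
        "stranger": verify_capability_report(ISSUED_KEYS, stranger),
        "impersonation": verify_capability_report(ISSUED_KEYS, impersonation),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {'accepted ' + str(result) if result is not None else 'rejected'}")
```

Only the untouched report from an enrolled terminal is accepted; the inflated claim, the report from an id that was never issued a certificate, and the report signed with another terminal's key are all dropped before they can reach the capability comparison of step 105.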
  • Step 301: The ubiquitous service layer registers its services with the unified management and control platform and submits its requirements on terminal identity and capability to the service registration module.
  • Step 302: The ubiquitous terminal submits a registration request to the unified management and control platform.
  • Step 303: After responding to the registration request, the unified management and control platform organizes the terminal to register.
  • Step 305: The unified management and control platform issues a digital certificate and organizes the terminal to log in for the first time.
  • Step 306: The terminal logs in and uploads its capability information to the gateway through the digital certificate, and the gateway passes the capability information to the terminal authentication module.
  • Step 307: The unified management and control platform extracts the terminal information authorized for each service and uploads it to the corresponding application server.
  • Step 308: The unified management and control platform notifies each terminal in the network, through the gateway, of the authorization it has obtained.
  • Step 309: If there is a service update, the application server notifies the unified management and control platform through the service update notification interface.
  • Step 310: After regenerating the terminal service mapping table, the unified management and control platform notifies the terminals of the rights update.
  • Step 311: The terminal submits a service access request to the unified management and control platform.
  • Step 312: After confirming that the terminal has the access right, the unified management and control platform notifies the application server that there is a terminal service access request.
  • Step 313: The application server responds to the access request and serves the terminal.
  • FIG. 4 is a schematic diagram of an embodiment of unified registration, authentication, authorization and access control using the method of the embodiment of the present invention.
  • a heterogeneous terminal group consisting of a computer, a mobile phone, a PDA (Personal Digital Assistant), a Pad (tablet), a camera, a copier, a printer, etc.
  • a unified management and control platform can achieve unified registration, authentication and authorization of the heterogeneous terminals, and control them so that they access ubiquitous services securely.
  • the unified management and control platform includes registration, authentication and authorization servers, a relational database, a communication server and gateways.
  • the registration, authentication and authorization servers implement the functions of the terminal registration module, the service registration module, the terminal authentication module and the terminal authorization module; the relational database implements the function of the terminal authority management module; and the communication server implements the function of the terminal access control module.
  • the present application provides a unified management and control method and platform that can uniformly register, authenticate and authorize the terminal group formed by heterogeneous terminals, and achieve control of terminal rights management and service access, improving efficiency and security.

Abstract

An embodiment of the present invention provides a unified management and control method for a ubiquitous terminal. A unified management and control platform receives a registration request from an application server, registers the service of the application server, and obtains the requirements that the service places on the identity and capability of a terminal; it receives a registration request from a terminal group, obtains the identity information and capability information of each terminal in the terminal group, establishes a terminal service mapping table according to the identity information and capability information and the identity and capability requirements of the service, the terminal service mapping table indicating the mapping relationship between a terminal and the services it is able to access, and authorizes each terminal for the services it is able to access. An embodiment of the present invention further provides a unified management and control system for a ubiquitous terminal.

Description

Unified management and control method and platform for a ubiquitous terminal
Technical Field
The present invention relates to the field of wireless communication technologies, and in particular to a unified management and control method and platform for a ubiquitous terminal.
Background
With the improvement of people's living standards and the development of network technology, ubiquitous service provision and ubiquitous access have become a trend. In order to provide ubiquitous services to heterogeneous terminals more efficiently and securely, unified management and access control of the terminal groups formed by heterogeneous terminals has become a practical need. Unified management and control of terminals includes unified registration, authentication, authorization and access control.
In the related art, terminal registration and authentication mainly focus on group authentication of homogeneous terminals in the Internet of Things, where all terminals participating in the group authentication show no significant difference in identity or capability and access essentially the same services. Although published single sign-on systems based on unified authentication allow a terminal to register and authenticate once and then reach the whole network with a single login, they also bring security problems, especially where services are ubiquitous and terminals are heterogeneous: the identity and capabilities of each terminal differ greatly, and network-wide access not only burdens the application server with information management but also carries security risks such as data pollution and identity spoofing.
Summary of the Invention
The embodiments of the present invention provide a unified management and control method and platform for a ubiquitous terminal, which manage and control a heterogeneous terminal group, improve the efficiency of registration and authentication, and improve the security and reliability of service access.
To solve the above problem, an embodiment of the present invention provides a unified management and control method for a ubiquitous terminal, including:
the unified management and control platform receives a registration request from an application server, registers the service of the application server, and obtains the identity and capability requirements that the service places on a terminal;
the unified management and control platform receives a registration request from a terminal group, obtains the identity information and capability information of each terminal in the terminal group, establishes a terminal service mapping table according to the identity information and capability information and the identity and capability requirements of the service, the terminal service mapping table indicating the mapping relationship between a terminal and the services it is able to access, and authorizes each terminal for the services it is able to access.
The above method may further have the following feature: obtaining the identity information and capability information of each terminal in the terminal group and establishing the terminal service mapping table according to the identity information and capability information and the identity and capability requirements of the service includes:
the unified management and control platform organizes the terminals in the terminal group to register, and obtains the identity information of each terminal from the registration information submitted by each terminal;
comparing the identity information of each terminal with the identity requirements of the service to generate a preliminary terminal service mapping table;
issuing digital certificates to the terminals in the terminal group, and obtaining the capability information uploaded by each terminal through its digital certificate;
comparing the capability information of each terminal with the capability requirements of the service, and filtering the preliminary terminal service mapping table to generate a final terminal service mapping table.
The above method may further have the following feature: the method further includes:
after a service update, the unified management and control platform updates the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the identity and capability requirements of the updated service, and re-authorizes the changed terminals when the terminal service mapping table has changed.
The above method may further have the following feature: the method further includes:
after receiving a service access request from a terminal in the terminal group, the unified management and control platform determines, according to the terminal service mapping table, whether the terminal has the access right; if so, it forwards the service access request to the corresponding application server, and if not, it blocks the terminal's access.
The above method may further have the following feature: the method further includes the unified management and control platform uploading the identity information, or the identity and capability information, of the terminals that hold the service access right to the corresponding application server.
The above method may further have the following feature: the terminal group includes one or more heterogeneous terminals.
An embodiment of the present invention further provides a unified management and control platform for a ubiquitous terminal, including:
a service registration module, configured to receive a registration request from an application server, register the service of the application server, and obtain the identity and capability requirements that the service places on a terminal;
a mapping module, configured to receive a registration request from a terminal group, obtain the identity information and capability information of each terminal in the terminal group, and establish a terminal service mapping table according to the identity information and capability information and the identity and capability requirements of the service, the terminal service mapping table indicating the mapping relationship between a terminal and the services it is able to access;
a terminal authorization module, configured to authorize each terminal for the services it is able to access.
The above platform may further have the following feature: the mapping module includes a terminal registration module and a terminal authentication module, where:
the terminal registration module is configured to organize the terminals in the terminal group to register, obtain the identity information of each terminal from the registration information submitted by each terminal, compare the identity information of each terminal with the identity requirements of the service, generate a preliminary terminal service mapping table and send it to the terminal authentication module;
the terminal authentication module is configured to issue digital certificates to the terminals in the terminal group, obtain the capability information uploaded by each terminal through its digital certificate, compare the capability information of each terminal with the capability requirements of the service, and filter the preliminary terminal service mapping table to generate a final terminal service mapping table.
The above platform may further have the following feature: the platform further includes a terminal rights management module, where the terminal authentication module is further configured to send the terminal service mapping table to the terminal rights management module;
the terminal rights management module is configured to, after a service update, update the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the identity and capability requirements of the updated service, and re-authorize the changed terminals when the terminal service mapping table has changed.
The above platform may further have the following feature: the platform further includes a terminal access control module, configured to, after receiving a service access request from a terminal in the terminal group, determine according to the terminal service mapping table whether the terminal has the access right; if so, forward the service access request to the corresponding application server, and if not, block the terminal's access.
The above platform may further have the following feature: the authorization module is further configured to upload the identity information, or the identity and capability information, of the terminals that hold the service access right to the corresponding application server.
The above platform may further have the following feature: the terminal group includes one or more heterogeneous terminals.
The unified management and control method and platform provided by the embodiments of the present invention can effectively manage and control the terminal group formed by heterogeneous terminals and complete the functions of unified authentication, registration, authorization, rights management and access control. The dual authentication of identity and capability ensures the security of service access, while the differences between heterogeneous terminals are effectively masked, achieving efficient registration and authentication of heterogeneous terminals.
Brief Description of the Drawings
FIG. 1 is a flowchart of a unified management and control method according to Embodiment 1 of the present invention;
FIG. 2 is a schematic structural diagram of the unified management and control platform according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a method for unified management and control using the unified management and control platform according to Embodiment 3 of the present invention;
FIG. 4 is a schematic diagram of Embodiment 4 of the present invention.
Preferred Embodiments of the Invention
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in the present application and the features in the embodiments may be combined with each other arbitrarily.
In addition, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.
The embodiments of the present application take a terminal group formed by heterogeneous terminals as an example, but the present invention is not limited thereto; the terminal group may also include homogeneous terminals. In addition, the case where the terminal group contains only one terminal is not excluded.
Embodiment 1
This embodiment of the invention provides a unified management and control method, which includes the following steps:
the unified management and control platform receives a registration request from an application server, registers the service of the application server, and obtains the identity and capability requirements that the service places on a terminal;
it receives a registration request from a terminal group, obtains the identity information and capability information of each terminal in the terminal group, establishes a terminal service mapping table according to the identity information and capability information and the identity and capability requirements of the service, the terminal service mapping table indicating the mapping relationship between a terminal and the services it is able to access, and authorizes each terminal for the services it is able to access.
In an alternative of this embodiment, the terminal service mapping table is established as follows:
the unified management and control platform organizes the terminals in the terminal group to register, and obtains the identity information of each terminal from the registration information submitted by each terminal;
comparing the identity information of each terminal with the identity requirements of the service to generate a preliminary terminal service mapping table;
issuing digital certificates to the terminals in the terminal group, and obtaining the capability information uploaded by each terminal through its digital certificate;
comparing the capability information of each terminal with the capability requirements of the service, and filtering the preliminary terminal service mapping table to generate a final terminal service mapping table.
In an alternative of this embodiment, the method further includes:
after a service update, the unified management and control platform updates the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the identity and capability requirements of the updated service, and re-authorizes the changed terminals when the terminal service mapping table has changed.
In an alternative of this embodiment, the method further includes:
after receiving a service access request from a terminal in the terminal group, the unified management and control platform determines, according to the terminal service mapping table, whether the terminal has the access right; if so, it forwards the service access request to the corresponding application server and, once the application server responds, the terminal's access to the service is established; if not, it blocks the terminal's access and may also notify the terminal that it has no access right.
In an alternative of this embodiment, the unified management and control platform uploads the identity information, or the identity and capability information, of the terminals that hold the service access right to the corresponding application server.
The invention is now illustrated by an example. This example provides a unified management and control method which, as shown in FIG. 1, includes the following steps:
Step 101: after receiving a service registration request from an application server, register the application server and obtain the identity and capability requirements that the service places on a terminal.
In this step, the service registration request of the application server is responded to and registered. The services include disaster warning, environmental monitoring, medical services, in-vehicle services, mobile office, data communication, social services and so on. Because a service may target specific users or have special requirements, the service's requirements on the identity and capability of the terminals that execute it need to be registered together with the service. For example, the identity of a terminal includes administrative identities such as ordinary user and administrator, and may also include social identities such as student, staff member or elderly person; a service with no identity requirement is by default open to all terminal users. Terminal capability includes, for example, the terminal's CPU, storage capacity, display capability, network interface capability and mobility. The specific identity and capability information given here is only an example; the present invention is not limited thereto, and they may be set according to actual needs.
Step 102: receive a registration request from the terminal group, perform unified registration of the terminal group, and obtain the identity information of the terminals.
The terminal group may include heterogeneous terminals or terminals of the same kind.
In this step, the registration request of the terminal group is responded to and the terminals in the group are registered. The terminals in the terminal group may include handheld terminals, workstations, data collectors, in-vehicle terminals, medical terminals and the like. Since the users of the terminals have different identity information, and a given identity roaming within the unified service platform does not satisfy the identity requirements of every service, a terminal is required to provide its identity information when it registers, including whether it is an ordinary user or an administrator user, and whether it is a student, a staff member, an elderly person and so on.
Step 103: compare the identity information registered by the terminals with the identity requirements of the services to form a preliminary terminal service mapping table.
In this step, the terminal identity information obtained in step 102 is compared with the identity requirements of the services obtained in step 101. Before the decision, all terminals are by default entitled to roam across the whole network; after the decision, the services whose identity requirements the terminal does not meet are removed from the terminal's service access list, forming the preliminary terminal service mapping table. Decision methods include the elimination method, the round-robin comparison method, the classification method and so on.
Step 104: organize unified digital authentication of the terminals in the terminal group and obtain the capability information of the terminals.
In this step, digital certificates are issued and all terminals in the terminal group are organized to log in for the first time; the identity of the terminal is confirmed using digital information such as a password, and the capability information of the terminal is obtained. The digital certificate builds on existing digital certificate technology with the addition of the collection of the terminal's capability information. Identity authentication uses unified group authentication, which improves authentication efficiency. At the same time, the function of the digital certificate is extended to support the collection of terminal capabilities, providing sufficient information for the capability-based decision in step 105.
Step 105: compare the obtained terminal capability information with the capability requirements of the services, form the final terminal service mapping table and authorize the terminals.
In this step, the terminal capability information obtained in step 104 is compared with the capability requirements of the services obtained in step 101. A decision based on terminal capability is made over the preliminary terminal service mapping table formed in step 103, the services matching the terminal's identity and capability are screened and filtered out, the final terminal service mapping table is formed, and the terminals are uniformly authorized. Unified authorization means that, in cooperation with the gateway, the terminal service mapping table is sent to the gateway, which then authorizes the terminals in the group.
Step 106: determine whether there is a service update; if so, perform steps 107 and 108; if not, go directly to step 109.
In this step, since the development and release of services is dynamic, new services may be created, upgraded or withdrawn at any time. If there is a service update, steps 107 and 108 must be performed to regenerate the terminal service mapping table and re-authorize the terminals.
Step 107: update the terminal service mapping table.
In this step, after the new service registration information is obtained, a new terminal service mapping table is automatically generated according to the identity information and capability information of the terminals obtained in steps 102 and 104, and replaces the original terminal service mapping table.
Step 108: re-authorize and notify the terminals.
In this step, the terminals whose entries changed are re-authorized according to the terminal service mapping table newly generated in step 107, and the terminals are notified.
Step 109: receive a service access request from a terminal.
Step 110: determine, according to the terminal service mapping table, whether the terminal has the access right; if it does not, perform step 111; if it does, perform step 112.
In this step, the terminal service mapping table from step 105 or step 107 is consulted to query whether the terminal has the right to access the service; if not, step 111 is performed, and if so, step 112 is performed.
Step 111: if the terminal does not have the access right, block its access, notify the terminal that it has no access right, and end.
In this step, when a terminal without the access right requests access to a service, its access is blocked and the terminal is notified that it has no access right. Cases in which the access right is absent include: the service no longer exists after a service update and no corresponding entry can be found in the mapping table; or the terminal may be compromised or malicious and is attempting malicious access. Checking the access right effectively eliminates these insecurities.
Step 112: submit the terminal's service access request to the application server.
In this step, the terminal's service access request is sent to the corresponding application server, and the application server's response is awaited.
Step 113: after the application server responds, the terminal's access to the service is established, and the process ends.
In this step, once the response of the application server is obtained, a link between the terminal and the service is formed, and the terminal's access to the service is achieved.
The order of execution of steps 106 to 108 and steps 109 to 113 may be changed, that is, steps 109 to 113 may be performed first and steps 106 to 108 afterwards. In addition, steps 106 to 108 and steps 109 to 113 may be performed as many times as needed: steps 106 to 108 are performed whenever a service update occurs, and steps 109 to 113 are performed whenever a service request from a terminal is received.
Through the above method, unified identity registration, capability information collection, service-right decision and generation, and access control can be performed on the terminal group formed by heterogeneous terminals, which both ensures the security of access and improves the efficiency of registration and authentication.
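The claims above and steps 101 to 113 describe one procedure: identity comparison produces a preliminary terminal service mapping table, capability information collected at certificate login filters it into the final table, a service update regenerates the table and triggers re-authorization of the terminals whose entries changed, and access requests are answered from the table. The following Python model is an added example written for this page, not code from the patent or from the applicant; the class names, the numeric capability comparison (a terminal qualifies when every required capability is present at or above the service's minimum), and the three services and four terminals are all constructed assumptions. It makes one design choice the text leaves open: a terminal that registered but never completed the certificate login has no verified capability information on record and is therefore authorized for nothing.

```python
"""Added example (not the patent's code): a model of the terminal service
mapping table built in steps 101-113. All names and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class ServiceRequirement:
    """What a service demands of a terminal (registered in step 101)."""
    name: str
    identities: frozenset = frozenset()                  # empty => open to every identity
    min_capability: dict = field(default_factory=dict)   # e.g. {"cpu_mhz": 800}


@dataclass
class Terminal:
    terminal_id: str
    identity: str                                        # submitted at registration (step 102)
    capability: dict = field(default_factory=dict)       # collected at certificate login (step 104)


def meets(capability, minimum):
    """True when every required capability is present at or above the minimum."""
    return all(capability.get(key, 0) >= value for key, value in minimum.items())


class ControlPlatform:
    def __init__(self):
        self.services = {}          # service name -> ServiceRequirement
        self.terminals = {}         # terminal id -> Terminal
        self.authenticated = set()  # terminals that completed the certificate login
        self.mapping = {}           # final table: terminal id -> set of service names

    # step 101: service registration with its identity/capability requirements
    def register_service(self, req):
        self.services[req.name] = req

    # step 102: terminal registration supplies identity information only
    def register_terminal(self, terminal):
        self.terminals[terminal.terminal_id] = terminal

    # step 104: capability information is accepted only through the certificate
    # login; a terminal that never logs in has none on record (assumption)
    def certificate_login(self, terminal_id, capability):
        self.terminals[terminal_id].capability = dict(capability)
        self.authenticated.add(terminal_id)

    # step 103: every terminal starts with all services and loses those whose
    # identity requirement it does not satisfy
    def preliminary_table(self):
        return {
            tid: {s.name for s in self.services.values()
                  if not s.identities or t.identity in s.identities}
            for tid, t in self.terminals.items()
        }

    # step 105: capability comparison filters the preliminary table
    def final_table(self):
        final = {}
        for tid, names in self.preliminary_table().items():
            if tid not in self.authenticated:
                final[tid] = set()   # no verified capability information: nothing authorized
                continue
            cap = self.terminals[tid].capability
            final[tid] = {n for n in names if meets(cap, self.services[n].min_capability)}
        return final

    # steps 105/107/108: (re)generate the table and return the terminals whose
    # authorization changed, i.e. those that must be re-authorized and notified
    def authorize(self):
        new = self.final_table()
        changed = {tid for tid in set(new) | set(self.mapping)
                   if new.get(tid, set()) != self.mapping.get(tid, set())}
        self.mapping = new
        return changed

    # step 106: a service update (new, changed or withdrawn service)
    def update_service(self, req=None, withdraw=None):
        if withdraw is not None:
            self.services.pop(withdraw, None)
        if req is not None:
            self.services[req.name] = req
        return self.authorize()

    # steps 109-112: access control answered from the mapping table
    def has_access(self, terminal_id, service_name):
        return service_name in self.mapping.get(terminal_id, set())


def build_demo_platform():
    """Constructed sample data: three services and four terminals."""
    p = ControlPlatform()
    p.register_service(ServiceRequirement("disaster_warning"))
    p.register_service(ServiceRequirement("mobile_office", frozenset({"staff", "admin"}),
                                          {"cpu_mhz": 800, "display": 1}))
    p.register_service(ServiceRequirement("medical_service", frozenset({"medical_staff"}),
                                          {"storage_mb": 512}))
    p.register_terminal(Terminal("phone-1", "staff"))
    p.register_terminal(Terminal("sensor-7", "general"))
    p.register_terminal(Terminal("ws-3", "admin"))
    p.register_terminal(Terminal("pad-2", "staff"))      # registers but never logs in
    p.certificate_login("phone-1", {"cpu_mhz": 1200, "display": 1, "storage_mb": 256})
    p.certificate_login("sensor-7", {"cpu_mhz": 100, "display": 0})
    p.certificate_login("ws-3", {"cpu_mhz": 3000, "display": 1, "storage_mb": 4096})
    p.authorize()
    return p


if __name__ == "__main__":
    platform = build_demo_platform()
    for tid, names in sorted(platform.mapping.items()):
        print(tid, sorted(names))
    # steps 106-108: raising the CPU requirement of mobile_office drops phone-1
    changed = platform.update_service(ServiceRequirement(
        "mobile_office", frozenset({"staff", "admin"}), {"cpu_mhz": 2000, "display": 1}))
    print("re-authorize:", sorted(changed))
    print(platform.has_access("phone-1", "mobile_office"), platform.has_access("ws-3", "mobile_office"))
```

The access check in step 110 reduces to a set lookup in the current table, so a request for a withdrawn service or from a terminal that was never authenticated fails closed, which is the behaviour step 111 requires; the set of terminals returned by `authorize` is exactly the notification list of step 108.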
实施例二 Embodiment 2
This embodiment provides a unified management and control platform for ubiquitous terminals, comprising: a service registration module, configured to: receive a registration request from an application server, register the service of the application server, and obtain the service's identity and capability requirements for terminals;
a mapping module, configured to: receive a registration request from a terminal group, obtain the identity information and capability information of each terminal in the terminal group, and establish a terminal service mapping table according to that identity and capability information and the service's identity and capability requirements for terminals, where the terminal service mapping table indicates the mapping relationship between each terminal and the services it is able to access;
a terminal authorization module, configured to: authorize each terminal for the services it is able to access.
In an alternative of this embodiment, the mapping module comprises a terminal registration module and a terminal authentication module, where:
the terminal registration module is configured to: organize the terminals in the terminal group to register, obtain the identity information of each terminal from the registration information each terminal submits, compare the identity information of each terminal with the service's identity requirements for terminals, generate a preliminary terminal service mapping table, and send it to the terminal authentication module;
the terminal authentication module is configured to: issue digital certificates to the terminals in the terminal group, obtain the capability information that each terminal uploads by means of its digital certificate, compare the capability information of each terminal with the service's capability requirements for terminals, and filter the preliminary terminal service mapping table to generate the final terminal service mapping table.
In an alternative of this embodiment, the platform further comprises a terminal rights management module, where:
the terminal authentication module is further configured to: send the terminal service mapping table to the terminal rights management module;
the terminal rights management module is configured to: after a service update, update the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the updated service's identity and capability requirements for terminals, and, when the terminal service mapping table has changed, re-authorize the affected terminals for their services.
In an alternative of this embodiment, the platform further comprises a terminal access control module, configured to: after receiving a service access request from a terminal in the terminal group, determine from the terminal service mapping table whether the terminal has access permission; if it does, forward the service access request to the corresponding application server, and if it does not, block the terminal's access.
In an alternative of this embodiment, the authorization module is further configured to: upload the identity information, or the identity and capability information, of the terminals that hold access permission for a service to the corresponding application server.
In an alternative of this embodiment, the platform may further comprise a gateway, used to organize heterogeneous terminals into a heterogeneous terminal group so that their interaction with the terminal registration module, terminal authentication module, terminal authorization module, terminal rights management module and terminal access control module can be carried out uniformly.
The apparatus is illustrated below with an example. As shown in Figure 2, this example provides a unified management and control platform that sits between the terminal group and the application servers and offers a solution for forming a secure and reliable mapping table between ubiquitous terminals and ubiquitous services. The unified management and control platform 10 comprises: a service registration module 11, a terminal registration module 12, a terminal authentication module 13, a terminal authorization module 14, a terminal rights management module 15, a terminal access control module 16 and a gateway 17, where:
Service registration module 11 is configured to: communicate with the ubiquitous service layer, the unified terminal registration module and the unified terminal authentication module; respond to service registration requests; provide the service layer with an API for requesting service registration and an API for registering; and provide the terminal registration module and the terminal authentication module with the information they need for their decisions. The service layer can request service registration by calling the API; after receiving a response it can register the service and submit its identity and capability requirements for terminals. The information obtained by service registration module 11 can be called on during unified terminal registration and authentication.
Terminal registration module 12 is configured to: perform unified registration of terminals. Through the registration interface the module communicates with gateway 17, responds to registration requests issued by the gateway, and receives the identity information of the terminal group from the gateway. At the same time, the module retrieves from service registration module 11 the identity requirements that the existing services place on terminals, decides on and generates a preliminary terminal service mapping table, and passes the registration information and the mapping table to terminal authentication module 13.
Terminal authentication module 13 is configured to: perform unified authentication of terminals. Through the authentication interface the module communicates with gateway 17, issues digital certificates to gateway 17, organizes gateway 17 to have the terminals attached to it log in for the first time, collects the login information of all terminals in the network through gateway 17, and checks it against the registration information. At the same time, the module obtains from gateway 17 the capability information of all terminals in the network, retrieves the capability requirements for terminals from service registration module 11, decides on and generates the final terminal service mapping table, and passes it to terminal authorization module 14.
Terminal authorization module 14 is configured to: authorize the terminals attached to gateway 17 and upload the authorization information. The module sends the terminal service mapping table generated by terminal authentication module 13 to gateway 17 and organizes gateway 17 to authorize the terminals in the network uniformly. It also extracts the identity and capability information of the terminals registered for each service and, taking each service as the center, uploads the information on the terminals holding permission for that service to the corresponding application server. In addition, to facilitate access control, the module passes the authorization information (which includes the terminal service mapping table) to terminal rights management module 15.
Terminal rights management module 15 is configured to: receive update notifications from service servers, update the terminal service mapping table and notify the terminals. The module provides the ubiquitous service layer with a service update notification interface; when an application server in the service layer is upgraded, updated or withdrawn, it can call this API to notify the terminal rights management module. After obtaining the update information, the terminal rights management module regenerates the terminal service mapping table. It informs terminals of changes to their services through the query and notification interface, and terminals can also query their permissions through it as needed.
Terminal access control module 16 is configured to: respond to service access requests from terminals and notify the application server that a terminal has requested access to its service. A terminal can call the access request API to request access to a service; on responding to the request, terminal access control module 16 retrieves the latest permission information from terminal rights management module 15 and confirms whether the terminal holds access permission for that service; if it does, the module notifies the corresponding application server to serve the terminal.
Gateway 17 is configured to: manage the terminals attached to it and handle communication with terminal registration module 12, terminal authentication module 13 and terminal authorization module 14; organize terminal registration and consolidate the terminals' identity information for unified registration with terminal registration module 12; organize all terminals in the network to log in and consolidate their capability information for upload to terminal authentication module 13; and, after obtaining authorization from terminal authentication module 13, distribute the unified authorization information to each terminal in the network.
Embodiment 3
Below, with reference to the unified management and control platform structure shown in Figure 2, the method flow by which an embodiment of the present invention uses the platform to register, authenticate, authorize and control the access of ubiquitous terminals in a unified way is described in detail. As shown in Figure 3, the flow comprises the following steps: Step 301: The ubiquitous service layer registers its services with the unified management and control platform and submits its identity and capability requirements for terminals to the service registration module.
Step 302: The ubiquitous terminals submit a registration request to the unified management and control platform.
Step 303: After responding to the registration request, the unified management and control platform organizes the terminals to register. Step 304: The ubiquitous terminals submit their registration information to the gateway of the unified management and control platform, and the gateway uploads it to the terminal registration module.
Step 305: The unified management and control platform organizes the terminals to log in for the first time and issues digital certificates. Step 306: The terminals log in and upload their capability information to the gateway by means of the digital certificates, and the gateway uploads it to the terminal authentication module.
Step 307: The unified management and control platform extracts the information on the terminals authorized for each service and uploads it to the corresponding application server.
Step 308: The unified management and control platform notifies the terminals in the network, through the gateway, of the authorization they have obtained.
Step 309: If there is a service update, the application server notifies the unified management and control platform through the service update notification interface.
Step 310: After regenerating the terminal service mapping table, the unified management and control platform notifies the terminals of the permission update.
Step 311: A terminal submits a service access request to the unified management and control platform.
Step 312: After confirming that the terminal has access permission, the unified management and control platform notifies the application server that there is a terminal service access request.
Step 313: After responding to the access request, the application server serves the terminal.
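The modules of Embodiment 2 and the flow of steps 301-313 above can be seen working together in a small model. The following Python is an added illustration, not code from the patent or from the applicant: the service names, device classes, capability strings and terminal ids are constructed, and the digital certificate issued in step 305 is stood in for by a per-terminal secret that authenticates the step 306 capability upload with an HMAC (a real deployment would issue an X.509 certificate and verify a signature). The two-phase construction of the mapping table is kept as the page describes it: the preliminary table is built from identity alone, the final table is the preliminary table filtered by capabilities that the terminal actually proved, so a capability report that fails authentication can never widen a terminal's permissions.

```python
"""Toy model of the platform in Embodiments 2 and 3 (constructed example, not the patent's code).
The step 305 digital certificate is stood in for by a per-terminal secret that HMACs the
step 306 capability upload; a real deployment would issue an X.509 certificate instead."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceRequirement:
    """What an application server registers: admitted identity types and required capabilities."""
    name: str
    allowed_identities: frozenset
    required_capabilities: frozenset


class Platform:
    def __init__(self):
        self.services = {}      # service registration module: name -> ServiceRequirement
        self.identities = {}    # terminal registration module: terminal id -> identity type
        self.credentials = {}   # terminal authentication module: terminal id -> issued secret
        self.capabilities = {}  # terminal id -> capabilities accepted after authentication
        self.mapping = {}       # terminal service mapping table: terminal id -> set of services

    # Service registration module (step 301).
    def register_service(self, req: ServiceRequirement) -> None:
        self.services[req.name] = req

    # Terminal registration module (steps 302-304): identity check only.
    def register_terminals(self, identities: dict) -> dict:
        self.identities.update(identities)
        return self._preliminary_table()

    def _preliminary_table(self) -> dict:
        return {tid: {s.name for s in self.services.values() if itype in s.allowed_identities}
                for tid, itype in self.identities.items()}

    # Terminal authentication module (step 305): credentials only for registered terminals.
    def issue_credentials(self) -> dict:
        for tid in self.identities:
            self.credentials[tid] = secrets.token_bytes(32)
        return dict(self.credentials)  # what the gateway hands to each terminal

    @staticmethod
    def capability_tag(secret: bytes, tid: str, caps) -> bytes:
        """Terminal side: bind the capability report to the terminal's credential."""
        msg = tid.encode() + b"\x00" + ",".join(sorted(caps)).encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()

    # Step 306: a capability report counts only if its tag verifies.
    def upload_capabilities(self, tid: str, caps, tag: bytes) -> None:
        secret = self.credentials.get(tid)
        if secret is None:
            raise PermissionError(f"{tid} holds no credential")
        if not hmac.compare_digest(self.capability_tag(secret, tid, caps), tag):
            raise PermissionError(f"capability report for {tid} failed authentication")
        self.capabilities[tid] = frozenset(caps)

    # Terminal authorization module: filter the preliminary table by proven capabilities.
    def authorize(self) -> dict:
        final = {}
        for tid, names in self._preliminary_table().items():
            caps = self.capabilities.get(tid, frozenset())  # no accepted report -> no capability
            final[tid] = {n for n in names if self.services[n].required_capabilities <= caps}
        self.mapping = final
        return {tid: set(v) for tid, v in final.items()}

    # Step 307: the per-service view uploaded to each application server.
    def terminals_for_service(self, name: str) -> set:
        return {tid for tid, names in self.mapping.items() if name in names}

    # Terminal rights management module (steps 309-310): regenerate and report who changed.
    def update_service(self, req: ServiceRequirement) -> set:
        before = {tid: set(v) for tid, v in self.mapping.items()}
        self.services[req.name] = req
        self.authorize()
        return {tid for tid in self.mapping if before.get(tid, set()) != self.mapping[tid]}

    # Terminal access control module (steps 311-313): decide from the table, not the request.
    def access_allowed(self, tid: str, service: str) -> bool:
        return service in self.mapping.get(tid, set())


def demo() -> Platform:
    """Run steps 301-307 on constructed data and return the populated platform."""
    p = Platform()
    dev = frozenset({"pc", "phone", "pad"})
    p.register_service(ServiceRequirement("streaming", dev, frozenset({"network", "video_decode"})))
    p.register_service(ServiceRequirement("file_share", dev, frozenset({"storage"})))
    p.register_service(ServiceRequirement("copy", frozenset({"copier"}), frozenset({"scan"})))
    p.register_terminals({"pc1": "pc", "phone1": "phone", "copier1": "copier"})
    creds = p.issue_credentials()
    reports = {"pc1": {"network", "video_decode", "storage"},  # constructed capability reports
               "phone1": {"network", "storage"}, "copier1": {"scan", "print"}}
    for tid, caps in reports.items():
        p.upload_capabilities(tid, caps, Platform.capability_tag(creds[tid], tid, caps))
    p.authorize()
    return p
```

Running `demo()` yields a table in which `pc1` may use streaming and file sharing, `phone1` only file sharing (it never proved `video_decode`), and `copier1` only copying; a later `update_service` that relaxes the streaming requirement returns `{"phone1"}` as the only terminal needing re-authorization, which is the change notification of step 310.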
Embodiment 4
Figure 4 is a schematic diagram of an embodiment in which the method of the embodiments of the present invention is used for unified registration, authentication, authorization and access control.
As shown in Figure 4, a heterogeneous terminal group made up of computers, mobile phones, PDAs (Personal Digital Assistants), Pads (tablet computers), cameras, copiers, printers and so on needs to access ubiquitous services such as data communication, printing, Internet, streaming media, social networking, e-mail and file sharing. By constructing a unified management and control platform, the heterogeneous terminals can be registered, authenticated and authorized in a unified way and their access to the ubiquitous services can be controlled securely. The unified management and control platform comprises a registration, authentication and authorization server, a relational database, a communication server and a gateway. The registration, authentication and authorization server implements the functions of the terminal registration module, the service registration module, the terminal authentication module and the terminal authorization module; the relational database implements the function of the terminal rights management module; and the communication server implements the function of the terminal access control module.
In summary, to improve the registration and authentication efficiency and the access security of ubiquitous terminals, the present application provides a unified management and control method and platform that can register, authenticate and authorize a terminal group formed from heterogeneous terminals in a unified way and implement terminal rights management and service access control, improving both efficiency and security.
A person of ordinary skill in the art will understand that all or some of the steps of the above method can be carried out by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module or unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular form of combination of hardware and software.
Industrial applicability
…control, completing the functions of unified authentication, registration, authorization, rights management and access control. Under the dual authentication of identity and capability, the security of service access is ensured; at the same time, the differences between heterogeneous terminals are effectively masked, realizing efficient registration and authentication of heterogeneous terminals.

Claims

1. A unified management and control method for ubiquitous terminals, comprising:
a unified management and control platform receiving a registration request from an application server, registering the service of the application server, and obtaining the service's identity and capability requirements for terminals;
the unified management and control platform receiving a registration request from a terminal group, obtaining the identity information and capability information of each terminal in the terminal group, establishing a terminal service mapping table according to that identity and capability information and the service's identity and capability requirements for terminals, the terminal service mapping table indicating the mapping relationship between each terminal and the services it is able to access, and authorizing each terminal for the services it is able to access.
2. The method according to claim 1, wherein obtaining the identity information and capability information of each terminal in the terminal group and establishing the terminal service mapping table according to that identity and capability information and the service's identity and capability requirements for terminals comprises:
the unified management and control platform organizing the terminals in the terminal group to register and obtaining the identity information of each terminal from the registration information each terminal submits;
comparing the identity information of each terminal with the service's identity requirements for terminals and generating a preliminary terminal service mapping table;
issuing digital certificates to the terminals in the terminal group and obtaining the capability information that each terminal uploads by means of its digital certificate;
comparing the capability information of each terminal with the service's capability requirements for terminals, and filtering the preliminary terminal service mapping table to generate the final terminal service mapping table.
3. The method according to claim 1, further comprising:
after a service update, the unified management and control platform updating the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the updated service's identity and capability requirements for terminals, and, when the terminal service mapping table has changed, re-authorizing the affected terminals for their services.
4. The method according to claim 1, further comprising:
after receiving a service access request from a terminal in the terminal group, the unified management and control platform determining from the terminal service mapping table whether the terminal has access permission; if it does, forwarding the service access request to the corresponding application server, and if it does not, blocking the terminal's access.
5. The method according to claim 1, further comprising: the unified management and control platform uploading the identity information, or the identity and capability information, of the terminals that hold access permission for a service to the corresponding application server.
6. The method according to any one of claims 1 to 5, wherein the terminal group comprises one or more heterogeneous terminals.
7. A unified management and control platform for ubiquitous terminals, comprising:
a service registration module, configured to: receive a registration request from an application server, register the service of the application server, and obtain the service's identity and capability requirements for terminals;
a mapping module, configured to: receive a registration request from a terminal group, obtain the identity information and capability information of each terminal in the terminal group, and establish a terminal service mapping table according to that identity and capability information and the service's identity and capability requirements for terminals, the terminal service mapping table indicating the mapping relationship between each terminal and the services it is able to access; and
a terminal authorization module, configured to: authorize each terminal for the services it is able to access.
8. The platform according to claim 7, wherein the mapping module comprises a terminal registration module and a terminal authentication module, where:
the terminal registration module is configured to: organize the terminals in the terminal group to register, obtain the identity information of each terminal from the registration information each terminal submits, compare the identity information of each terminal with the service's identity requirements for terminals, generate a preliminary terminal service mapping table, and send it to the terminal authentication module;
the terminal authentication module is configured to: issue digital certificates to the terminals in the terminal group, obtain the capability information that each terminal uploads by means of its digital certificate, compare the capability information of each terminal with the service's capability requirements for terminals, and filter the preliminary terminal service mapping table to generate the final terminal service mapping table.
9. The platform according to claim 8, further comprising a terminal rights management module, where:
the terminal authentication module is further configured to send the terminal service mapping table to the terminal rights management module;
the terminal rights management module is configured to: after a service update, update the terminal service mapping table according to the identity information and capability information of each terminal in the terminal group and the updated service's identity and capability requirements for terminals, and, when the terminal service mapping table has changed, re-authorize the affected terminals for their services.
10. The platform according to claim 7, further comprising a terminal access control module, configured to: after receiving a service access request from a terminal in the terminal group, determine from the terminal service mapping table whether the terminal has access permission; if it does, forward the service access request to the corresponding application server; if it does not, block the terminal's access.
11. The platform according to claim 7, wherein the authorization module is further configured to: upload the identity information, or the identity and capability information, of the terminals that hold access permission for a service to the corresponding application server.
12. The platform according to any one of claims 7 to 11, wherein the terminal group comprises one or more heterogeneous terminals.
PCT/CN2013/079351, priority date 2012-11-20, filing date 2013-07-15: Unified management and control method and platform for ubiquitous terminal (WO2013182126A1)

Application claiming priority: CN201210472186.1 (CN103841557A), priority date 2012-11-20, filing date 2012-11-20, "Ubiquitous terminal unified management and control method and platform"

Publication: WO2013182126A1, published 2013-12-12

Family ID: 49711410; family members: CN103841557A (CN), WO2013182126A1 (WO)

Also published as: CN103841557A, 2014-06-04


Legal events: 121 (EP): the EPO has been informed by WIPO that EP was designated in this application (ref. document 13800400, EP, kind code A1); NENP: non-entry into the national phase (DE); 122 (EP): PCT application non-entry in European phase (ref. document 13800400, EP, kind code A1).