WO2014005268A1 - Resource access method and device - Google Patents


Info

Publication number
WO2014005268A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
resource
rule
parsing
identifier
Prior art date
Application number
PCT/CN2012/078071
Other languages
French (fr)
Chinese (zh)
Inventor
许斌
张永靖
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to PCT/CN2012/078071 (WO2014005268A1)
Priority to CN201280001197.XA (CN104169930B)
Publication of WO2014005268A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145 Inheriting rights or properties, e.g. propagation of permissions or restrictions within a hierarchy

Definitions

  • The present invention relates to the field of communications, and in particular to a resource access method and device.
  • Machine-to-Machine (M2M) communication is a networked application and service centered on intelligent machine interaction. It embeds wireless or wired communication modules and application processing logic inside machines so that data communication takes place without manual intervention, meeting users' information needs for monitoring, command and dispatch, data acquisition and measurement.
  • An access control mechanism is used to prevent data in M2M terminals, gateways and service platforms from being accessed illegally by unauthorized applications, thereby ensuring the privacy and security of the various types of data.
  • The elements involved in a single access are the requester (access subject), the access operations (such as "read", "write") and the accessed resource (access object).
  • The access control mechanism works as follows: when an access subject initiates a request to perform certain access operations on an object, the request is allowed or denied according to the access rules associated with the accessed object.
  • The access rule set is configured in an access rights resource, and there are limited ways to configure it.
  • Method 1: if the resource to be configured has no relationship with other resources, create a new access rights resource that meets the requirements and reference it from the resource. Method 2: the resource to be configured is related in access rights to other resources (for example, resources in a parent-child relationship inherit from one another), so it directly references the access rights resource of another resource. Because M2M resources are organized and managed as a resource tree, resources stand in hierarchical relationships and are related in many ways; therefore method 2 (directly referencing the access rights resources of other resources) is used to configure the access rights of resources.
  • The invention provides a resource access method and device that realize access authority inheritance between resources and improve the management efficiency of resource access rights.
  • A resource access method includes: receiving a resource access request from an access device, where the resource access request includes an access device identifier, an access resource identifier and a resource access operation indication; obtaining, according to the access resource identifier, at least two access authority resource identifiers of the corresponding resource, and reading, according to the at least two access authority resource identifiers, the access authority resource indicated by each of them; determining an access rule set for the resource according to the parsing rule for the resource and the access authority resources; and responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
  • The method further includes: receiving a setting request for the access rights of the resource, where the setting request includes at least two access rights resource identifiers, and setting the access rights of the resource according to the at least two access rights resource identifiers.
  • The setting request further includes a rule parsing identifier, and determining the access rule set for the resource according to the parsing rule for the resource and the access authority resources includes: parsing the access authority resources according to the parsing rule corresponding to the rule parsing identifier, and obtaining the access rule set for the resource.
  • The setting request further includes an access authority resource priority rule, and determining the access rule set for the resource according to the parsing rule for the resource and the access authority resources includes: parsing the access authority resources according to the access authority resource priority rule and the parsing rule corresponding to the rule parsing identifier, and obtaining the access rule set for the resource.
  • The setting request further includes a division of the plurality of access rights resources, such that they comprise an access authority resource parent block and a plurality of sub-blocks corresponding to the parent block, where the parent block and each of its sub-blocks carry a corresponding rule parsing identifier. Determining the access rule set for the resource according to the parsing rule and the access authority resources then includes: first parsing the access authority resources according to the parsing rule corresponding to the parent block's rule parsing identifier, then parsing the access authority resources corresponding to each sub-block according to the rule parsing identifiers of the plurality of sub-blocks, and obtaining the access rule set for the resource.
  • The setting request further includes a priority rule for the parent block and the sub-blocks, and determining the access rule set for the resource according to the parsing rule for the resource and the access authority resources includes: parsing the access authority resources according to the parsing rule and the priority rule corresponding to the parent block's rule parsing identifier, and then obtaining the access rule set according to the parsing rules corresponding to the rule parsing identifiers of the plurality of sub-blocks.
  • The setting request includes at least two indirect access rights resource identifiers, and determining the access rule set for the resource according to the parsing rules for the resource and the access rights resources includes: obtaining the access authority resource address from each indirect access authority resource identifier and reading the access authority resource from that address; parsing the access authority resources according to the parsing rule corresponding to the rule parsing identifier; and obtaining the access rule set for the resource.
  • The access rule set includes an access subject set and an access operation set corresponding to each access subject. Responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication includes: if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set, the access device is allowed to access the resource; if the access device does not match the access subject set, or it matches the access subject set but the indicated access operation does not match the access operation set of the access device, the access device is denied access to the resource; and if the access device matches the access subject set but its access operation set is "None", every access operation request of the access device is rejected.
  • A resource access apparatus includes: a receiving unit configured to receive a resource access request from an access device, where the resource access request includes an access device identifier, an access resource identifier and a resource access operation indication; an acquiring unit configured to obtain at least two access rights resource identifiers of the resource corresponding to the access resource identifier, to read the access rights resources indicated by those identifiers, and to determine an access rule set for the resource according to the parsing rules for the resource and the access rights resources; and a response unit configured to respond to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
  • The resource access device further includes a setting unit configured to set the access rights of the resource, where the setting unit includes: a receiving subunit configured to receive a setting request for the access rights of the resource, the setting request including at least two access rights resource identifiers; and a setting subunit configured to set the access authority resource identifiers of the resource according to the setting request received by the receiving subunit.
  • The receiving subunit is specifically configured to receive a setting request for the access rights of the resource, where the setting request further includes a rule parsing identifier, and the acquiring unit includes: a first acquiring unit that obtains the at least two access rights resource identifiers from the access rights identifier of the resource and reads the access rights resource indicated by each; and a second acquiring unit that parses the access authority resources according to the parsing rule corresponding to the rule parsing identifier to obtain the access rule set for the resource.
  • The receiving subunit is further configured to receive an access rights setting request for the resource where the setting request further includes an access authority resource priority rule, and the acquiring unit further includes a third acquiring unit that parses the access authority resources according to the access authority resource priority rule and the parsing rule corresponding to the rule parsing identifier and obtains the access rules for the resource. The receiving subunit is further specifically configured to receive a setting request for the access rights of the resource where the setting request further includes a division of the plurality of access rights resources into an access rights resource parent block and a plurality of sub-blocks corresponding to the parent block, the parent block and each sub-block carrying a corresponding rule parsing identifier, and the acquiring unit further includes a fourth acquiring unit configured to first parse the access authority resources according to the parsing rule corresponding to the parent block's rule parsing identifier, and then parses the identifier according to
  • The receiving subunit is further configured to receive a setting request for the access rights of the resource where the setting request further includes a priority rule for the parent block and the sub-blocks, and the acquiring unit further includes a fifth acquiring unit configured to parse the access authority resources according to the parsing rule and the priority rule corresponding to the parent block's rule parsing identifier, and then to obtain the access rule set of the resource according to the rules corresponding to the plurality of sub-blocks.
  • The receiving subunit is further configured to receive a setting request for the access rights of a resource where the setting request includes at least two indirect access rights resource identifiers, and the acquiring unit further includes a sixth acquiring unit that obtains the access authority resource address from each indirect access authority resource identifier, reads the access authority resource from that address, and parses the access authority resources according to the parsing rule corresponding to the rule parsing identifier to obtain the access rule set for the resource.
  • The response unit is specifically configured to: allow the access device to access the resource if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set of the access device; deny the access device access to the resource if it does not match the access subject set, or matches the access subject set but the requested access operation does not match the access operation set; and reject every access request of the access device if it matches the access subject set but its access operation set is "None".
  • The device may be an M2M terminal, an M2M platform or an M2M gateway.
  • An entity having resource configuration authority sets the access authority resource identifier of the resource in the resource access device, adding the access authority resource identifiers of other resources to it.
  • The resource access device can then obtain the relevant access authority resources according to those identifiers and parse them according to the parsing rule it has set, thereby implementing mutual inheritance of access authority resources between resources, so that the access rights of a resource follow modifications to the access rights of the resources it inherits from. This improves the management efficiency of resource access rights and, at the same time, improves the utilization of access rights resource storage space and saves storage space.
  • FIG. 1 is a typical M2M system architecture diagram.
  • FIG. 2 is a flowchart of a resource access method according to an embodiment of the present invention.
  • FIG. 3B is a Representational State Transfer resource tree of resources according to an embodiment of the present invention.
  • FIG. 4 is a signaling interaction diagram of a resource access method according to an embodiment.
  • FIG. 5 is a schematic diagram of the signaling interaction for configuring the access authority resource identifier of a resource in a resource access method according to another embodiment of the present invention.
  • FIG. 6 shows the resource access method of this embodiment.
  • FIG. 7 is a signaling interaction diagram for setting the access authority resource identifier in a resource access method according to another embodiment of the present invention.
  • FIG. 8 is a signaling interaction diagram of a resource access method according to another embodiment; setting signaling interaction diagram.
  • FIG. 9B is a structural diagram of an access authority resource identifier having multiple access rights resource blocks according to an embodiment of the present invention.
  • FIG. 10 is a signaling interaction diagram of a resource access method according to still another embodiment of the present invention.
  • FIG. 11 is a schematic diagram of a resource access apparatus according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of a setting unit in a resource access device according to an embodiment of the present invention.
  • FIG. 13 is a schematic diagram of an acquiring unit in a resource access device according to an embodiment of the present invention.
  • FIG. 14 is a schematic diagram of a resource access apparatus according to another embodiment of the present invention.

Detailed description

  • FIG. 1 shows a typical M2M system architecture diagram, including:
  • the M2M network application NA 101, which registers with the M2M service platform 102, accesses data collected by M2M devices through the mId interface, and also performs remote device management of M2M devices;
  • the M2M device D 104, which is connected to the M2M service platform 102 through the M2M gateway G 103;
  • the M2M device d 105, which is connected to the M2M service platform 102 through the M2M gateway G 103;
  • the M2M device d 105, which connects to the M2M service platform 102 through the M2M device D 106.
  • The M2M devices d are legacy devices that do not conform to the ETSI M2M specification. The M2M devices D and D' conform to the ETSI M2M specification, where M2M device D has the Service Capability Layer (SCL) defined by the ETSI M2M standard and M2M device D' does not.
  • The M2M gateway G 103 uses a Gateway Interworking Proxy (GIP) to interconnect, over wireless or wired communication (e.g. ZigBee, Bluetooth, DLMS/COSEM, Z-Wave, BACnet, ANSI C12, M-Bus, etc.), with the M2M legacy devices d and the M2M devices D.
  • The mId interface between the M2M gateway or M2M device D and the M2M platform generally uses wired or wireless wide area network communication (e.g. xDSL, HFC, satellite, GERAN, UTRAN, E-UTRAN, WLAN and WiMAX, etc.).
  • FIG. 2 is a flowchart of a resource access method according to an embodiment of the present invention, including:
  • 201: Receive a resource access request from an access device, where the resource access request includes an access device identifier, an access resource identifier and a resource access operation indication.
  • The middleware receives the resource access request from the access device, which requests related operations on the resource, such as reading, writing and the like.
  • The middleware is a logical entity located in the M2M terminal, the M2M gateway or the M2M platform.
  • The resource access request includes an access device identifier, an access resource identifier and an indication of the specific access operation on the resource.
  • The access device may be an M2M terminal, an M2M platform or an M2M gateway.
  • The middleware sets the access authority of the resource in advance. Specifically, according to the access authority setting request of the requesting device for the resource, the middleware writes the access authority resource identifier into the access rights identifier of the resource, and the access authority resource identifier points to the access authority resource.
  • The access authority resource includes an access rule set, and each access rule includes at least an access subject set and an access operation set.
  • The access subject set includes the access subjects allowed to access the resource; an access subject may be described by a URI, a global identifier or an identifier with a specific meaning.
  • The access operation set includes the allowed access operations corresponding to the allowed access subject, such as "read", "write", etc.
  • An access operation can likewise be described by a URI, a global identifier or an identifier with a specific meaning.
  • Obtain at least two access rights resource identifiers of the resource corresponding to the access resource identifier, and read the access rights resources indicated by them according to the at least two access rights resource identifiers.
  • The middleware may look up the access authority resource identifier of the resource corresponding to the resource identifier specified in the access request, obtain the corresponding access authority resource identifiers from it, and read the access rights resource each identifier points to.
  • The access authority resource identifier includes the URI of the access authority resource, and the middleware can obtain the corresponding access rights resource from that URI.
  • The middleware may preset a rule parsing identifier for the access authority resources, where the rule parsing identifier indicates the default parsing rule of the middleware's default configuration.
  • The access authority resources can be parsed with the parsing rule to obtain the access rule set of the resource.
  • The middleware determines whether the access device identifier matches the access subject set in the access rule set, that is, whether it is an access subject in the access subject set, and then determines whether the access operation of the access device matches the subject's access operation set, that is, whether the access operation is one allowed in the access operation set.
  • If both conditions hold, the middleware allows the access device to perform the access operation on the specified resource; otherwise, when the access device fails either condition, the middleware denies the access device access to the specified resource.
  • The access authority of a resource is set by the entity having resource configuration authority, and the access authority resource identifiers of other resources are added to the resource's access authority resource identifier, so that the middleware can obtain the related access authority resources according to those identifiers. This implements mutual inheritance of access authority resources between resources, so that the access authority of a resource follows modifications to the access rights of the resources it inherits from, improving the management efficiency of resource access rights.
  • At the same time, the utilization of access rights resource storage space is improved and storage space is saved.
  • A signaling interaction diagram for setting the access authority identifier of a resource in a resource access method according to an embodiment of the present invention includes:
  • The resource setting requesting device sends a setting request for the access rights of a resource to a receiving device, such as an M2M terminal, an M2M gateway or an M2M platform, where the setting request includes at least two resource access rights identifiers and a resource identifier, to request setting of the access rights of the resource corresponding to the resource identifier.
  • The resource setting requesting device has permission to set the access rights resource, and may be an M2M platform.
  • Resources in M2M are described as a Representational State Transfer (RESTful) resource tree, as shown in FIG. 3B.
  • The containers field holds one or more <container> resources.
  • <container> is a container resource representation of the prior art, and mainly includes data information resources describing applications or M2M terminals, platforms and gateways.
  • <container> has the accessRightID attribute, and accessRightID is the access rights resource identifier.
  • The accessRightID attribute can be set to AnyURI[0...1], meaning 0 to 1 URI pointing to the access rights resource accessRight. If the accessRightID attribute is set to "http://m2m. o .com/accessRights/<ar5>", the access rules of the resource are described by the access rights resource <ar5>.
  • Step 302: Set the access rights of the resource according to the setting request.
  • The receiving device may change the accessRightID attribute from AnyURI[0...1] to AnyURI[0...unbounded] (that is, AnyURIList), where each URI must point to an access authority resource <accessRight>; in other words, a resource access rights identifier is introduced that can reference a combination of at least two access rights resources.
  • The requesting device may be an M2M platform or an M2M gateway, and the receiving device may be an M2M terminal, an M2M platform or an M2M gateway.
  • The M2M platform or M2M gateway may, through an access rights setting request, request the setting of access rights for resources located in other devices such as an M2M terminal, an M2M platform or an M2M gateway, or for resources located locally on the requesting device. That is to say, the requesting device and the receiving device may be the same device or different devices; the embodiments of the present invention are not limited in this respect.
  • The signaling interaction diagram of the resource access method in this embodiment includes:
  • The access device sends a resource access request to the receiving device, where the resource access request includes an access device identifier, a resource identifier and a resource access operation indication for the resource.
  • The receiving device looks up the access rights resource identifier of the resource according to the resource identifier, obtains at least two access rights resource identifiers, reads the corresponding access rights resources according to them, and parses the at least two access rights resources according to the parsing rule specified by the preset rule parsing identifier to obtain the access rule set for the resource.
  • The receiving device returns a resource access response to the access device according to the access rule set, the access device identifier and the access operation indication for the resource.
  • The rule parsing identifier is described by a string.
  • In this embodiment the preset rule parsing identifier is "overlay", and the parsing rule it specifies is "sequential coverage". Specifically, the access rights resources indicated by the at least two imported access rights resource identifiers are read in order from front to back, and the access rules in each access rights resource are parsed in sequence.
  • The set of allowed access operations is determined by the first access rule that contains the access subject. If the access device matches the access subject set of that rule, it is determined whether the access operation of the access device belongs to the access operation set; if so, the access device is allowed to access and operate on the resource. If the access device does not belong to any access subject set in the access rule set, or it belongs to an access subject set but the access operation does not match the allowed access operation set, or the access operation set is "none", the resource access request of the access device is rejected.
  • FIG. 5 is a schematic diagram of the signaling interaction for configuring the access authority resource identifier of a resource in a resource access method according to another embodiment of the present invention. It includes:
  • The requester sends an access authority resource identifier setting request for the resource to the receiving device, where the setting request includes a resource identifier, an access authority resource identifier and a rule parsing identifier.
  • The resource identifier points to the resource whose access authority resource identifier needs to be set; the access authority resource identifier is the identifier of the imported access authority resource; and the rule parsing identifier corresponds to the parsing rule to be set and is described by a character or a string, for example "overlay" or "union", meaning respectively that the access rights resources are parsed by "sequential coverage" or by "taking the union".
  • The rule parsing identifier may take any other form understood by those skilled in the art. If there is no rule parsing identifier, or its value is not set, the default parsing rule is used, for example parsing the access rights resources one by one from back to front.
  • The receiving device, such as an M2M terminal, M2M gateway or M2M platform, adds the imported access rights resource identifier and the rule parsing identifier to the access rights identifier of the resource corresponding to the resource identifier, according to the setting request.
  • accessRightID includes an imports element; the imports element includes one or more import elements and at least one resolveMode element. Each import element is used to import one access rights resource identifier, and resolveMode describes the rule parsing identifier that indicates a particular parsing rule.
  • The rule parsing identifier can also be set to "RFC4745" or "RFC3530", etc., indicating that the access authority resources are parsed according to the RFC 4745 or RFC 3530 specification. Please refer to the relevant specifications for the parsing rules specified by these identifiers.
  • the resource access method in this embodiment includes:
  • the access device sends an access request to the receiving device, where the access request carries a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device obtains the access permission resource identifier and the rule resolution identifier from the access permission identifier of the resource, reads the access permission resource according to the access permission resource identifier, and then parses the access permission resource according to the parsing manner corresponding to the rule resolution identifier to obtain an access rule set for the resource.
  • if the access device identifier belongs to the access subject set in the access rule set, and the access operation belongs to the allowed access operation set of the access rule set, the resource access request of the device is allowed; otherwise a reject response is given.
  • when the access device reads the resource, the middleware first obtains the value of resolveMode, which is "RFC4745", and then parses the access rule set for the resource according to the RFC 4745 specification indicated by the rule resolution identifier. Based on the parsed access rule set, it judges whether the access device may read the resource; if so, the read is allowed, otherwise a reject response is given.
  • if some of the resolution modes indicated by resolveMode have priority requirements for the imported rights resources, the access rights resources are parsed according to those priority requirements.
  • in the following, the access rights resource identifier points to multiple access rights resources, and the access rights resources have priorities.
  • the signaling interaction for configuring the access resource identifier in another embodiment of the present invention is as follows:
  • the requesting device sends a setting request for the access right identifier of a specific resource to a receiving device, such as an M2M terminal, an M2M gateway, or an M2M platform, where the setting request includes a resource identifier, an imported access right resource identifier, a rule parsing identifier, and an access permission resource priority rule.
  • the receiving device sets an access authority resource identifier of the specified resource according to the setting request.
  • a priority value is defined for each imported access authority resource according to the access authority resource priority rule.
  • the priority attribute is set for each import element of the access resource identifier.
  • the value of the attribute can be a numeric value or a character to describe the priority relationship of the imported access rights resource.
  • the signaling interaction diagram of the resource access method in this embodiment includes:
  • the access device sends a resource access request to the receiving device, where the resource access request includes a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device may be an M2M terminal, an M2M gateway, or an M2M platform
  • the access device may also be an M2M terminal, an M2M gateway, or an M2M platform.
  • the receiving device searches for the access right resource identifier under the resource corresponding to the resource identifier in the resource access request, reads the access right resource according to the access right identifier under the access right resource identifier, and parses it according to the parsing rule corresponding to the rule parsing identifier under the access authority resource identifier, obtaining the access rule set for the resource.
  • the receiving device responds to the access device according to the access device identifier, the access operation, and the access rule set, returning the resource access response.
  • if the access device belongs to the access subject set in the access rule set, it is determined whether the access operation carried in the access request belongs to the access operation set allowed for that access subject; if yes, the access device is allowed to access and operate on the resource. If the access device does not match the access subject set in the access rule set, or if the access operation does not match the allowed access operation set, the resource access and operation of the access device are rejected.
  • The example shown above shows that the access rights of the resource are described by the access rights resources <ar3> and <ar4>, and the imported access rights resources have a priority relationship.
  • <ar3> has higher priority than <ar4>; in addition, the resolveMode indicates that the parsing rule is the "sequential coverage" method.
  • the parsed rule set is: the access subject "App1" allows the access operations "Write" and "Read", the access subject "App2" allows the access operation "Read", and the access subject "App3" allows the access operation "Write".
  • the resolveMode can also be set to "RFC4745", "RFC3530", etc., in which case rule parsing is performed according to the "RFC4745" or "RFC3530" specification respectively. For details, please refer to the corresponding specification.
  • the resource access method will be described below by taking as an example an access right identifier that introduces a plurality of access rights resources in blocks, including a parent block and a plurality of sub-blocks corresponding to the parent block.
  • a signaling interaction diagram for setting an access authority resource identifier of a resource in a resource access method includes:
  • the requester sends a setting request for the access right identifier of the resource to a receiving device, such as an M2M terminal, an M2M gateway, or an M2M platform, where the setting request includes a resource identifier, an access authority resource identifier, the rule for dividing the access authority resources into a parent block and sub-blocks, and the rule resolution identifier corresponding to the parent block and to each sub-block respectively.
  • the parent block is specified by setting an "introduction" (i.e., "imports") element of the access authority identifier
  • the child block is specified by setting a "reference" (i.e., "import") element of the access authority identifier.
  • the receiving device sets the access right of the specified resource according to the setting request. Specifically, the receiving device obtains the resource according to the resource identifier specified in the setting request, and updates the access right identifier of the resource to the access right identifier carried in the request. That is, the access rights resources are partitioned: the parent block and the plurality of sub-blocks of access rights resources corresponding to the parent block are set. Each sub-block includes at least one access rights resource identifier. A separate rule resolution identifier can be set for each sub-block and for the parent block, and each sub-block and the parent block can also have a priority rule set.
  • an access rights resource identifier that introduces access rights resources in blocks can be described by the data structure shown in Figure 9B.
  • the accessRightID structure of an access authority resource identifier with multiple imports includes a permissionsRef element; that element further includes one or more imports elements, each imports element includes one or more import elements, and each import element includes one or more access rights resource identifiers.
  • the signaling interaction diagram of the resource access method in this embodiment includes:
  • the access device sends a resource access request to the receiving device, where the resource access request includes a resource identifier, an access device identifier, and an access operation to the resource.
  • the receiving device may be an M2M terminal, an M2M gateway, or an M2M platform, and the access device may also be an M2M terminal, an M2M gateway, or an M2M platform.
  • the receiving device checks, according to the resource identifier in the resource access request, the access right resource identifier under the resource corresponding to the resource identifier; it first parses the access permission resource corresponding to the parent block according to the parsing rule and the priority rule corresponding to the parent block's rule parsing identifier, and then parses the access permission resources corresponding to the sub-blocks according to the rule parsing identifiers and priority rules corresponding to the multiple sub-blocks, obtaining the resource access rule set for the resource.
  • the receiving device returns a resource access response to the access device according to the access device identifier, the access operation indication, and the access rule set.
  • the access rights of the resource are jointly described by the access rights resources <ar1>, <ar2>, <ar3>, <ar4>, <ar5>, <ar6>, <ar7>; when the access device
  • the receiving device first obtains the value of the resolve parameter of the "permission reference" (i.e., permissionsRef) element, which is "RFC3530" (i.e., the rule resolution identifier is RFC3530).
  • the access rule set for the resource is then parsed in accordance with the RFC 3530 specification indicated by the rule resolution identifier.
  • the RFC 3530 parsing method has priority requirements for the access rights resources.
  • the receiving device reads the priority attribute of each imports element and orders the parsing according to the attribute value.
  • the priority of the last imports element is given by the value of its priority attribute. Therefore, the access permission resource in the last imports element is parsed first; then the first imports element is parsed, because its priority attribute value is 2; and finally the intermediate imports element is parsed, because its priority attribute value is 1. Each imports element is parsed according to the parsing method indicated by the value of its sub-element resolveMode. Finally, based on the parsed access rule set, it is determined whether the requester can read the resource, and a response is given.
  • the reject or allow response of the middleware is not always triggered only after all the rules have been parsed; it is triggered immediately once it is determined that the access device's resource access request does not meet the access rules.
  • the resource access method of another embodiment of the present invention is further described below by taking as an example an access resource identifier that points directly or indirectly to multiple access rights resources.
  • the access authority resource identifier of a resource may point to the access authority resources directly or indirectly; "indirect" means that the access authority resource identifier does not point to the access authority resource itself.
  • the access rights associated with a resource consist of zero or more access resource identifiers pointing directly or indirectly at access rights resources. For example, the accessRightID attribute of the resource Resource is set to "http://m2m.o.com/containers/<container1>;http://m2m.op.com/accessRights/<ar5>" to indicate the access rights of the resource.
  • the accessRightID of the resource http://m2m.o.com/containers/<container2> indicates its access rights. When the access device performs a read operation on the resource Resource, the default access rights of the receiving device are received.
  • the resource resolving rule first parses <ar5>: if the access subject set of the resulting access rule set contains the requester and the allowed access operation set includes the read operation, the requester is allowed to read the resource; if the allowed access operation set does not contain the read operation, the requester is not allowed to read the resource.
  • if the access subject set of the access rule set obtained by parsing <ar5> does not include the requester, the access authority resources indicated by the accessRightID of the resource <container2> are parsed next, until all the access rights resources have been resolved. It is worth noting that after parsing "http://m2m.op.com/containers/<container2>/accessRightID", the device needs to parse according to the resource identifier. In parsing http://m2m.op.
  • refers to the accessRightID resource of the resource.
  • the resource access device includes: a setting unit 1101, configured to set the access authority resource identifier of a resource and enable the access authority resource identifier of the resource.
  • the resource access request includes at least two resource access rights identifiers, and the resource access rights identifiers point to the access rights resources.
  • the receiving unit 1102 is configured to receive a resource access request of the access device, where the resource access request includes an access device identifier and a resource access operation;
  • the obtaining unit is configured to obtain the access authority resource identified by the resource identifier, parse the access authority resource according to a preset parsing rule, and obtain a resource access rule set for the resource;
  • the response unit 1104 is configured to respond to the resource access request of the access device according to the resource access rule set and the access device identifier.
  • the setting unit 1101 includes as shown in FIG. 12:
  • the obtaining unit is shown in FIG. 13 and includes:
  • the first obtaining unit is configured to acquire the access right resource identifier in the access right identifier of the resource, and read the access right resource according to the access right resource identifier;
  • the second obtaining unit 11032 parses the access authority resource according to the parsing rule corresponding to the rule parsing identifier, and acquires a resource access rule set for the resource.
  • the third obtaining unit 11033 is configured to parse the access authority resource according to the access authority resource priority rule and the parsing rule corresponding to the rule resolution identifier, and acquire a resource access rule set for the resource.
  • the fourth obtaining unit 11034 is configured to parse the access permission resource according to the parsing rule corresponding to the parent block rule parsing identifier, and then parse the access permission resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the multiple sub-blocks, obtaining a resource access rule set for the resource.
  • the fifth obtaining unit 11035 is configured to parse the access permission resource according to the parsing rule and the priority rule corresponding to the parent block rule parsing identifier, and then parse the access permission resources corresponding to the multiple sub-blocks according to their rule parsing identifiers and priority rules, obtaining a resource access rule set for the resource.
  • the sixth obtaining unit 11036 is configured to obtain an access authority resource address according to the indirect access authority resource identifier, and read the access authority resource according to the access authority resource address.
  • the resource access device in the embodiment of the present invention may be an M2M terminal, an M2M platform, or an M2M gateway.
  • in the resource access device of the embodiment of the present invention, the access authority resource identifier of a resource is set by an entity having the resource configuration authority, which adds the access authority resource identifier of another resource to the access authority resource identifier.
  • the resource access device can then obtain the related access authority resource according to the access authority resource identifier, thereby implementing mutual inheritance of access authority resources between resources, so that the access authority of a resource adjusts itself when the access authority of the inherited resource is modified. This improves the management efficiency of resource access rights and, at the same time, improves the utilization of access resource storage space and saves storage space.
  • FIG. 14 is a schematic structural diagram of another resource access apparatus according to an embodiment of the present invention, including a memory 1401, and a processor 1402.
  • the memory 1401 is used to store the units described in FIG. 11-13
  • the processor 1402 is coupled to the memory 1401 and runs each unit in the memory 1401 so that the units perform their respective functions.
  • the functions of the units in the memory 1401 in FIG. 14 are the same as those in the units in FIG. 11-13, and the embodiments of the present invention are not described in detail herein.
  • the M2M platform can be a computer or another device with a processor.
  • M2M gateways and M2M terminals are not strictly distinguished at the device level; a device used as a gateway can also serve as a terminal.
  • various terminal devices such as mobile phones, computers, PDAs, notebook computers, remote controllers, household appliances, and various instruments, sensors, etc. can be used as gateways or terminals of M2M networks.
  • each unit included is divided only according to functional logic and is not limited to the above division, as long as the corresponding function can be implemented; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not intended to limit the scope of protection of the present invention.
  • the above-mentioned method for realizing the charging and the functions of each functional unit of the charging device can be completed by the M2M gateway or by the processor running the M2M platform.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM: Read-Only Memory), or a random access memory (RAM).

Abstract

Disclosed are a resource access method and device. The method comprises: receiving a resource access request of an access device; according to the resource access request, obtaining at least two access authority resources of the resource; according to a parsing rule for the resource and the access authority resources, determining an access rule set for the resource; and according to the access rule set, the device identifier and the resource access operation indication, responding to the resource access request of the access device. The resource access method and device in the embodiments of the present invention achieve the mutual inheritance of access authority resources between resources to enable the access authority of the resources to conduct self-adjustment with the modification of the access authority of the inherited resource, thereby improving the efficiency of resource access authority management.

Description

Resource access method and device
Technical field
The present invention relates to the field of communications, and in particular to a resource access method and device.
Background
Machine-to-Machine Communications (M2M) is a networked application and service centred on intelligent interaction between machines. By embedding wireless or wired communication modules and application processing logic inside machines, it achieves data communication without human intervention, meeting users' information needs for monitoring, command and dispatch, data acquisition and measurement.
In M2M, the access control mechanism is used to prevent data in M2M terminals, gateways and service platforms from being illegally accessed by unauthorized applications, thereby guaranteeing the privacy and security of all kinds of data. In general, the elements involved in an access include the requester (access subject), the access operation (such as "read", "write", etc.) and the accessed object (access object). The access control mechanism works as follows: when an access subject initiates an access request for certain access operations on an access object, the request is allowed or denied according to the access rules associated with that access object, i.e. the access rule set.
In the M2M specification currently developed by the European Telecommunication Standardization Institute (ETSI), the access rule set is configured in the access rights resource, configuration of rights.
Since the M2M specification defined by ETSI stipulates that an access rights resource identifier may reference only zero or one access rights resource, and when zero resources are referenced the system by default references the access rights resource of the parent resource, in substance it still references one access rights resource. In this case, when configuring the access rights resource identifier of a resource, there are two methods depending on the requirements: method one, when the resource to be configured has no relationship in access rights with other resources, a new access rights resource meeting the requirements is created and referenced; method two, when the resource to be configured is related to other resources in access rights, for example resources with a parent-child relationship have an inheritance relationship, the access rights resource of the other resource is referenced directly. Because M2M is organized and managed in a resource tree structure, resources have hierarchical relationships and many relationships exist among resources, so method two (directly referencing the access rights resource of other resources) is usually used to configure the access rights of a resource.
However, when a resource is accessed by multiple applications each having different access rights, or when the access rights of a resource partly reference other resources but differ from the rights of the referenced resource, the prior art can only re-configure the rights for that resource anew, and cannot, through the access rights
Summary of the invention
The present invention provides a resource access method and device, which implement inheritance of access rights between resources and improve the management efficiency of resource access rights.
In one aspect, a resource access method is provided, including: receiving a resource access request of an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication; rights resource identifiers, reading the access rights resource indicated by each access rights resource identifier according to the at least two access rights resource identifiers; determining an access rule set for the resource according to the parsing rule for the resource and the access rights resources; and responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
Optionally, the method further includes: receiving a setting request for the access rights of the resource, the setting request including at least two access rights resource identifiers, and setting the access rights for the resource according to the at least two access rights resource identifiers.
Optionally, the setting request further includes a rule parsing identifier, and determining the access rule set for the resource according to the parsing rule for the resource and the access rights resources includes: parsing the access rights resources according to the parsing rule corresponding to the rule parsing identifier, and obtaining the access rule set for the resource.
Optionally, the setting request further includes an access rights resource priority rule, and determining the access rule set for the resource according to the parsing rule for the resource and the access rights resources includes: parsing the access rights resources according to the access rights resource priority rule and the parsing rule corresponding to the rule parsing identifier, and obtaining the access rule set for the resource.
Optionally, the setting request further includes dividing the multiple access rights resources into blocks, so that the multiple access rights resources include an access rights resource parent block and multiple sub-blocks corresponding to the parent block, the parent block and each of its sub-blocks including a corresponding rule parsing identifier; determining the access rule set for the resource according to the parsing rule for the resource and the access rights resources then includes: first parsing the access rights resources according to the parsing rule corresponding to the parent block's rule parsing identifier, then parsing the access rights resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the multiple sub-blocks, and obtaining the access rule set for the resource.
Optionally, the setting request further includes priority rules for the parent block and the sub-blocks, and determining the access rule set for the resource according to the parsing rule for the resource and the access rights resources includes: first parsing the access rights resources according to the parsing rule and the priority rule corresponding to the parent block's rule parsing identifier, then, according to the parsing rules corresponding to the rule parsing identifiers of the multiple sub-blocks, the resource access rule set.
Optionally, the setting request includes at least two indirect access rights resource identifiers, and determining the access rule set for the resource according to the parsing rule for the resource and the access rights resources includes: obtaining an access rights resource address according to the indirect access rights resource identifier, and reading the access rights resource according to the access rights resource address; parsing the access rights resource according to the parsing rule corresponding to the rule parsing identifier, and obtaining the access rule set for the resource.
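The indirect-reference case just described, and the worked <ar5>/<container2> walk in the embodiment above (parse the directly referenced resource first, decide at once if it names the requester, otherwise continue through the referenced resource's own accessRightID, stopping early as soon as a decision is reached), as an added illustration that is not code from the patent. Everything in it is an assumption of the example: references are modelled as ("direct", access-rights-resource-id) or ("indirect", resource-name) tuples standing in for the page's URLs, an access-rights resource is a mapping from access subject to its set of allowed operations (an empty set meaning "none"), the sample resources and rule sets are constructed, and the visited set that stops reference cycles is an added safeguard the page does not mention.

```python
"""Walking an accessRightID with direct and indirect references.

Added illustration, not code from the patent. Assumptions (not stated by the
page): a reference is ("direct", access-rights-resource-id) or
("indirect", resource-name), standing in for the page's URLs; an access-rights
resource is a mapping subject -> set of allowed operations, empty set meaning
"none"; references are walked in the listed order, the first rule set that
names the requester decides at once (allow if it lists the operation, else
reject), and a requester named nowhere is rejected. The visited set that stops
reference cycles is an added safeguard the page does not mention.
"""
from typing import Dict, List, Optional, Set, Tuple

Ref = Tuple[str, str]
RuleSet = Dict[str, Set[str]]

# Constructed sample data.
ACCESS_RIGHTS: Dict[str, RuleSet] = {
    "ar5": {"App1": {"Read"}},
    "ar6": {"App2": {"Read", "Write"}, "App3": set()},  # App3: operation set "none"
}
RESOURCES: Dict[str, List[Ref]] = {
    "Resource":   [("direct", "ar5"), ("indirect", "container2")],
    "container2": [("direct", "ar6"), ("indirect", "container3")],
    "container3": [("indirect", "container2")],  # constructed reference cycle
}


def first_decision(resource: str, subject: str, operation: str,
                   resources: Dict[str, List[Ref]],
                   access_rights: Dict[str, RuleSet],
                   visited: Optional[Set[str]] = None) -> Optional[str]:
    """Return "allow"/"reject" from the first referenced rule set naming
    `subject` while walking the accessRightID of `resource`; None if no
    referenced rule set names the subject."""
    if visited is None:
        visited = set()
    if resource in visited:  # cycle, or a resource already walked
        return None
    visited.add(resource)
    for kind, target in resources.get(resource, []):
        if kind == "direct":
            rules = access_rights.get(target)
            if rules is None:  # dangling reference: skip it (assumption);
                continue       # the overall result still fails closed
            if subject in rules:
                return "allow" if operation in rules[subject] else "reject"
        elif kind == "indirect":
            verdict = first_decision(target, subject, operation,
                                     resources, access_rights, visited)
            if verdict is not None:
                return verdict
        else:
            raise ValueError(f"unknown reference kind {kind!r}")
    return None


def decide(resource: str, subject: str, operation: str,
           resources: Dict[str, List[Ref]] = RESOURCES,
           access_rights: Dict[str, RuleSet] = ACCESS_RIGHTS) -> str:
    """Final verdict: a requester named in no referenced rule set is rejected."""
    return first_decision(resource, subject, operation,
                          resources, access_rights) or "reject"


if __name__ == "__main__":
    for subj, op in [("App1", "Read"), ("App1", "Write"), ("App2", "Write"),
                     ("App3", "Read"), ("App9", "Read")]:
        print(subj, op, "->", decide("Resource", subj, op))
```

The early return in `first_decision` is the behaviour the embodiment attributes to the middleware: a reject for App1 writing is issued as soon as <ar5> is parsed, without reading <container2>'s references at all, while App2 is only reached through the indirect reference.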
可选的 ,所述访问规则集包括访问主体集和与访问主体对应的访问操作集 , 所述根据所述访问规则集以及所述设备标识和所述资源访问操作指示响应所 述访问设备的资源访问请求, 包括: 若所述访问设备与所述访问主体集匹配, 且所述资源访问操作指示所指示的访问操作与所述访问操作集匹配,则允许所 述访问设备访问所述资源; 若所述访问设备与所述访问主体集不匹配, 或者所 述访问设备与所述访问主体集匹配,但所述资源访问操作指示所指示的访问操 作与所述访问设备的访问操作集不匹配, 则拒绝所述访问设备访问所述资源; 若所述访问设备与所述访问主体集匹配,但所述访问设备的访问操作集为 "无" , 则拒绝该访问设备的各类访问操作请求。  Optionally, the access rule set includes an access subject set and an access operation set corresponding to the access body, and the resource that responds to the access device according to the access rule set and the device identifier and the resource access operation indication The access request includes: if the access device matches the set of access subjects, and the resource access operation indicates that the indicated access operation matches the access operation set, allowing the access device to access the resource; The access device does not match the set of access subjects, or the access device matches the set of access subjects, but the access operation indicated by the resource access operation indication does not match the access operation set of the access device, And the access device is denied access to the resource; if the access device matches the set of access subjects, but the access operation set of the access device is “None”, the various access operation requests of the access device are rejected.
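The parsing rules ("overlay"/sequential coverage and "union" as resolveMode values, optionally ordered by a per-import priority) together with the allow/reject decision stated in the paragraph above, as an added worked example that is not code from the patent. Its assumptions are the example's own: an access-rights resource is modelled as a mapping from access subject to its set of allowed operations, with an empty set standing for the operation set "none"; under "overlay" a later resource overwrites an earlier one per subject, under "union" the operations are unioned per subject; when priority values are given, the resource with the smallest value is applied last (and so wins under overlay), which follows the parsing order the embodiment describes for the values 2 and 1; with neither resolveMode nor priorities, the stated default of parsing from back to front is read as overlay in reverse order. The contents of <ar3> and <ar4> are constructed, since the page does not show them, and are chosen so that the merged result equals the rule set the page states for that example.

```python
"""Access rule set from several imported access-rights resources.

Added illustration, not code from the patent. Assumptions (not stated by the
page): an access-rights resource is a mapping subject -> set of allowed
operations, with an empty set standing for the operation set "none";
resolveMode "overlay" means sequential coverage (later resources overwrite
earlier entries per subject) and "union" means taking the union per subject;
when priority values are given, the resource with the smallest value is applied
last, so it wins under overlay, matching the order the page describes for the
values 2 and 1; with no resolveMode and no priorities, the page's default of
parsing from back to front is read as overlay in reverse order.
"""
from typing import Dict, Optional, Sequence, Set

RuleSet = Dict[str, Set[str]]  # access subject -> allowed access operations


def overlay(resources: Sequence[RuleSet]) -> RuleSet:
    """Sequential coverage: a later resource replaces, per subject, whatever
    an earlier one said; an empty set ("none") replaces too."""
    merged: RuleSet = {}
    for rules in resources:
        for subject, ops in rules.items():
            merged[subject] = set(ops)
    return merged


def union(resources: Sequence[RuleSet]) -> RuleSet:
    """Take the union of allowed operations per subject."""
    merged: RuleSet = {}
    for rules in resources:
        for subject, ops in rules.items():
            merged.setdefault(subject, set()).update(ops)
    return merged


def resolve(resources: Sequence[RuleSet], resolve_mode: Optional[str] = None,
            priorities: Optional[Sequence[int]] = None) -> RuleSet:
    """Derive the access rule set of a resource from its imported resources."""
    ordered = list(resources)
    if priorities is not None:
        if len(priorities) != len(resources):
            raise ValueError("one priority value per imported resource")
        # Larger value parsed first, smallest value (highest priority) last.
        order = sorted(range(len(resources)), key=lambda i: -priorities[i])
        ordered = [resources[i] for i in order]
    elif resolve_mode is None:
        ordered.reverse()  # page default: parse one by one from back to front
    mode = resolve_mode or "overlay"  # assumption: the default merge is overlay
    if mode == "overlay":
        return overlay(ordered)
    if mode == "union":
        return union(ordered)
    raise ValueError(f"unsupported resolveMode {mode!r}")


def decide(rule_set: RuleSet, subject: str, operation: str) -> str:
    """Allow only a named subject whose allowed set contains the operation;
    an unnamed subject and a subject with the set "none" are rejected."""
    allowed = rule_set.get(subject)
    if not allowed or operation not in allowed:
        return "reject"
    return "allow"


# Constructed contents for the page's <ar3> and <ar4> (the page does not show
# them), chosen so that overlay with <ar3> winning yields the rule set the page
# states: App1 {Read, Write}, App2 {Read}, App3 {Write}.
AR3: RuleSet = {"App1": {"Read", "Write"}, "App2": {"Read"}}
AR4: RuleSet = {"App1": {"Read"}, "App2": {"Read", "Write"}, "App3": {"Write"}}


def example() -> Dict[str, str]:
    """<ar3> carries priority 1, <ar4> priority 2, so <ar3> is applied last."""
    rules = resolve([AR3, AR4], "overlay", priorities=[1, 2])
    return {
        "App1 Write": decide(rules, "App1", "Write"),
        "App2 Write": decide(rules, "App2", "Write"),
        "App4 Read": decide(rules, "App4", "Read"),
    }


if __name__ == "__main__":
    print("overlay:", resolve([AR3, AR4], "overlay", priorities=[1, 2]))
    print("union:  ", resolve([AR3, AR4], "union"))
    print(example())
```

The choice of resolveMode changes the outcome for App2: overlay with <ar3> winning leaves App2 with "Read" only, so a write is rejected, whereas "union" would grant App2 both operations. A subject absent from every imported resource is rejected by `decide` rather than falling through to some default, which is the fail-closed reading of the decision rule above.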
In another aspect, a resource access apparatus is provided, including: a receiving unit configured to receive a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource […] at least two access rights resource identifiers of the resource corresponding to the […] identifier, and to read, according to the at least two access rights resource identifiers, the access rights resource indicated by each of them; the unit is further configured to determine an access rule set for the resource according to the parsing rule for the resource and the access rights resources; and a response unit configured to respond to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
Optionally, the resource access apparatus further includes a setting unit configured to set the access rights of the resource, the setting unit including: a receiving subunit configured to receive a setting request for the access rights of the resource, the setting request including at least two access rights resource identifiers; and a setting subunit configured to, according to the setting request received by the receiving subunit, […] the access rights resource identifier of the resource […] identifier.
Optionally, the receiving subunit is specifically configured to receive a setting request for the access rights of the resource, the setting request further including a rule parsing identifier, and the acquiring unit includes: a first acquiring unit configured to obtain at least two access rights resource identifiers from the access rights resource identifier of the resource and to read the access rights resource for each of them; and a second acquiring unit configured to parse the access rights resources according to the parsing rule corresponding to the rule parsing identifier to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive an access rights setting request for the resource, the setting request further including an access rights resource priority rule, and the acquiring unit further includes a third acquiring unit configured to parse the access rights resources according to the access rights resource priority rule and the parsing rule corresponding to the rule parsing identifier to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of the resource, the setting request further dividing the multiple access rights resources into blocks, so that the multiple access rights resources include an access rights resource parent block and a plurality of sub-blocks corresponding to that parent block, each of the parent block and its sub-blocks having a corresponding rule parsing identifier; the acquiring unit further includes a fourth acquiring unit configured to first parse the access rights resources according to the parsing rule corresponding to the rule parsing identifier of the parent block, and then parse the access rights resources corresponding to the sub-blocks according to the rule parsing identifiers corresponding to the plurality of sub-blocks, to obtain the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of the resource, the setting request further including respective priority rules for the parent block and the sub-blocks, and the acquiring unit further includes a fifth acquiring unit configured to first parse the access rights resources according to the parsing rule and the priority rule corresponding to the rule parsing identifier of the parent block, and then, according to the rules corresponding to the plurality of sub-blocks, […] the access rule set for the resource.
Optionally, the receiving subunit is further specifically configured to receive a setting request for the access rights of a resource, the setting request including at least two indirect access rights resource identifiers, and the acquiring unit further includes a sixth acquiring unit configured to obtain an access rights resource address from each indirect access rights resource identifier, read the access rights resource at that address, and parse the access rights resources according to the parsing rule corresponding to the rule parsing identifier to obtain the access rule set for the resource.
Optionally, the response unit is specifically configured to: if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set of the access device, allow the access device to access the resource; if the access device does not match the access subject set, or matches the access subject set but the resource access operation does not match the access operation set, deny the access device access to the resource; and if the access device matches the access subject set but the access operation set of the access device is "none", reject every access operation request from that access device.
Optionally, the apparatus includes: an M2M terminal, an M2M platform or an M2M gateway.
In the resource access method and resource access apparatus of the embodiments of the present invention, a subject holding resource configuration rights sets the access rights resource identifier of a resource in the resource access apparatus and adds the access rights resource identifiers of other resources to it, so that the resource access apparatus can obtain the related access rights resources from those identifiers and parse them according to its own parsing rule. Access rights resources are thereby inherited between resources, so that a resource's access rights adjust themselves whenever the access rights of the inherited resources are modified. This improves the management efficiency of resource access rights and, at the same time, improves the utilisation of the storage space for access rights resources and saves storage space.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is an architecture diagram of a typical M2M system;
FIG. 2 is a flowchart of a resource access method according to an embodiment of the present invention;
[…] signaling interaction diagram;
FIG. 3B is a representational state transfer resource tree of resources according to an embodiment of the present invention;
FIG. 4 is a signaling interaction diagram of a resource access method according to an embodiment;
FIG. 5 is a signaling interaction diagram for configuring the access rights resource identifier of a resource in a resource access method according to another embodiment of the present invention;
FIG. 6 shows the resource access method of this embodiment;
FIG. 7 is a signaling interaction diagram for setting the access rights resource identifier in a resource access method according to another embodiment of the present invention;
FIG. 8 is a signaling interaction diagram of a resource access method according to another embodiment;
[…] setting signaling interaction diagram;
FIG. 9B is a structural diagram of an access rights resource identifier having multiple access rights resource blocks according to an embodiment of the present invention;
FIG. 10 is a signaling interaction diagram of a resource access method according to yet another embodiment of the present invention;
FIG. 11 is a schematic diagram of a resource access apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of the setting unit in a resource access apparatus according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of the acquiring unit in a resource access apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a resource access apparatus according to another embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is an architecture diagram of a typical M2M system, including:
an M2M network application NA 101, which registers with the M2M service platform 102, accesses the data collected by M2M devices through the mId interface, and also performs remote device management of M2M devices; an M2M device D' 104, connected to the M2M service platform 102 through the M2M gateway G 103;
an M2M device d 105, connected to the M2M service platform 102 through the M2M gateway G 103;
an M2M device d' 105', connected to the M2M service platform 102 through the M2M device D 106.
Here the M2M device d 105 and the M2M device d' 105' are legacy devices that do not conform to the ETSI M2M specification; the M2M device D and the M2M device D' are devices that conform to the ETSI M2M specification, where the M2M device D has the Service Capability Layer (SCL) defined by the ETSI M2M standard and the M2M device D' does not.
The M2M gateway G 103 uses the Gateway Interworking Proxy (GIP) to interconnect with the legacy M2M devices d and the M2M devices D' over wireless or wired communication (for example Zigbee, Bluetooth, DLMS/COSEM, Z-Wave, BACnet, ANSI C12 or M-Bus). The mId interface between the M2M gateway or the M2M device D and the M2M platform generally uses wired or wireless wide-area or local-area communication (for example xDSL, HFC, satellite, GERAN, UTRAN, eUTRAN, WLAN or WiMAX).
The technical solution of an embodiment of the present invention is described as a whole below. FIG. 2 is a flowchart of a resource access method according to an embodiment of the present invention, including:
201. Receive a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication.
Specifically, the middleware receives a resource access request from the access device requesting an operation on a resource, such as a read or a write. The middleware is a logical entity located in an M2M terminal, an M2M gateway or an M2M platform. The resource access request includes the access device identifier, the access resource identifier and the specific access operation indication for the resource.
It should be noted that the access device may be an M2M terminal, an M2M platform or an M2M gateway.
In addition, the middleware has set the access rights of the resource beforehand. Specifically, according to the access rights setting request of the requesting device for the resource, the middleware […] the access rights resource identifier of the resource […] resource identifier, where each access rights resource identifier points to an access rights resource. The access rights resource includes an access rule set, and each access rule includes at least an access subject set and an access operation set. The access subject set includes the access subjects allowed to access the resource; an access subject may be described by a URI, a global identifier or an identifier with a specific meaning. The access operation set includes the access operations permitted for the allowed access subjects, such as "read" and "write"; likewise, an access operation may be described by a URI, a global identifier or an identifier with a specific meaning.
[…] two access rights resource identifiers, and read, according to the at least two access rights resource identifiers, the access rights resource indicated by each of them.
Specifically, the middleware may look up the access rights resource identifier of the resource corresponding to the resource identifier specified in the access request, obtain the access rights resource identifiers it contains, and read the access rights resource that each of them points to.
Generally, an access rights resource identifier includes the URI of the access rights resource, and the middleware can obtain the corresponding access rights resource from that URI.
203. Determine the access rule set for the resource according to the parsing rule for the resource and the access rights resources.
Specifically, the middleware may preset a rule parsing identifier for access rights resources; the rule parsing identifier names the default parsing rule of the middleware's default configuration. The access rights resources are parsed with this parsing rule to obtain the access rule set of the resource.
204. Respond to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
Specifically, the middleware determines whether the access device identifier matches the access subject set of the access rule set, that is, whether it is one of the access subjects in that set, and then determines whether the access operation of the access device matches the access operation set of that subject, that is, whether the operation is one allowed by the access operation set.
When the access device satisfies both conditions, the middleware allows it to perform the access operation on the specified resource; otherwise, when either condition is not satisfied, the middleware denies the access device the access operation on the specified resource.
In the resource access method of this embodiment of the present invention, a subject holding resource configuration rights sets the access rights of a resource and adds the access rights resource identifiers of other resources to its access rights resource identifier, so that the middleware can obtain the related access rights resources from those identifiers. Access rights resources are thereby inherited between resources, so that a resource's access rights adjust themselves whenever the access rights of the inherited resources are modified. This improves the management efficiency of resource access rights and, at the same time, improves the utilisation of the storage space for access rights resources and saves storage space.
The resource access method of an embodiment of the present invention is described below from the perspective of setting the access rights resource identifier. FIG. 3A is a signaling interaction diagram for setting the access rights identifier of a resource in a resource access method according to an embodiment of the present invention, including:
301. The resource setting requesting device sends, to a receiving device such as an M2M terminal, an M2M gateway or an M2M platform, a setting request for the access rights of a resource. The setting request includes at least two resource access rights identifiers and the identifier of the resource, requesting that the access rights of the resource corresponding to that identifier be set. The resource setting requesting device is a device holding the right to set access rights resources and may be an M2M platform.
Specifically, resources in M2M are described as a Representational State Transfer (RESTful) resource tree, as shown in FIG. 3B.
The field containers contains one or more containers <container>. The container <container> is the container resource representation of the prior art and mainly holds data information resources describing an application or an M2M terminal, platform or gateway.
The container <container> has an accessRightID attribute, which is the access rights resource identifier. According to the ETSI M2M specification, the accessRightID attribute may be set to AnyURI[0...1], meaning zero or one URI, where the URI points to an access rights resource accessRight. For example, setting the accessRightID attribute to "http://m2m.op.com/accessRights/<ar5>" indicates that the access rules of the resource are described by the access rights resource <ar5>.
Step 302. Set the access rights of the resource according to the setting request.
Specifically, the receiving device may change the accessRightID attribute from AnyURI[0...1] to AnyURI[0...unbounded] (that is, AnyURIList), where each URI must point to an access rights resource <accessRight>; each such URI is an imported resource access rights identifier. This allows a combined reference to at least two access rights resources.
In this embodiment of the present invention, the requesting device may be an M2M platform or an M2M gateway, and the receiving device may be an M2M terminal, an M2M platform or an M2M gateway. An M2M platform or M2M gateway may use the access rights setting request to set the access rights of resources located on another apparatus, such as an M2M terminal, an M2M platform or an M2M gateway, or of resources located locally on the requesting device. That is, the requesting device and the receiving device may be the same device or different devices; the embodiments of the present invention are not limited in this respect.
FIG. 4 is a signaling interaction diagram of the resource access method of this embodiment, including:
401. The access device sends a resource access request to the receiving device, the resource access request including an access identifier, a resource identifier and a resource access operation indication for the resource.
402. The receiving device looks up the access rights resource identifier of the resource according to the resource identifier, obtains at least two access rights resource identifiers from it, reads the corresponding access rights resources according to those identifiers, and parses the at least two access rights resources according to the parsing rule named by the preset rule parsing identifier to obtain the resource access rule set for the resource.
403. The receiving device returns a resource access response to the access device according to the access rule set of the resource, the access device identifier and the access device operation indication.
The rule parsing identifier is described by a string. The preset rule parsing identifier is "overlay", and the parsing rule it names is "sequential overlay". Specifically, the resources are obtained in order from last to first […] the access rights resource of each of the at least two imported access rights resource identifiers is read, and the access rules in each access rights resource are analysed in that order.
For an access subject that appears in the access subject sets of several access rules, its allowed access operation set is determined by the first access rule that contains that subject. If the access device matches the access subject set of the access rule set, it is determined whether the access operation of the access device belongs to the access operation set; if so, the access device is allowed to access and operate on the resource. If the access device does not belong to the access subject set of the access rule set, or belongs to it but its access operation is not in its allowed access operation set, or its access operation set is "none", the resource access request of the access device is rejected.
For example, the accessRightID attribute is set to "http://m2m.op.com/accessRights/<ar3>; http://m2m.op.com/accessRights/<ar4>", indicating that the access rights of the resource are described jointly by the access rights resources <ar3> and <ar4>. When an access device performs a read operation on the resource, the receiving device, according to the preset rule parsing identifier (assumed in this embodiment to be "overlay", the default parsing rule "sequential overlay"), first obtains the access rights resource <ar4>, whose rule set, say, grants the access subjects "App1" and "App2" the access operation "Read", and then obtains the access rights resource <ar3>, whose rule set, say, grants the access subjects "App1" and "App3" the access operation "Write". The parsed rule set is then: access subject "App1" is allowed the access operation "Read", access subject "App2" is allowed the access operation "Read", and access subject "App3" is allowed the access operation "Write".
Another embodiment of the present invention is described in detail below from the perspective of configuring the rule parsing identifier. FIG. 5 is a signaling interaction diagram for configuring the access rights resource identifier of a resource in a resource access method according to another embodiment of the present invention, including:
501. The requester sends an access rights resource identifier setting request for the resource to the receiving device, the setting request including a resource identifier, an access rights resource identifier and a rule parsing identifier.
Specifically, the resource identifier points to the resource whose access rights resource identifier is to be set; the access rights resource identifier is the identifier of the imported access rights resource; and the rule parsing identifier is the identifier corresponding to the parsing rule to be set, described by a character or string, for example "overlay" or "union", meaning that the access rights resources are parsed by "sequential overlay" or by "taking the union" respectively. Note that these are only examples; the rule parsing identifier may take any other form understood by those skilled in the art. If there is no rule parsing identifier, or its value is not set, the default parsing rule is used, for example parsing the access rights resources one by one from last to first.
502. Set the access rights resource identifier of the resource according to the setting request.
Specifically, the receiving device, such as an M2M terminal, an M2M gateway or an M2M platform, adds the imported access rights resource identifiers and the rule parsing identifier to the access rights identifier of the resource corresponding to the resource identifier according to the setting request.
Optionally, the following is a data structure for expressing an access rights resource identifier: accessRightID contains an imports element, which includes one or more import elements and at least one resolveMode element. Each import element imports an access rights resource, and resolveMode describes the rule parsing identifier, which denotes a parsing rule; for example, the rule parsing identifier may be set to "RFC4745" or "RFC3530" to indicate that the access rights resources are parsed according to the RFC 4745 or RFC 3530 specification. For the parsing rules named by the RFC4745 and RFC3530 rule parsing identifiers, refer to the respective specifications.
The following is an example of an access rights identifier described in XML (Extensible Markup Language):
<imports>
  <import>
    http://m2m.op.com/accessRights/<ar3>
  </import>
  <import>
    http://m2m.op.com/accessRights/<ar4>
  </import>
  <resolveMode>
    RFC4745
  </resolveMode>
</imports>
As shown in Figure 6, the resource access method of this embodiment includes:
601. The access device sends an access request to the receiving device; the access request carries a resource identifier, an access-device identifier and an access operation on the resource.
602. The receiving device looks up the access-rights resource identifiers and the rule-resolution identifier in the access-rights identifier of the resource, reads the access-rights resources according to those access-rights resource identifiers, and then resolves the access-rights resources in the manner corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
603. The receiving device responds to the access request according to the access rule set, the access-device identifier and the access operation indication.
Specifically, if the access-device identifier belongs to the access subject set of the access rule set, and the access operation belongs to the allowed operation set of the access rule set, the access device's resource access request is allowed; otherwise a rejection response is returned.
For example, when the access device performs a read operation on the resource, the middleware first obtains the value of resolveMode, here "RFC4745", and then resolves the access rule set for the resource according to the RFC 4745 specification named by that rule-resolution identifier. It then determines from the resolved access rule set whether the access device may read the resource; if so, the read is allowed, otherwise a rejection response is returned.
Note that if the resolution manner indicated by a resolveMode imposes priority requirements on the imported access-rights resources, the access-rights resources are resolved according to those priority requirements.
The following describes the signaling interaction for setting the access-rights identifier of a resource in another embodiment of the invention, taking as an example an access-rights resource identifier that points to multiple access-rights resources, where the access-rights resources carry priority settings and a rule-resolution identifier is configured. The interaction includes:
701. The requesting device sends to the receiving device, such as an M2M terminal, M2M gateway or M2M platform, a setting request for the access-rights identifier of a particular resource. The setting request includes the resource identifier, the imported access-rights resource identifiers, the rule-resolution identifier and the access-rights resource priority rule.
702. The receiving device sets the access-rights resource identifier of the specified resource according to the setting request.
Specifically, a priority value is defined for each imported access-rights resource according to the access-rights resource priority rule.
For example, a Priority attribute is set on each import element of the access-rights resource identifier. Its value may be a number or a string and describes the priority relationship among the imported access-rights resources. For instance, if the Priority attributes of three import elements listed in order in the access-rights resource identifier are set to "Priority=1", "Priority=2" and "Priority=3" respectively, the import element with "Priority=3" has higher priority than the one with "Priority=2", and the one with "Priority=2" has higher priority than the one with "Priority=1". If the three import elements carry the same Priority value, the default priority order applies: priority decreases step by step from the last import element to the first.
As shown in Figure 8, the signaling interaction of the resource access method of this embodiment includes:
801. The access device sends a resource access request to the receiving device; the resource access request includes the resource identifier, the access-device identifier and the access operation on the resource.
The receiving device may be an M2M terminal, M2M gateway or M2M platform, and the access device may likewise be an M2M terminal, M2M gateway or M2M platform.
802. The receiving device, according to the resource identifier in the resource access request, looks up the access-rights resource identifier under the resource corresponding to that identifier, reads the access-rights resources according to the access-rights resource identifiers it contains, and, according to the rule-resolution identifier in that access-rights resource identifier, resolves the access-rights resources using the resolution rule corresponding to the rule-resolution identifier to obtain the access rule set for the resource.
803. The receiving device returns a resource access response to the access device according to the access-device identifier, the access operation and the access rule set.
Specifically, if the access device belongs to the access subject set of the access rule set, and the access operation indicated in the access request belongs to the operation set allowed for that subject, the access device is permitted to access and operate on the resource; if the access device does not match the subject set of the access rule set, or its access operation does not match the allowed operation set, the access device's resource access and operation are rejected.
For example, after the priority attribute is introduced, an access-rights resource identifier accessRightID expressed in XML looks as follows:
<imports>
  <import priority=2>
    http://m2m.op.com/accessRights/<ar3>
  </import>
  <import priority=1>
    http://m2m.op.com/accessRights/<ar4>
  </import>
  <resolveMode>
    overlay
  </resolveMode>
</imports>
The example above indicates that the access rights of the resource are described jointly by the access-rights resources <ar3> and <ar4>, and that a priority relationship exists between the imported access-rights resources: <ar3> has higher priority than <ar4>. In addition, resolveMode indicates that resolution follows the "sequential overlay" method. The access-rights resource <ar3> is obtained first; suppose the rule set in <ar3> allows the subject set "App1" and "App3" the operation "Write". Then the access-rights resource <ar4> is obtained; suppose the rule set in <ar4> allows the subject set "App1" and "App2" the operation "Read". The resolved rule set is then: subject "App1" is allowed the operation "Write", subject "App2" is allowed the operation "Read", and subject "App3" is allowed the operation "Write". Note that under overlay the "Read" granted to "App1" by <ar4> is dropped entirely: the higher-priority resource's entry for a subject replaces the lower-priority one, so a lower-priority resource can neither widen nor narrow what a higher-priority resource grants.
If resolveMode is set to "union", i.e. the "take the union" resolution method, priority is not required by that method and the "priority" values are ignored. The resolved rule set is then: subject "App1" is allowed the operations "Write" and "Read", subject "App2" is allowed the operation "Read", and subject "App3" is allowed the operation "Write". resolveMode may also be set to "RFC4745", "RFC3530" and so on, indicating that rules are resolved according to the RFC 4745 or RFC 3530 specification respectively; refer to the corresponding specification for the details.
The following describes the resource access method of another embodiment of the invention, taking as an example an access-rights identifier that points to multiple access-rights resources, where the access-rights resources are imported in blocks comprising a parent block and multiple child blocks corresponding to the parent block.
As shown in Figure 9A, the signaling interaction for setting the access-rights resource identifier of a resource in the resource access method of another embodiment of the invention includes:
901. The requester sends to the receiving device, such as an M2M terminal, M2M gateway or M2M platform, a setting request for the access-rights identifier of the resource. The setting request includes the resource identifier, the access-rights resource identifiers, the rule for dividing the access-rights resources into a parent block and child blocks, and the rule-resolution identifiers corresponding to the parent block and to each child block respectively.
Specifically, the parent block is indicated by setting the "imports" element of the access-rights identifier, and a child block is indicated by setting an "import" element of the access-rights identifier.
902. The receiving device sets the access rights of the specified resource according to the setting request. Specifically, the receiving device obtains the resource according to the resource identifier specified in the setting request and updates the access-rights identifier of that resource to the access-rights identifier carried in the request. That is, it configures the block division of the access-rights resources: a parent block and multiple child-block access-rights resources corresponding to the parent block. Each child block includes at least one access-rights resource identifier. A separate rule-resolution identifier may be set for each child block and each parent block, and a priority rule may also be set for each child block and each parent block.
For example, an access-rights resource identifier that imports access-rights resources in blocks may be described by the data structure shown in Figure 9B.
Figure 9B shows the structure of an access-rights resource identifier accessRightID with multiple imports: accessRightID contains a permissionsRef element, which in turn includes one or more imports elements; each imports element includes one or more import elements, and each import element includes one or more access-rights resource identifiers.
As shown in Figure 10, the signaling interaction of the resource access method of this embodiment includes:
1001. The access device sends a resource access request to the receiving device; the resource access request includes the resource identifier, the access-device identifier and the access operation on the resource.
The receiving device may be an M2M terminal, M2M gateway or M2M platform, and the access device may likewise be an M2M terminal, M2M gateway or M2M platform.
1002. The receiving device, according to the resource identifier in the resource access request, looks up the access-rights resource identifier under the resource corresponding to that identifier. It first resolves the access-rights resources corresponding to the parent block according to the resolution rule and priority rule corresponding to the parent-block rule-resolution identifier, then resolves the access-rights resources corresponding to the child blocks according to the rule-resolution identifiers and priority rules corresponding to the multiple child blocks, and so obtains the resource access rule set for the resource.
1003. The receiving device returns a resource access response to the access device according to the access-device identifier, the access operation indication and the access rule set.
The following is an example, expressed in XML, of the access-rights resource identifier accessRightID shown in the figure above:
<permissionsRef>
  <imports priority=2>
    <import priority=1>
      http://m2m.op.com/accessRights/<ar3>
    </import>
    <import priority=3>
      http://m2m.op.com/accessRights/<ar4>
    </import>
    <import priority=2>
      http://m2m.op.com/accessRights/<ar5>
    </import>
    <resolveMode>
      RFC4745
    </resolveMode>
  </imports>
  <imports priority=1>
    <import priority=2>
      http://m2m.op.com/accessRights/<ar1>
    </import>
    <import priority=1>
      http://m2m.op.com/accessRights/<ar2>
    </import>
    <resolveMode>
      RFC3530
    </resolveMode>
  </imports>
  <imports priority=3>
    <import priority=1>
      http://m2m.op.com/accessRights/<ar6>
    </import>
    <import priority=2>
      http://m2m.op.com/accessRights/<ar7>
    </import>
    <resolveMode>
      RFC4745
    </resolveMode>
  </imports>
  <resolveMode>
    RFC3530
  </resolveMode>
</permissionsRef>
In the example above, the access rights of the resource are described jointly by the access-rights resources <ar1>, <ar2>, <ar3>, <ar4>, <ar5>, <ar6> and <ar7>. When the access device sends an access operation request to read the resource, the receiving device first obtains the value of the resolveMode child element of the "permission reference" (permissionsRef) element, "RFC3530" (i.e. the rule-resolution identifier is RFC3530). It then resolves the access rule set for the resource according to the RFC 3530 specification named by that rule-resolution identifier. The RFC 3530 resolution method imposes priority requirements on the access-rights resources, so the receiving device reads the priority attribute of each imports element and orders them by that value: the last imports element has priority 3, so the access-rights resources in that imports element are resolved first; then the first imports element, whose priority is 2; and finally the middle imports element, whose priority is 1. Each imports element is itself resolved in the manner indicated by the value of its resolveMode child element. Finally, the receiving device determines from the resolved access rule set whether the requester may read the resource, and responds accordingly.
Note that the middleware's reject or allow response is not always triggered only after all rules have been resolved; it is triggered as soon as the middleware determines that the access device's resource access request does not satisfy the access rules. Such early rejection is only sound when no access-rights resource still to be resolved could change the outcome: under a priority-ordered mode such as overlay, a subject's permissions are fixed by the highest-priority resource that names it, whereas under union a resource resolved later may still grant the operation, so every import has to be examined before a denial is returned.
The following further describes the resource access method of another embodiment of the invention, taking as an example access-rights resource identifiers that point directly or indirectly to multiple access-rights resources.
In this embodiment, the access-rights resource identifier of a resource consists of multiple access-rights resource identifiers that point directly or indirectly to access-rights resources; "indirectly" means that an access-rights resource identifier does not point to the access-rights resource itself.
For example, the access rights associated with a resource consist of zero or more access-rights resource identifiers pointing directly or indirectly to access-rights resources. Setting the accessRightID attribute of the resource Resource to "http://m2m.op.com/containers/<container1>; http://m2m.op.com/accessRights/<ar5>", for instance, indicates that the access rights of the resource are described by the access-rights resources of the resource http://m2m.op.com/containers/<container1>, the access-rights resource indicated by the accessRightID of the resource http://m2m.op.com/containers/<container2> … When the access device performs a read operation on the resource Resource, the receiving device, following the default access-rights resource resolution rule, first resolves <ar5> and checks whether the access subject set of the resulting access rule set contains the requester; if it does and its allowed operation set includes the read operation, the requester is allowed to read the resource, and if its allowed operation set does not include the read operation, the requester is not allowed to read the resource.
If the access subject set of the access rule set resolved from <ar5> does not contain the requester, resolution continues with the access-rights resources indicated by the accessRightID of the resource <container2>, until all access-rights resources have been resolved. Note that when resolving "http://m2m.op.com/containers/<container2>/accessRightID", the receiving device also has to resolve the … resource identifier. When resolving http://m2m.op.com/containers/<container1>, the middleware has to read the access-rights resource identifier accessRightID of the resource that http://m2m.op.com/containers/<container1> points to and resolve it. In addition, since no resolveMode is configured for the accessRightID of <container2>, the default access-rights resolution rule is used for it.
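The indirect-reference walk and the sequential default rule described in the preceding two paragraphs, as an added example that is not code from the patent or from any Huawei implementation. It assumes that accessRightID is the ";"-separated list of URLs shown in the text, that an entry under the /accessRights/ path names an access-rights resource while any other entry names a resource whose own accessRightID must be followed, and that both are looked up in in-memory dictionaries rather than fetched over HTTP. The cycle and depth guards are added checks a practitioner would want when one resource's accessRightID can name another resource; the text does not describe them.

```python
"""Follow an accessRightID whose entries point directly or indirectly at
access-rights resources, then apply the default sequential rule from the text.

Added example; not from the patent. Assumptions: accessRightID is a ";"-separated
URL list; /accessRights/ URLs are rule sets ({subject: {ops}}); any other URL is a
resource whose accessRightID attribute is followed. Data is in-memory (constructed).
"""
ACCESS_RIGHTS_PREFIX = "http://m2m.op.com/accessRights/"
MAX_DEPTH = 8  # assumed bound on how far indirection may nest

# Constructed sample rule sets.
RULE_SETS = {
    ACCESS_RIGHTS_PREFIX + "ar1": {"App1": {"Read"}},
    ACCESS_RIGHTS_PREFIX + "ar2": {"App2": {"Write"}},
    ACCESS_RIGHTS_PREFIX + "ar5": {"App3": {"Read", "Write"}},
}

# Constructed resources: resource URL -> its accessRightID attribute.
# container2 inherits container1's rights indirectly; "loop" names itself.
RESOURCES = {
    "http://m2m.op.com/containers/container1": ACCESS_RIGHTS_PREFIX + "ar1",
    "http://m2m.op.com/containers/container2":
        "http://m2m.op.com/containers/container1; " + ACCESS_RIGHTS_PREFIX + "ar2",
    "http://m2m.op.com/containers/loop":
        "http://m2m.op.com/containers/loop; " + ACCESS_RIGHTS_PREFIX + "ar5",
}


def split_access_right_id(value):
    """Split the ';'-separated accessRightID string into its URL entries."""
    return [p.strip() for p in value.split(";") if p.strip()]


def collect_rule_sets(access_right_id, resources=RESOURCES, rule_sets=RULE_SETS,
                      _visited=None, _depth=0):
    """Return the rule sets reachable from access_right_id, in evaluation order.

    A direct entry contributes its rule set. An indirect entry is expanded,
    depth-first, through the referenced resource's own accessRightID. Entries
    already seen on this walk are skipped (cycle guard), and nesting beyond
    MAX_DEPTH is an error, so a self-referencing container cannot loop forever
    or exhaust the stack. Skipping a repeat is safe for the first-match rule
    below because its earlier occurrence has already been considered.
    """
    if _depth > MAX_DEPTH:
        raise ValueError("accessRightID indirection nested too deeply")
    visited = set() if _visited is None else _visited
    out = []
    for entry in split_access_right_id(access_right_id):
        if entry in visited:
            continue
        visited.add(entry)
        if entry.startswith(ACCESS_RIGHTS_PREFIX):
            out.append(rule_sets[entry])        # unknown resource: KeyError, fail closed
        else:
            out.extend(collect_rule_sets(resources[entry], resources, rule_sets,
                                         visited, _depth + 1))
    return out


def decide(access_right_id, subject, op, resources=RESOURCES, rule_sets=RULE_SETS):
    """Default rule from the text: the first rule set whose subject set names the
    requester decides; allow only if it also lists the operation. If no rule set
    names the requester at all, deny."""
    for rs in collect_rule_sets(access_right_id, resources, rule_sets):
        if subject in rs:
            return op in rs[subject]
    return False


if __name__ == "__main__":
    c2 = RESOURCES["http://m2m.op.com/containers/container2"]
    print(decide(c2, "App1", "Read"))   # True, inherited via container1 -> ar1
    print(decide(c2, "App1", "Write"))  # False: ar1 names App1 without Write, so ar2 is not consulted
```

The order of evaluation is the order of the entries in the accessRightID string; the first rule set that mentions the requester is final, which is exactly why a deny can be returned before the remaining resources are resolved under this default rule.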
The following describes a resource access apparatus according to an embodiment of the invention. As shown in Figure 11, the resource access apparatus includes: a setting unit 1101, configured to set the access-rights resource identifier of a resource so that the access-rights resource identifier of the resource includes at least two resource access-rights identifiers, each pointing to an access-rights resource; a receiving unit 1102, configured to receive a resource access request from an access device, the resource access request including an access-device identifier and a resource access operation; an obtaining unit 1103, configured to obtain the access-rights resource identifiers from the access-rights identifier of the resource, read the access-rights resources according to those identifiers, and resolve the access-rights resources according to a preset resolution rule to obtain the resource access rule set for the resource; and a response unit 1104, configured to respond to the access device's resource access request according to the resource access rule set and the access-device identifier.
As shown in Figure 12, the setting unit 1101 includes:
a receiving subunit 11011, configured to receive a setting request for the access-rights resource identifier of the resource; and a setting subunit 11012, configured to set the access-rights resource identifier of the resource according to the setting request received by the receiving subunit, so that the access-rights resource identifier of the resource includes the at least two imported resource access-rights identifiers. As shown in Figure 13, the obtaining unit includes:
a first obtaining unit 11031, configured to obtain the access-rights resource identifiers in the access-rights identifier of the resource and read the access-rights resources according to those access-rights resource identifiers;
a second obtaining unit 11032, configured to resolve the access-rights resources according to the resolution rule corresponding to the rule-resolution identifier and obtain the resource access rule set for the resource;
a third obtaining unit 11033, configured to resolve the access-rights resources according to the access-rights resource priority rule and the resolution rule corresponding to the rule-resolution identifier, and obtain the resource access rule set for the resource;
a fourth obtaining unit 11034, configured to first resolve the access-rights resources according to the resolution rule corresponding to the parent-block rule-resolution identifier, then resolve the access-rights resources corresponding to the child blocks according to the rule-resolution identifiers corresponding to the multiple child blocks, and obtain the resource access rule set for the resource;
a fifth obtaining unit 11035, configured to first resolve the access-rights resources according to the resolution rule and priority rule corresponding to the parent-block rule-resolution identifier, then resolve the access-rights resources corresponding to the child blocks according to the rule-resolution identifiers and priority rules corresponding to the multiple child blocks, and obtain the resource access rule set for the resource;
a sixth obtaining unit 11036, configured to obtain the access-rights resource address according to the indirect access-rights resource identifier and read the access-rights resource according to that access-rights resource address.
Note that the resource access apparatus of the embodiments of the invention may be an M2M terminal, an M2M platform or an M2M gateway.
In the resource access apparatus of the embodiment of the invention described above, a subject holding resource configuration authority sets the access-rights resource identifier of a resource in the resource access apparatus, adding the access-rights resource identifiers of other resources to it, so that the resource access apparatus can obtain the relevant access-rights resources from those identifiers. Access-rights resources are thereby inherited between resources, so that a resource's access rights adjust by themselves when the access rights of the inherited resources are modified. This improves the management efficiency of resource access rights and, at the same time, improves utilization of the storage space for access-rights resources and saves storage space.
Figure 14 is a schematic structural diagram of a further resource access apparatus provided by an embodiment of the invention, including a memory 1401 and a processor 1402. The memory 1401 stores the units described in Figures 11 to 13; the processor 1402 is connected to the memory 1401 and runs the units in the memory 1401 to perform their respective functions. The functions of the units in the memory 1401 of Figure 14 are the same as those of the units in Figures 11 to 13 and are not described again here.
Implementations of the processing functions of the units contained in the above resource access apparatus have been described in the preceding method embodiments and are not repeated here. In addition, in an M2M network the M2M platform may be any computer or device with a processor. There is no strict distinction between M2M gateways and M2M terminals at the device level: a device acting as a gateway may also act as a terminal, and terminal devices of all kinds, such as mobile phones, computers, PDAs, laptops, remote controllers, household appliances, instruments and sensors, may serve as gateways or terminals of the M2M network. In the apparatus embodiments above, the units are divided only by functional logic; the division is not limited to the one above, as long as the corresponding functions can be implemented. The specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention. The functions of the functional units of the method and apparatus described above may all be performed by the processor of the M2M gateway or M2M platform running those units.
A person of ordinary skill in the art will understand that all or part of the procedures of the method embodiments above may be carried out by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM) or a random access memory (RAM), among others.
In summary, the above are merely preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims
1. A resource access method, characterized in that it comprises:
receiving a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication; […] access permission resource identifiers, and reading, according to the at least two access permission resource identifiers, the access permission resource indicated by each access permission resource identifier;
determining an access rule set for the resource according to a parsing rule for the resource and the access permission resources;
responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
2. The method according to claim 1, characterized in that the method further comprises:
receiving a setting request for the access permission of the resource, the setting request including at least two access permission resource identifiers;
setting the access permission for the resource according to the at least two access permission resource identifiers.
3. The method according to claim 2, characterized in that the setting request further includes a rule parsing identifier, and the determining an access rule set for the resource according to the parsing rule for the resource and the access permission resources comprises:
parsing the access permission resources according to the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
4. The method according to claim 3, characterized in that the setting request further includes an access permission resource priority rule, and the determining an access rule set for the resource according to the parsing rule for the resource and the access permission resources comprises:
parsing the access permission resources according to the access permission resource priority rule and the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
5. The method according to claim 3, characterized in that the setting request further includes dividing multiple access permission resources into blocks, such that the multiple access permission resources comprise an access permission resource parent block and multiple child blocks corresponding to the parent block, the parent block and each of the child blocks corresponding to it including a corresponding rule parsing identifier, and the determining an access rule set for the resource according to the parsing rule for the resource and the access permission resources comprises:
first parsing the access permission resources according to the parsing rule corresponding to the rule parsing identifier of the parent block, and then parsing the access permission resources corresponding to the child blocks according to the rule parsing identifiers corresponding to the multiple child blocks, to obtain the access rule set for the resource.
6. The method according to claim 5, characterized in that the setting request further includes priority rules for the parent block and the child blocks, and the determining an access rule set for the resource according to the parsing rule for the resource and the access permission resources comprises:
first parsing the access permission resources according to the parsing rule and priority rule corresponding to the rule parsing identifier of the parent block, and then parsing the access permission resources corresponding to the child blocks according to the parsing rules and priority rules corresponding to the rule parsing identifiers of the multiple child blocks, to obtain the resource access rule set for the resource.
7. The method according to any one of claims 3 to 6, characterized in that the setting request includes at least two indirect access permission resource identifiers, and the determining an access rule set for the resource according to the parsing rule for the resource and the access permission resources comprises:
obtaining access permission resource addresses according to the indirect access permission resource identifiers, and reading the access permission resources according to the access permission resource addresses;
parsing the access permission resources according to the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
8. The method according to claim 1, characterized in that the access rule set includes an access subject set and an access operation set corresponding to each access subject, and the responding to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication comprises:
if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set, allowing the access device to access the resource;
if the access device does not match the access subject set, or the access device matches the access subject set but the access operation indicated by the resource access operation indication does not match the access operation set of the access device, denying the access device access to the resource;
if the access device matches the access subject set but the access operation set of the access device is "none", rejecting all access operation requests from the access device.
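The decision logic of claims 1 to 8, as an added example that is not part of the patent: two constructed access-permission resources are reached through indirect identifiers (claim 7), parsed by a parent block and a higher-priority child block that each carry their own parsing rule (claims 3 to 6), and the resulting access rule set is applied to a request as in claim 8. The parsing-rule names "union" and "priority", the way parent and child results are merged, and every sample identifier and path are assumptions of this example.

```python
# Added example (not from the patent): an ACL evaluator following claims 1-8.
# Parsing-rule names, block-merge semantics and sample data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class PermissionResource:
    """Access-permission resource: subject set plus granted operation set;
    {"none"} is the explicit denial of claim 8."""
    subjects: Set[str]
    operations: Set[str]
    priority: int = 0    # consulted by the "priority" parsing rule (claim 4)

AccessRuleSet = Dict[str, Set[str]]   # claim 8: access subject -> operation set
def parse_union(resources: List[PermissionResource]) -> AccessRuleSet:
    """Parsing rule "union": a subject gets every operation any resource grants."""
    rules: AccessRuleSet = {}
    for res in resources:
        for subj in res.subjects:
            rules.setdefault(subj, set()).update(res.operations)
    return rules

def parse_priority(resources: List[PermissionResource]) -> AccessRuleSet:
    """Parsing rule "priority" (claim 4): only the highest-priority resource
    naming a subject counts, so a high-priority {"none"} overrides a grant."""
    rules: AccessRuleSet = {}
    for res in sorted(resources, key=lambda r: r.priority):  # highest last
        for subj in res.subjects:
            rules[subj] = set(res.operations)
    return rules

PARSING_RULES = {"union": parse_union, "priority": parse_priority}
# Claim 7: indirect identifiers resolve to addresses that are then read.
ADDRESS_OF = {"acl-ref-1": "/acl/fleet", "acl-ref-2": "/acl/quarantine"}
RESOURCE_AT = {   # constructed sample data
    "/acl/fleet": PermissionResource({"dev-A", "dev-B"}, {"read", "write"}, 1),
    "/acl/quarantine": PermissionResource({"dev-B"}, {"none"}, 9),
}

def read_indirect(identifiers: List[str]) -> List[PermissionResource]:
    return [RESOURCE_AT[ADDRESS_OF[ident]] for ident in identifiers]

@dataclass
class PermissionBlock:   # claims 5-6: parent/child blocks, each with own rule
    rule_id: str
    resources: List[PermissionResource]
    priority: int = 0
    children: List["PermissionBlock"] = field(default_factory=list)

def build_rule_set(block: PermissionBlock) -> AccessRuleSet:
    """Parse the parent block first, then each child block with its own rule.
    Assumed merge: a child's entry replaces the parent's only for subjects the
    parent does not name, or when the child block has the higher priority."""
    rules = PARSING_RULES[block.rule_id](block.resources)
    for child in block.children:
        for subj, ops in build_rule_set(child).items():
            if subj not in rules or child.priority > block.priority:
                rules[subj] = ops
    return rules

def decide(rules: AccessRuleSet, device_id: str, operation: str) -> bool:
    """Claim 8: allow only if the device is a subject and the operation is in
    its operation set; an operation set of {"none"} denies everything."""
    ops = rules.get(device_id)
    return ops is not None and ops != {"none"} and operation in ops

def demo() -> AccessRuleSet:
    # Fleet ACL as parent block, quarantine list as higher-priority child block.
    quarantine = PermissionBlock("priority", read_indirect(["acl-ref-2"]), 9)
    fleet = PermissionBlock("union", read_indirect(["acl-ref-1"]), 1, [quarantine])
    return build_rule_set(fleet)   # dev-A: {read, write}; dev-B: {none}
```

Note that the quarantine entry wins over the fleet grant only because the child block carries the higher priority; with equal priorities the parent's grant for dev-B would stand, which is why the priority rule of claims 4 and 6 matters for deny entries.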
9. A resource access apparatus, characterized in that it comprises: a receiving unit, configured to receive a resource access request from an access device, the resource access request including an access device identifier, an access resource identifier and a resource access operation indication; […] at least two access permission resource identifiers of the resource, and to read, according to the at least two access permission resource identifiers, the access permission resource indicated by each access permission resource identifier; and further configured to determine an access rule set for the resource according to a parsing rule for the resource and the access permission resources;
a response unit, configured to respond to the resource access request of the access device according to the access rule set, the device identifier and the resource access operation indication.
10. The apparatus according to claim 9, characterized in that the apparatus further comprises: a setting unit, configured to set the access permission of the resource, the setting unit comprising: a receiving subunit, configured to receive a setting request for the access permission of the resource, the setting request including at least two access permission resource identifiers;
a setting subunit, configured, according to the setting request received by the receiving subunit, to […] the access of the resource […] access permission resource identifiers.
11. The apparatus according to claim 10, characterized in that the receiving subunit is specifically configured to receive a setting request for the access permission of the resource, the setting request further including a rule parsing identifier, and the obtaining unit comprises:
a first obtaining unit, configured to obtain at least two access permission resource identifiers from the access permission identifiers of the resource, and to read the access permission resources respectively according to the access permission resource identifiers;
a second obtaining unit, configured to parse the access permission resources according to the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
12. The apparatus according to claim 10, characterized in that the receiving subunit is further specifically configured to:
receive a setting request for the access permission of the resource, the setting request further including an access permission resource priority rule, and the obtaining unit further comprises:
a third obtaining unit, configured to parse the access permission resources according to the access permission resource priority rule and the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
13. The apparatus according to claim 11, characterized in that the receiving subunit is further specifically configured to:
receive a setting request for the access permission of the resource, the setting request further including dividing multiple access permission resources into blocks, such that the multiple access permission resources comprise an access permission resource parent block and multiple child blocks corresponding to the parent block, the parent block and each of the child blocks corresponding to it including a corresponding rule parsing identifier, and the obtaining unit further comprises:
a fourth obtaining unit, configured to first parse the access permission resources according to the parsing rule corresponding to the rule parsing identifier of the parent block, and then parse the access permission resources corresponding to the child blocks according to the rule parsing identifiers corresponding to the multiple child blocks, to obtain the access rule set for the resource.
14. The apparatus according to claim 13, characterized in that the receiving subunit is further specifically configured to:
receive a setting request for the access permission of the resource, the setting request further including respective priority rules for the parent block and the child blocks, and the obtaining unit further comprises a fifth obtaining unit, configured to first parse the access permission resources according to the parsing rule and priority rule corresponding to the rule parsing identifier of the parent block, and then parse the access permission resources corresponding to the child blocks according to the rule parsing identifiers and priority rules corresponding to the multiple child blocks, to obtain the access rule set for the resource.
15. The apparatus according to any one of claims 10 to 14, characterized in that the receiving subunit is further specifically configured to:
receive a setting request for the access permission of a resource, the setting request including at least two indirect access permission resource identifiers, and the obtaining unit further comprises a sixth obtaining unit, configured to obtain access permission resource addresses according to the indirect access permission resource identifiers and to read the access permission resources according to the access permission resource addresses;
and to parse the access permission resources according to the parsing rule corresponding to the rule parsing identifier, to obtain the access rule set for the resource.
16. The apparatus according to claim 9, characterized in that the response unit is specifically configured to: if the access device matches the access subject set and the access operation indicated by the resource access operation indication matches the access operation set of the access device, allow the access device to access the resource;
if the access device does not match the access subject set, or the access device matches the access subject set but the resource access operation does not match the access operation set, deny the access device access to the resource;
if the access device matches the access subject set but the access operation set of the access device is "none", reject all access operation requests from the access device.
17. The apparatus according to any one of claims 9-17, characterized in that the apparatus includes: an M2M terminal, an M2M platform and an M2M gateway.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2012/078071 WO2014005268A1 (en) 2012-07-02 2012-07-02 Resource access method and device
CN201280001197.XA CN104169930B (en) 2012-07-02 2012-07-02 resource access method and device

Publications (1)

Publication Number Publication Date
WO2014005268A1 true WO2014005268A1 (en) 2014-01-09

Family

ID=49881221

Country Status (2)

Country Link
CN (1) CN104169930B (en)
WO (1) WO2014005268A1 (en)

Also Published As

Publication number Publication date
CN104169930A (en) 2014-11-26
CN104169930B (en) 2017-02-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12880474

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12880474

Country of ref document: EP

Kind code of ref document: A1