WO2015078170A1 - Method and apparatus for accessing resources, server and terminal - Google Patents
- Publication number
- WO2015078170A1 (PCT/CN2014/080233)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- access
- server
- browser
- terminal
- authentication
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/14—Multichannel or multilink protocols
Definitions
- The present invention relates to mobile internet technologies, and in particular to a method and device for accessing resources, a server, and a terminal.
Background technique
- HTML5: Hyper Text Markup Language 5
- WEB: web page
- webApp: web application
- traditional native app: local application
- A webApp has the advantages of lower development cost, simpler upgrades, easier maintenance, no need to install, and no consumption of user storage space.
- The so-called webApp is for iPhone, Android.
- The disadvantages of web sites optimized for mobile terminals are also obvious.
- webApp access to local resources is restricted, such as searching local databases, reading local files, operating terminal hardware resources, etc.
Summary of the invention
- the embodiments of the present invention provide a method and device for accessing resources, a server, and a terminal, so as to ensure secure access of the webApp to local resources.
- the embodiment of the invention provides a method for resource access, including:
- the server receives a hypertext transfer protocol request for accessing a terminal resource, and establishes a dedicated control message channel with the browser of the corresponding terminal;
- the server authenticates the hypertext transfer protocol request and processes according to the authentication result.
- a dedicated control message channel with the browser of the corresponding terminal also includes:
- the server puts the peer-to-peer network connection with the browser of the terminal into a connection table.
- the server authenticating the access includes:
- the server extracts an application identifier and user login information of the browser from the hypertext transfer protocol request;
- the processing by the server according to the authentication result includes:
- if the authentication is passed, the corresponding access control command message is sent to the browser; if the authentication fails, an access-restricted message is sent to the browser.
- the embodiment of the invention further provides a server, which includes:
- an establishing module configured to receive a hypertext transfer protocol request, and establish a dedicated control message channel with a browser of the corresponding terminal;
- a processing module configured to: if the hypertext transfer protocol request is to access a resource of the terminal, authenticate the access, and perform processing according to the authentication result.
- the establishing module is further configured to put a peer-to-peer network connection with a browser of the terminal into a connection table.
- the processing module authenticating the access includes: extracting, from the hypertext transfer protocol request, an application identifier of the browser and user login information; detecting, according to the application identifier, whether the version of the browser is legal; and detecting the user's access rights according to the user login information. If the version of the browser is legal and the user has access rights, the authentication is passed.
- the processing by the processing module according to the authentication result includes: sending a corresponding access control command message to the browser if the authentication is passed; sending an access-restricted message to the browser if the authentication fails.
- the embodiment of the invention further provides a method for resource access, including: when the web application is opened, sending a hypertext transfer protocol request for accessing the terminal resource to the server, and establishing a dedicated control message channel with the server;
- the method includes: sending an access result to the server.
- the embodiment of the invention further provides a device for accessing resources, which includes:
- a sending module configured to open a webpage application, send a hypertext transfer protocol request for accessing the terminal resource to the server, and establish a dedicated control message channel with the server;
- the processing module is configured to receive an access control command message sent by the server, and perform access processing according to the access control command message.
- the processing module is further configured to: after the access processing is performed according to the access control command message, send the access result to the server.
- the device comprises: a browser.
- the embodiment of the invention further provides a terminal, including the above device.
- the embodiment of the present invention further provides a computer-readable storage medium; the storage medium includes a set of computer-executable instructions, and the instructions are used for performing the method of resource access on the terminal side.
- the embodiment of the invention provides a method, a device, a server and a terminal for resource access, which can ensure secure access of the webApp to local resources.
- FIG. 1 is a flowchart of a method for resource access on a terminal side according to an embodiment of the present invention
- FIG. 2 is a flowchart of a method for resource access on a server side according to an embodiment of the present invention
- FIG. 3 is a schematic diagram of a protocol field according to an embodiment of the present invention
- FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention
- FIG. 5 is a schematic diagram of an apparatus for resource access according to an embodiment of the present invention.
Detailed description
- webApps are software that performs a specific task.
- Their functions are relatively simple, and they are mainly used to meet a specific usage requirement of users. However, in order to enhance the user experience, make full use of the unique features of the webApp and, at the same time, better replace the native app, the webApp also needs to have some features of the native app. One of the most important is how to ensure secure access of the webApp to local resources.
- the embodiment of the invention provides a method for resource access by which a browser-based webApp securely accesses local resources.
- the browser integrates web fiction reading software with night/day mode switching, bookmark saving, bookmark viewing, and so on. When the user views the bookmark list, the terminal database needs to be accessed, and the webApp is essentially a web page that looks like a native app and is displayed through the browser kernel.
- front-end JS: JavaScript program used to implement various logic functions in WEB applications
- directly access local resources such as phonegap, etc., but in order to prevent the abuse of local resources by developers or some malware and to protect the security of user information, many restrictions have been made.
- This solution provides a secure access mechanism through server authentication, in which the security level determines which terminal resources and devices can be accessed.
- the server is first notified. After the server authentication is passed, a special control protocol is used to interact with the terminal browser over a dedicated control message channel to complete the access to the terminal resource and the control of the device, and the results are fed back to the front end.
- FIG. 1 is a flowchart of a method for accessing a resource on a terminal side according to an embodiment of the present invention.
- the method in this embodiment may include: Step 11: When the terminal opens the webpage application, the browser sends an HTTP (Hyper Text Transfer Protocol) request for accessing the terminal resource to the server, and establishes a dedicated control message channel with the server;
- HTTP Hyper Text Transfer Protocol
- Step 12: The browser of the terminal receives the access control command message sent by the server, and performs access processing according to the access control command message.
- Step 21: The server receives the HTTP request, and establishes a dedicated control message channel with the browser of the corresponding terminal.
- Step 22: If the server finds that the HTTP request is to access the resource of the terminal, the server authenticates the access and performs processing according to the authentication result.
- the embodiment of the present invention aims to enable the webApp to securely access terminal resources.
- technologies such as the phonegap framework also support web applications directly accessing local resources, but phonegap cannot guarantee that terminal resources are not abused or that the user information is secure.
- Other similar technical standards also use the access restriction method.
- the embodiment of the present invention uses the indirect access method through the server. The server performs security management in a unified manner, which avoids the above problems to some extent.
- Step 101: First, when the user opens a webApp, an HTTP request is sent to the server; the server acquires the user terminal information according to the HTTP request header field, and establishes a dedicated control information channel with the terminal browser.
- The webApp runs on the browser.
- The connection control management module is responsible for establishing a P2P connection with the terminal browser and placing it in the connection table for management; the management module can close the connection according to the terminal status or network status, delete the corresponding index in the connection table, retrieve the connection table according to the server requirements, and so on.
- Step 102: After receiving the HTTP request, the server finds that it needs to access the terminal resource (such as accessing the terminal database to obtain a bookmark, etc.), and then invokes the authentication module to calculate the access security level, and determines whether access to the terminal resource is allowed according to the security level.
- the user security level may be determined by the terminal browser AppID and the user login information.
- the server first extracts the terminal browser AppID and the user login information, and then determines from the AppID of the terminal browser whether it is a version published through the official channel. Because an application published through the official channel has been tested in advance to ensure that it contains no malicious plug-in, it has a certain reliability, so its security level is set to 1, allowing webApps running on this browser to have certain terminal resource access rights. The server then checks the user login information; if the user is already a logged-in user, the user automatically has the highest access permissions.
- the corresponding control command message corresponds to the request sent by the webApp.
- the HTTP request is sent to the server; after receiving the request, the server finds that it needs to access the database on the terminal, and then sends the message requesting access to the database to the terminal browser through the dedicated control information channel; after receiving the message, the browser performs the related data operations and returns the result.
- Control messages between the server and the terminal browser can be exchanged using a custom internal protocol format.
- the specific composition of the protocol field in this embodiment is shown in Figure 3.
- the length of the protocol data is not fixed, and varies according to the number of parameters and the length of the parameter values.
- T is used as a separator between the parts of the protocol field, and T is also used between the parameters.
- the protocol parsing unit extracts relevant parameters according to the command. For example, if the browser receives a command to adjust the brightness of the screen of the terminal, it searches for the corresponding keyword in the field, then extracts the brightness value parameter and passes the command and parameters to the command execution unit. Finally, the command execution unit calls the corresponding system interface to complete the adjustment of the screen brightness. If the authentication fails, the user can be given a corresponding prompt and asked to log in.
- Step 104: After receiving the command message, the terminal browser performs a corresponding operation, and returns the operation result to the server.
- Step 105: The server sends an HTTP response to the front end of the webApp, and delivers the access result and the return data to the front end.
- Step 106: After receiving the response, the webApp front end performs the corresponding subsequent action.
- the webApp front end can display the results of the query after receiving the message.
- connection relationship between the server and the terminal browser is relatively simple, and the positions of the network elements are equivalent, which is a typical star structure.
- FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention. As shown in FIG. 4, the server 10 of this embodiment includes:
- the establishing module 11 may be further configured to put a peer-to-peer network connection with a browser of the terminal into a connection table.
- the processing module 12 authenticating the access may include: extracting, from the hypertext transfer protocol request, an application identifier and user login information of the browser; detecting, according to the application identifier, whether the version of the browser is legal; and detecting the user's access rights according to the user login information. If the version of the browser is legal and the user has access rights, the authentication is passed.
- the processing module 12, when processing according to the authentication result, may: send a corresponding access control command message to the browser if the authentication is passed; if the authentication fails, send the access-restricted message to the browser.
- the foregoing establishing module 11 and processing module 12 may be implemented by a central processing unit (CPU), a micro processing unit (MPU), a digital signal processor (DSP), or a field-programmable gate array (FPGA).
- CPU central processing unit
- MPU Micro Processing Unit
- DSP digital signal processor
- FPGA Programmable Array
- FIG. 5 is a schematic diagram of an apparatus for accessing resources according to an embodiment of the present invention.
- the apparatus for accessing a resource includes a browser installed on the terminal.
- the apparatus 20 of this embodiment may include:
- the processing module 22 is configured to receive an access control command message sent by the server, and perform access processing according to the access control command message.
- the sending module 21 and the processing module 22 can be implemented by a CPU, MPU, DSP or FPGA of the apparatus for resource access.
- the function modules in the server and the device in this embodiment may have different partitions according to specific functions.
- the webApp server includes a user security level authentication unit, a protocol data processing unit, a peer-to-peer (P2P) communication control unit, and the like; the terminal browser includes a protocol processing unit, a command execution unit, and a P2P communication control unit.
- the web application front end cannot directly access the local resource by using JS; the webApp indirectly completes the access to the terminal resources and devices through the server. That is, the server and the terminal browser establish a dedicated control message channel; when a terminal resource needs to be accessed, the corresponding command message is sent to the terminal browser, and the browser performs the corresponding access operation after receiving the command and returns the result.
- the user security level authentication unit of the server performs authentication according to the AppID and user login information of the terminal browser to determine the security access level of the webApp to the terminal resource; the terminal resources and devices that different security levels allow access to are also different.
- the server protocol processing unit receives the HTTP request and encapsulates the custom protocol data (the commands and parameters carried in the HTTP request), and then transmits the data to the communication control unit; it is also responsible for receiving data from the communication control unit, parsing the data, and passing it to the interactive interface unit.
- the server communication control unit is responsible for establishing connections, managing the dedicated control message channel with each terminal browser, transmitting and receiving protocol data, etc., while maintaining a P2P connection table between the server and each terminal browser, which is updated as soon as a connection channel changes.
- the terminal browser side protocol processing unit also completes the parsing of the protocol data, and generates a control command to be transmitted to the command processing unit, and at the same time, the command execution result is encapsulated and transmitted to the communication unit and returned to the server.
- the browser side command execution unit is configured to execute various operation instructions such as adjusting screen brightness, saving bookmarks, accessing bookmarks, vibrating the mobile phone, etc., and returning the execution result to the protocol processing unit.
- the browser side P2P communication unit is responsible for establishing connections, transmitting and receiving protocol data.
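The server-side authentication of Step 102 and the dispatch of the command message over the terminal's channel, as an added Python example that is not taken from the patent. The policy table, the numeric value of the highest level, the AppID and session values, and the message field names are assumptions; unknown resources and terminals without a channel are denied by default.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class SecurityLevel(IntEnum):
    UNTRUSTED = 0   # assumption: AppID is not an official-channel browser build
    OFFICIAL = 1    # from the page: official-channel browser -> security level 1
    LOGGED_IN = 2   # from the page: logged-in user has the highest permissions
                    # (the numeric value 2 is an assumption)


# Constructed sample data; real values would come from the operator.
OFFICIAL_APP_IDS = frozenset({"example-browser/1.0"})
SESSIONS = {"tok-123": "alice"}  # server-side session store

# Assumed policy table: minimum level required per terminal resource.
REQUIRED_LEVEL = {
    "screen_brightness": SecurityLevel.OFFICIAL,
    "vibrate": SecurityLevel.OFFICIAL,
    "bookmark_db": SecurityLevel.LOGGED_IN,
}


@dataclass
class AccessRequest:
    terminal_id: str               # key of the connection in the connection table
    app_id: str                    # browser AppID extracted from the HTTP request
    session_token: Optional[str]   # user login information from the request
    resource: str
    params: dict = field(default_factory=dict)


def security_level(app_id, session_token):
    """Browser version must be legal first; login then raises the level."""
    if app_id not in OFFICIAL_APP_IDS:
        return SecurityLevel.UNTRUSTED
    if session_token is not None and session_token in SESSIONS:
        return SecurityLevel.LOGGED_IN
    return SecurityLevel.OFFICIAL


def restricted(reason, prompt_login=False):
    """Access-restricted message returned when authentication fails."""
    return {"type": "access_restricted", "reason": reason,
            "prompt_login": prompt_login}


def handle_request(req, connection_table):
    """Authenticate one request; on success queue the command on the
    dedicated channel of the terminal that sent it and return the message."""
    channel = connection_table.get(req.terminal_id)
    if channel is None:
        return restricted("no_control_channel")
    required = REQUIRED_LEVEL.get(req.resource)
    if required is None:
        return restricted("unknown_resource")  # default deny
    level = security_level(req.app_id, req.session_token)
    if level < required:
        # Logging in only helps when the browser itself is already trusted.
        return restricted("insufficient_level",
                          prompt_login=(level == SecurityLevel.OFFICIAL))
    command = {"type": "access_control_command",
               "resource": req.resource, "params": dict(req.params)}
    channel.append(command)  # the list stands in for the control channel
    return command


if __name__ == "__main__":
    table = {"t1": []}  # connection table: terminal id -> channel
    req = AccessRequest("t1", "example-browser/1.0", None, "bookmark_db")
    print(handle_request(req, table))
```

The login state is looked up in a server-side session store rather than read from a flag in the request, because everything in the HTTP request is supplied by the client.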
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention relates to a method and apparatus for accessing resources, as well as a server and a terminal. The method comprises: receiving, by the server, a hypertext transfer protocol (HTTP) request for accessing resources of a terminal, and establishing a dedicated control message channel with a browser of the corresponding terminal; then authenticating, by the server, the HTTP request, and processing the request according to the authentication result.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310624479.1A CN104683297A (zh) | 2013-11-26 | 2013-11-26 | Method and apparatus for resource access, server and terminal |
CN201310624479.1 | 2013-11-26 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015078170A1 (fr) | 2015-06-04 |
Family
ID=53198296
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/080233 WO2015078170A1 (fr) | 2013-11-26 | 2014-06-18 | Method and apparatus for accessing resources, server and terminal |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104683297A (fr) |
WO (1) | WO2015078170A1 (fr) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109241343A (zh) * | 2018-07-27 | 2019-01-18 | 北京奇艺世纪科技有限公司 | System, method and apparatus for identifying traffic-inflating users |
CN115065516A (zh) * | 2022-06-06 | 2022-09-16 | 上海华信长安网络科技有限公司 | Method and apparatus for custom request authentication of VoIP devices |
WO2023104117A1 (fr) * | 2021-12-09 | 2023-06-15 | 中兴通讯股份有限公司 | Resource access method and system, electronic device and computer-readable storage medium |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
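CN106549989B (zh) * | 2015-09-17 | 2020-02-18 | 腾讯科技(深圳)有限公司 | Data transmission method and system thereof, user terminal, and application server |
CN105933766B (zh) * | 2016-01-21 | 2019-01-15 | 东方明珠新媒体股份有限公司 | Set-top-box-based WebOS system and set-top box |
CN106101127A (zh) * | 2016-06-30 | 2016-11-09 | Tcl集团股份有限公司 | Application authentication method, apparatus and system |
CN108390844A (zh) * | 2017-06-30 | 2018-08-10 | 勤智数码科技股份有限公司 | Method and apparatus for secure data access through a trusted third party |
CN112632159B (zh) * | 2020-12-01 | 2021-09-28 | 腾讯科技(深圳)有限公司 | Database access control method and apparatus, electronic device, and storage medium |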
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2226988A1 (fr) * | 2009-03-03 | 2010-09-08 | NEC Corporation | Method for accessing local resources of a client terminal in a client/server architecture |
CN102414690A (zh) * | 2009-04-27 | 2012-04-11 | 高通股份有限公司 | Method and apparatus for creating a secure web browsing environment with privilege signing |
CN102611709A (zh) * | 2012-03-31 | 2012-07-25 | 奇智软件(北京)有限公司 | Access control method and system for third-party resources |
CN102929638A (zh) * | 2012-11-07 | 2013-02-13 | 广州市动景计算机科技有限公司 | Method and system for extending WebApp application functions |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9152732B2 (en) * | 2011-11-02 | 2015-10-06 | Microsoft Technology Licensing, Llc. | Browser cache assist for accessing web-based content |
-
2013
- 2013-11-26 CN CN201310624479.1A patent/CN104683297A/zh active Pending
-
2014
- 2014-06-18 WO PCT/CN2014/080233 patent/WO2015078170A1/fr active Application Filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109241343A (zh) * | 2018-07-27 | 2019-01-18 | 北京奇艺世纪科技有限公司 | System, method and apparatus for identifying traffic-inflating users |
WO2023104117A1 (fr) * | 2021-12-09 | 2023-06-15 | 中兴通讯股份有限公司 | Resource access method and system, electronic device and computer-readable storage medium |
CN115065516A (zh) * | 2022-06-06 | 2022-09-16 | 上海华信长安网络科技有限公司 | Method and apparatus for custom request authentication of VoIP devices |
CN115065516B (zh) * | 2022-06-06 | 2024-04-09 | 上海华信长安网络科技有限公司 | Method and apparatus for custom request authentication of VoIP devices |
Also Published As
Publication number | Publication date |
---|---|
CN104683297A (zh) | 2015-06-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015078170A1 (fr) | Method and apparatus for accessing resources, server and terminal | |
US9954855B2 (en) | Login method and apparatus, and open platform system | |
US10484385B2 (en) | Accessing an application through application clients and web browsers | |
CN102694772B (zh) | Apparatus, system and method for accessing Internet web pages | |
US9143511B2 (en) | Validation of conditional policy attachments | |
US20190089810A1 (en) | Resource access method, apparatus, and system | |
CA2930255C (fr) | Identity pool bridging for managed directory services | |
US8056125B2 (en) | Recording medium storing control program and communication system | |
US8966572B2 (en) | Dynamic identity context propagation | |
WO2017008581A1 (fr) | Method, client and system for testing an application | |
US10972507B2 (en) | Content policy based notification of application users about malicious browser plugins | |
WO2016101635A1 (fr) | Method, apparatus and device for synchronizing login state, and computer storage medium | |
CN107257372B (zh) | Method for supporting communication between multiple browsers and a local application | |
US9471533B1 (en) | Defenses against use of tainted cache | |
CA2930292A1 (fr) | Automatic addition of virtual machine instances to a directory | |
US20130036154A1 (en) | Intelligent content delivery | |
US10574703B1 (en) | Content delivery employing multiple security levels | |
JP2014534498A (ja) | Apparatus, method and computer-readable storage medium for protecting JavaScript | |
WO2014094611A1 (fr) | Method and device for uploading data to a social platform | |
CN115189897A (zh) | Access processing method and apparatus for a zero-trust network, electronic device and storage medium | |
US10701073B2 (en) | Terminal authentication method and device | |
US9398066B1 (en) | Server defenses against use of tainted cache | |
US8381269B2 (en) | System architecture and method for secure web browsing using public computers | |
CN112202813B (zh) | Network access method and apparatus | |
CN108509229B (zh) | Method for cross-domain window control, terminal device and computer-readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14865933 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 14865933 Country of ref document: EP Kind code of ref document: A1 |