WO2015078170A1 - Method and apparatus for accessing resources, server and terminal - Google Patents


Info

Publication number
WO2015078170A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
server
browser
terminal
authentication
Application number
PCT/CN2014/080233
Other languages
English (en)
Chinese (zh)
Inventor
徐少泽
张锐利
金学骥
包之凡
Original Assignee
中兴通讯股份有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/14 Multichannel or multilink protocols

Definitions

  • The present invention relates to mobile internet technologies, and in particular to a method and device for accessing resources, a server, and a terminal.

Background art

  • HTML5: Hyper Text Markup Language 5
  • WEB: web page
  • webApp: web application
  • native app: the traditional local application
  • Compared with a native app, a webApp has lower development cost, simpler upgrades and easier maintenance, needs no installation and consumes no user storage space.
  • The so-called webApp is one written for iPhone or Android.
  • The disadvantages of web sites optimized for mobile terminals are also obvious.
  • A webApp's access to local resources is restricted, for example searching local databases, reading local files and operating terminal hardware resources.

Summary of the invention
  • The embodiments of the present invention provide a method and device for accessing resources, a server and a terminal, so as to ensure secure access of the webApp to local resources.
  • An embodiment provides a method for resource access, including:
  • the server receives a hypertext transfer protocol (HTTP) request to access a terminal resource, and establishes a dedicated control message channel with the browser of the corresponding terminal;
  • the server authenticates the HTTP request and processes it according to the authentication result.
  • Establishing the dedicated control message channel with the browser of the corresponding terminal also includes:
  • the server puts the peer-to-peer network connection with the browser of the terminal into a connection table.
  • The server authenticating the access includes:
  • the server extracts an application identifier and user login information of the browser from the HTTP request.
  • The processing by the server according to the authentication result includes:
  • if the authentication passes, the corresponding access control command message is sent to the browser; if the authentication fails, an access restricted message is sent to the browser.
  • An embodiment further provides a server, which includes:
  • an establishing module configured to receive an HTTP request and establish a dedicated control message channel with the browser of the corresponding terminal;
  • a processing module configured to authenticate the access if the HTTP request is to access a resource of the terminal, and to process it according to the authentication result.
  • The establishing module is further configured to put the peer-to-peer network connection with the browser of the terminal into a connection table.
  • The processing module authenticating the access includes: extracting the application identifier of the browser and the user login information from the HTTP request; detecting according to the application identifier whether the version of the browser is legal; and, if the version of the browser is legal, detecting according to the user login information whether the user has access rights. If the version of the browser is legal and the user has access rights, the authentication is passed.
  • The processing module processing according to the authentication result includes: sending a corresponding access control command message to the browser if the authentication is passed; and sending an access restricted message to the browser if the authentication fails.
  • An embodiment further provides a method for resource access, including: when the web application is opened, sending an HTTP request for accessing the terminal resource to the server, and establishing a dedicated control message channel with the server;
  • the method further includes: sending the access result to the server.
  • An embodiment further provides a device for accessing resources, which includes:
  • a sending module configured to, when a web application is opened, send an HTTP request for accessing the terminal resource to the server and establish a dedicated control message channel with the server;
  • a processing module configured to receive the access control command message sent by the server and perform access processing according to it.
  • The processing module is further configured to send the access result to the server after the access processing is performed according to the access control command message.
  • The device comprises a browser.
  • An embodiment further provides a terminal including the above device.
  • An embodiment further provides a computer readable storage medium, which stores a set of computer executable instructions used to perform the terminal-side method of resource access.
  • The embodiments thus provide a method, a device, a server and a terminal for resource access, which can ensure secure access of the webApp to local resources.
  • FIG. 1 is a flowchart of a method for resource access on the terminal side according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of a method for resource access on the server side according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of a protocol field according to an embodiment of the present invention;
  • FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of an apparatus for resource access according to an embodiment of the present invention.

Detailed description
  • webApps are software that performs a specific task.
  • Their functions are relatively simple and mainly meet a specific user's usage requirements. However, to enhance the user experience, make full use of the unique features of the webApp and better replace the native app,
  • the webApp also needs some features of the native app. One of the most important is how to ensure secure access of the webApp to local resources.
  • An embodiment provides a method for resource access with which a browser-based webApp securely accesses local resources.
  • For example, the browser integrates a web fiction reading application with night/day mode switching, saving bookmarks and viewing bookmarks; when the user views the bookmark list, the terminal database needs to be accessed. The webApp is essentially a web page that looks like a native app and is displayed through the browser kernel.
  • JS (JavaScript) is the front-end script program used to implement the various logic functions of a WEB application.
  • Frameworks such as phonegap allow JS to access local resources directly, but in order to prevent abuse of local resources by developers or malware and to protect the security of user information, they impose many restrictions.
  • This solution provides a secure access mechanism through server authentication: the security level determined by the server decides which terminal resources and devices can be accessed.
  • When the webApp needs to access terminal resources, the server is notified first. After the server authentication is passed, a special control protocol is used to interact with the terminal browser over the dedicated control message channel to complete the access to and control of the terminal resource or device, and the result is fed back to the front end.
  • FIG. 1 is a flowchart of a method for accessing a resource on the terminal side according to an embodiment of the present invention.
  • As shown in FIG. 1, the method may include: Step 11: when the terminal opens the web application, the browser sends an HTTP (Hyper Text Transfer Protocol) request for accessing the terminal resource to the server, and establishes a dedicated control message channel with the server;
  • HTTP: Hyper Text Transfer Protocol
  • Step 12: the browser of the terminal receives the access control command message sent by the server and performs access processing according to it.
  • Step 21: the server receives the HTTP request and establishes a dedicated control message channel with the browser of the corresponding terminal.
  • Step 22: if the server finds that the HTTP request is to access a resource of the terminal, the server authenticates the access and processes it according to the authentication result.
  • The embodiment aims to enable the webApp to securely access terminal resources.
  • Technologies such as the phonegap framework also let web applications access local resources directly, but phonegap cannot guarantee that terminal resources are not abused or that user information is secure.
  • Other similar technical standards also use access restriction methods.
  • The embodiment instead uses indirect access through the server. The server performs security management in a unified manner, which avoids the above problems to some extent.
  • Step 101: when the user opens a webApp, an HTTP request is sent to the server; the server obtains the user terminal information from the HTTP request header fields and establishes a dedicated control information channel with the terminal browser.
  • The webApp runs in the browser.
  • The connection control management module is responsible for establishing a P2P connection with the terminal browser and placing it in a connection table for management; the management module can close a connection according to the terminal status or network status, delete the corresponding index in the connection table, retrieve the connection table according to server requirements, and so on.
  • Step 102: after receiving the HTTP request, the server finds that it needs to access a terminal resource (such as accessing the terminal database to obtain a bookmark), invokes the authentication module to calculate the access security level, and determines according to the security level whether access to the terminal resource is allowed.
  • The user security level may be determined by the terminal browser AppID and the user login information.
  • The server first extracts the terminal browser AppID and the user login information, and then determines from the AppID whether the browser is a version published through the official channel. Since an application published through the official channel has been tested in advance and is ensured not to include malicious plug-ins, it has a certain reliability, so its security level is set to 1, allowing webApps running on this browser certain terminal resource access rights. The user login information is then checked; if the user is already logged in, the user automatically has the highest access permissions.
  • The control command message sent to the browser corresponds to the request sent by the webApp.
  • For example, for an HTTP request sent to the server, the server finds after receiving the request that it needs to access the database on the terminal, and then sends a message requesting access to the database to the terminal browser over the dedicated control information channel; after receiving the message, the browser performs the related data operations and returns the result.
  • Control messages between the server and the terminal browser can use a custom internal protocol format.
  • The specific composition of the protocol field in this embodiment is shown in FIG. 3.
  • The length of the protocol data is not fixed and varies with the number of parameters and the length of the parameter values.
  • T is used as a separator between the parts of the protocol field, and T is also used between the parameters.
  • The protocol parsing unit extracts the relevant parameters according to the command. For example, if the browser receives a command to adjust the screen brightness of the terminal, it searches for the corresponding keyword in the field, extracts the brightness value parameter, and passes the command and parameters to the command execution unit. Finally, the command execution unit calls the corresponding system interface to complete the screen brightness adjustment. If the authentication fails, the user can be given a corresponding prompt and asked to log in.
  • Step 104: after receiving the command message, the terminal browser performs the corresponding operation and returns the operation result to the server.
  • Step 105: the server sends an HTTP response to the webApp front end, delivering the access result and the returned data.
  • Step 106: after receiving the response, the webApp front end performs the corresponding subsequent action.
  • For example, the webApp front end can display the query results after receiving the message.
  • The connection relationship between the server and the terminal browsers is relatively simple; the network elements are peers, in a typical star structure.
  • FIG. 4 is a schematic diagram of a server according to an embodiment of the present invention. As shown in FIG. 4, the server 10 of this embodiment includes:
  • the establishing module 11, which may be further configured to put the peer-to-peer network connection with the browser of the terminal into a connection table;
  • the processing module 12, whose authenticating of the access may include: extracting the application identifier and user login information of the browser from the HTTP request; detecting by the application identifier whether the browser version is legal; and, if the version is legal, detecting the user's access rights according to the user login information. If the version of the browser is valid and the user has access rights, the authentication is passed.
  • The processing module 12, when processing according to the authentication result, may send a corresponding access control command message to the browser if the authentication is passed, and an access restricted message to the browser if the authentication fails.
  • The establishing module 11 and the processing module 12 may be implemented by a central processing unit (CPU), a micro processing unit (MPU), a digital signal processor (DSP) or a field-programmable gate array (FPGA).
  • CPU: central processing unit
  • MPU: micro processing unit
  • DSP: digital signal processor
  • FPGA: field-programmable gate array
  • FIG. 5 is a schematic diagram of an apparatus for accessing resources according to an embodiment of the present invention.
  • The apparatus for accessing a resource includes a browser installed on the terminal.
  • The apparatus 20 of this embodiment may include:
  • the processing module 22, configured to receive the access control command message sent by the server and perform access processing according to it.
  • The sending module 21 and the processing module 22 can be implemented by a CPU, MPU, DSP or FPGA of the resource-accessing device.
  • The function modules in the server and the device of this embodiment may be partitioned differently according to specific functions.
  • For example, the webApp server includes a user security level authentication unit, a protocol data processing unit and a peer-to-peer (P2P) communication control unit; the terminal browser includes a protocol processing unit, a command execution unit and a P2P communication control unit.
  • The web application front end cannot access local resources directly with JS; instead the webApp completes access to terminal resources and devices indirectly through the server. That is, the server and the terminal browser establish a dedicated control message channel; when a terminal resource needs to be accessed, the corresponding command message is sent to the terminal browser, and the browser performs the corresponding access operation after receiving the command and returns the result.
  • The user security level authentication unit of the server performs authentication according to the AppID and user login information of the terminal browser to determine the security access level of the webApp to terminal resources; different security levels allow access to different terminal resources and devices.
  • The server protocol processing unit receives the HTTP request, encapsulates the custom protocol data (the commands and parameters carried in the HTTP request) and passes it to the communication control unit; it is also responsible for receiving data from the communication control unit, parsing it and passing it to the interactive interface unit.
  • The server communication control unit is responsible for establishing connections, managing the dedicated control message channel with each terminal browser, and transmitting and receiving protocol data, while maintaining a P2P connection table between the server and each terminal browser, which is updated as soon as a connection channel changes.
  • The terminal browser side protocol processing unit likewise parses the protocol data and generates a control command to be passed to the command execution unit; at the same time, the command execution result is encapsulated, passed to the communication unit and returned to the server.
  • The browser side command execution unit executes the various operation instructions, such as adjusting screen brightness, saving bookmarks, accessing bookmarks and vibrating the mobile phone, and returns the execution result to the protocol processing unit.
  • The browser side P2P communication unit is responsible for establishing connections and transmitting and receiving protocol data.
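The server-side decision of Step 102 and processing module 12, as an added example that is not part of the patent: the browser AppID is checked first, then the login information, and the resulting level is compared with what the requested terminal resource needs before an access command or an access restricted message is built. The header names, the official-AppID registry, the resource table and the separator character are assumptions, since the page does not state the exact fields of FIG. 3.

```python
# Added example (not from the patent): a model of the server-side
# authentication in Step 102 / processing module 12. Header names, the
# official-AppID registry, the level numbers and the resource table are
# constructed assumptions; FIG. 3's real field layout is not on the page.
from dataclasses import dataclass
from typing import Mapping

# Constructed: AppIDs of browser builds published through the official channel.
OFFICIAL_APP_IDS = {"official-browser-2.1", "official-browser-2.2"}

# Constructed: minimum security level each terminal resource requires.
# Level 0 = browser version not legal, 1 = official-channel browser (the
# page's level 1), 2 = official browser with a logged-in user (the page's
# "highest access permissions").
RESOURCE_MIN_LEVEL = {
    "screen.brightness": 1,
    "phone.vibrate": 1,
    "bookmark.list": 2,   # needs the terminal database
    "file.read": 2,
}


@dataclass(frozen=True)
class AuthResult:
    level: int
    reason: str


def authenticate(headers: Mapping[str, str], sessions: Mapping[str, str]) -> AuthResult:
    """Compute the access security level from the browser AppID and login info.

    `headers` is the parsed HTTP request header map; `sessions` maps a session
    token to a user name (a constructed stand-in for "user login information").
    Order matters as on the page: the version check comes first, and login is
    only consulted when the version is legal. The AppID is supplied by the
    client, so a deployment must bind it to something the server can verify;
    the page does not describe that binding and this model does not add one.
    """
    app_id = headers.get("X-App-Id", "")
    if app_id not in OFFICIAL_APP_IDS:
        return AuthResult(0, "browser version is not an official-channel release")
    user = sessions.get(headers.get("X-Session", ""))
    if user is None:
        return AuthResult(1, "official browser, user not logged in")
    return AuthResult(2, f"official browser, user {user} logged in")


def build_message(command: str, params: Mapping[str, str], sep: str = "|") -> str:
    """Encode a control message as COMMAND<sep>key=value<sep>key=value.

    The separator-delimited, variable-length layout follows the page's
    description; the concrete characters are an assumption, not FIG. 3.
    """
    for key, value in params.items():
        if sep in key or sep in value or "=" in key:
            raise ValueError("parameter contains a reserved character")
    return sep.join([command] + [f"{k}={v}" for k, v in params.items()])


def handle_request(headers: Mapping[str, str], sessions: Mapping[str, str],
                   resource: str, params: Mapping[str, str]) -> str:
    """Return the message the server would send over the control channel."""
    auth = authenticate(headers, sessions)
    needed = RESOURCE_MIN_LEVEL.get(resource)
    if needed is None or auth.level < needed:
        # Access restricted message; the page suggests prompting the user to log in.
        return build_message("ACCESS_RESTRICTED",
                             {"resource": resource, "reason": auth.reason})
    return build_message("ACCESS", {"resource": resource, **params})


if __name__ == "__main__":
    demo_sessions = {"tok1": "alice"}  # constructed session table
    print(handle_request({"X-App-Id": "official-browser-2.1"}, demo_sessions,
                         "screen.brightness", {"value": "70"}))
    print(handle_request({"X-App-Id": "official-browser-2.1"}, demo_sessions,
                         "bookmark.list", {}))
```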

Abstract

The invention relates to a method and apparatus for accessing resources, as well as a server and a terminal. The method comprises: the server receiving a hypertext transfer protocol (HTTP) request for resources of a terminal to be accessed, and establishing a dedicated control message channel with a browser of the corresponding terminal; then the server authenticating the HTTP request and processing it according to the authentication result.
PCT/CN2014/080233 2013-11-26 2014-06-18 Method and apparatus for accessing resources, server and terminal WO2015078170A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310624479.1A CN104683297A (zh) 2013-11-26 2013-11-26 Resource access method and apparatus, server and terminal
CN201310624479.1 2013-11-26

Publications (1)

Publication Number Publication Date
WO2015078170A1 true WO2015078170A1 (fr) 2015-06-04

Family

ID=53198296

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/080233 WO2015078170A1 (fr) 2013-11-26 2014-06-18 Method and apparatus for accessing resources, server and terminal

Country Status (2)

Country Link
CN (1) CN104683297A (fr)
WO (1) WO2015078170A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109241343A (zh) * 2018-07-27 2019-01-18 北京奇艺世纪科技有限公司 Fake-traffic user identification system, method and apparatus
CN115065516A (zh) * 2022-06-06 2022-09-16 上海华信长安网络科技有限公司 Method and apparatus for custom request authentication of a VoIP device
CN115065516B (zh) * 2022-06-06 2024-04-09 上海华信长安网络科技有限公司 Method and apparatus for custom request authentication of a VoIP device
WO2023104117A1 (fr) * 2021-12-09 2023-06-15 中兴通讯股份有限公司 Resource access method and system, electronic device and computer-readable storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106549989B (zh) * 2015-09-17 2020-02-18 腾讯科技(深圳)有限公司 Data transmission method and system, user terminal and application server
CN105933766B (zh) * 2016-01-21 2019-01-15 东方明珠新媒体股份有限公司 Set-top-box-based WebOS system and set-top box
CN106101127A (zh) * 2016-06-30 2016-11-09 Tcl集团股份有限公司 Application authentication method, apparatus and system
CN108390844A (zh) * 2017-06-30 2018-08-10 勤智数码科技股份有限公司 Method and apparatus for secure data access through a trusted third party
CN112632159B (zh) * 2020-12-01 2021-09-28 腾讯科技(深圳)有限公司 Database access control method and apparatus, electronic device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2226988A1 (fr) * 2009-03-03 2010-09-08 NEC Corporation Method for accessing local resources of a client terminal in a client/server architecture
CN102414690A (zh) * 2009-04-27 2012-04-11 高通股份有限公司 Method and apparatus for creating a secure web browsing environment with privileged signatures
CN102611709A (zh) * 2012-03-31 2012-07-25 奇智软件(北京)有限公司 Access control method and system for third-party resources
CN102929638A (zh) * 2012-11-07 2013-02-13 广州市动景计算机科技有限公司 Method and system for extending WebApp application functions

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9152732B2 (en) * 2011-11-02 2015-10-06 Microsoft Technology Licensing, Llc. Browser cache assist for accessing web-based content

Also Published As

Publication number Publication date
CN104683297A (zh) 2015-06-03

Similar Documents

Publication Publication Date Title
WO2015078170A1 (fr) Method and apparatus for accessing resources, server and terminal
US9954855B2 (en) Login method and apparatus, and open platform system
US10484385B2 (en) Accessing an application through application clients and web browsers
CN102694772B (zh) Apparatus, system and method for accessing Internet web pages
US9143511B2 (en) Validation of conditional policy attachments
US20190089810A1 (en) Resource access method, apparatus, and system
CA2930255C (fr) Identity pool bridging for managed directory services
US8056125B2 (en) Recording medium storing control program and communication system
US8966572B2 (en) Dynamic identity context propagation
WO2017008581A1 (fr) Application testing method, client and system
US10972507B2 (en) Content policy based notification of application users about malicious browser plugins
WO2016101635A1 (fr) Connection state synchronization method, apparatus and device, and computer storage medium
CN107257372B (zh) Method for supporting communication between multiple browsers and a local application
US9471533B1 (en) Defenses against use of tainted cache
CA2930292A1 (fr) Automatically adding virtual machine instances to a directory
US20130036154A1 (en) Intelligent content delivery
US10574703B1 (en) Content delivery employing multiple security levels
JP2014534498A (ja) Apparatus, method and computer-readable storage medium for protecting JavaScript
WO2014094611A1 (fr) Method and device for uploading data to a social platform
CN115189897A (zh) Access processing method, apparatus, electronic device and storage medium for a zero-trust network
US10701073B2 (en) Terminal authentication method and device
US9398066B1 (en) Server defenses against use of tainted cache
US8381269B2 (en) System architecture and method for secure web browsing using public computers
CN112202813B (zh) Network access method and apparatus
CN108509229B (zh) Method for cross-domain window control, terminal device and computer-readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 14865933; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 14865933; country of ref document: EP; kind code of ref document: A1)