WO2018227802A1 - Permission acquisition method, apparatus, device and storage medium (一种权限获取方法、装置、设备和存储介质) - Google Patents

Info

Publication number
WO2018227802A1
Authority: WO (WIPO, PCT)
Prior art keywords: access, information, user information, permission, request
Application number: PCT/CN2017/102299
Other languages: English (en), French (fr)
Inventor: 李晓龙
Original Assignee: 西安中兴新软件有限责任公司
Application filed by 西安中兴新软件有限责任公司; published as WO2018227802A1.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles

Definitions

  • The present application relates to, but is not limited to, the field of communication technologies, and in particular to a method, apparatus, device and storage medium for acquiring permissions.
  • A device that stores accessible or usable resources may be referred to as a resource device; the resource device can provide a resource requester with the resources stored on it.
  • When a resource requester asks to access or use a resource on the resource device, the resource device authenticates the requester against the permission data of legitimate users that it stores in advance, and if authentication passes, provides the requester with the resources on the resource device that the legitimate user identity is entitled to.
  • Because the permission data of legitimate users is stored on the resource device itself, if the resource device is stolen or attacked over the network, an illegal user may still acquire the resources on it, which is a serious security risk.
  • The embodiments of the present application provide a method, apparatus, device and storage medium for acquiring permissions that can prevent an illegal user from acquiring the resources stored on the resource device.
  • An embodiment of the present application provides a permission acquisition method comprising: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (RADIUS) server, where the request is used to acquire the access permission information corresponding to the user information; and receiving a permission acquisition response sent by the RADIUS server that carries the access permission information.
  • Before sending the permission acquisition request carrying the user information to the RADIUS server, the method may further include receiving a resource access request carrying the user information, where the resource access request is used to acquire the accessible resources on the resource device that correspond to the user information. After receiving the permission acquisition response carrying the access permission information from the RADIUS server, the method may further include determining, according to the access permission information, the accessible resources on the resource device that correspond to the user information.
  • the resource device may be a home gateway
  • Receiving the resource access request carrying the user information may include receiving a login request sent by an Internet of Things terminal that carries the user information, where the login request asks for the accessible resources on the home gateway corresponding to the user information; and determining the accessible resources on the resource device according to the access permission information may include determining, according to the access permission information, the resources on the home gateway that the Internet of Things terminal may access.
  • The user information may include a media access control (MAC) address and a password of the Internet of Things terminal, and the same MAC address combined with different passwords corresponds to the same or different access permission information.
  • The resource device may also be a terminal device, with the accessible resource being a set of applications that are allowed to be enabled. In that case, before sending the permission acquisition request carrying the user information to the RADIUS server, the method may further include: entering a user information acquisition state after receiving an activation operation that starts an application on the terminal device; and receiving the user information while in that state. After receiving the permission acquisition response carrying the access permission information from the RADIUS server, the method may further include determining, according to the set of applications allowed to be enabled that corresponds to the access permission information, whether to enable the application.
  • the user information may include a username and a password, and the combination of the same username and different passwords corresponds to different access rights information.
  • Sending the permission acquisition request carrying the user information to the RADIUS server may include sending an Access-Request message carrying the user information and an access permission identifier to the RADIUS server; receiving the permission acquisition response carrying the access permission information may include receiving an Access-Accept message sent by the RADIUS server that carries the access permission information.
  • The method may further include sending an Accounting-Request message carrying the access permission information to the RADIUS server, where the Accounting-Request is used to ask the RADIUS server to determine, according to the access permission information, at least one of a billing method and a billing rate corresponding to the user information.
  • The Access-Request message may include an attribute value pair (AVP) field whose type number characterizes the access permission identifier.
  • An embodiment of the present application provides a permission acquisition method comprising: a RADIUS server receiving a permission acquisition request carrying user information sent by a RADIUS client, where the request is used to acquire the access permission information corresponding to the user information; and sending to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
  • The RADIUS server receiving the permission acquisition request carrying the user information from the RADIUS client may include receiving an Access-Request message carrying the user information and an access permission identifier from the RADIUS client; sending the permission acquisition response carrying the access permission information to the RADIUS client may include sending an Access-Accept message carrying the access permission information corresponding to the user information to the RADIUS client.
  • the access rights information is used to determine an accessible resource corresponding to the user information, and different access rights information corresponds to different accessible resources.
  • The method may further include receiving an Accounting-Request message from the RADIUS client that carries the access permission information, and determining, according to the access permission information, at least one of the billing method and the billing rate corresponding to the user information.
  • An embodiment of the present application provides a permission acquisition apparatus including: a first sending module, configured to send a permission acquisition request carrying user information to a RADIUS server, where the request is used to acquire the access permission information corresponding to the user information; and a first receiving module, configured to receive a permission acquisition response sent by the RADIUS server that carries the access permission information.
  • An embodiment of the present application provides a permission acquisition apparatus including: a second receiving module, configured to receive a permission acquisition request carrying user information from a RADIUS client, where the request is used to acquire the access permission information corresponding to the user information; and a second sending module, configured to send to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
  • the embodiment of the present application provides a resource device, where the resource device includes:
  • An embodiment of the present application provides a RADIUS authentication server including a memory, a processor, and a permission acquisition program stored in the memory and runnable on the processor, where the processor, when executing the program, performs the permission acquisition method of any one of the second aspects.
  • An embodiment of the present application provides a computer readable storage medium storing a permission acquisition program which, when executed by a processor, implements the steps of the permission acquisition method of any one of the first aspect or the second aspect.
  • In the permission acquisition method provided by the embodiments of the present application, a permission acquisition request carrying the user information is sent to the RADIUS server to obtain the access permission information corresponding to the user information. The access permission information is determined by the RADIUS server on the network side from the user information and the permission data stored on the RADIUS server; an illegal user cannot obtain the permission data stored on the RADIUS server, and therefore cannot obtain the resources on the resource device.
  • FIG. 1A is a first schematic diagram of a network architecture of a permission acquisition method in an embodiment of the present application;
  • FIG. 1B is a schematic flowchart of a RADIUS-server-based permission acquisition method according to an embodiment of the present application;
  • FIG. 2A is a first schematic diagram of an interaction process of a permission acquisition method in an embodiment of the present application;
  • FIG. 2B is a schematic diagram of the format of an attribute value pair field in a permission acquisition method in an embodiment of the present application;
  • FIG. 3 is a first schematic diagram of a processing flow of a permission acquisition method in an embodiment of the present application;
  • FIG. 4A is a second schematic diagram of a network architecture of a permission acquisition method in an embodiment of the present application;
  • FIG. 4B is a second schematic diagram of an interaction process of a permission acquisition method in an embodiment of the present application;
  • FIG. 5 is a second schematic diagram of a processing flow of a permission acquisition method in an embodiment of the present application;
  • FIG. 6A is a third schematic diagram of a network architecture of a permission acquisition method in an embodiment of the present application;
  • FIG. 6B is a third schematic diagram of a processing flow of a permission acquisition method in an embodiment of the present application;
  • FIG. 7 is a first schematic structural diagram of a permission acquisition apparatus according to an embodiment of the present application;
  • FIG. 8 is a second schematic structural diagram of a permission acquisition apparatus according to an embodiment of the present application;
  • FIG. 9 is a schematic structural diagram of a resource device according to an embodiment of the present application;
  • FIG. 10 is a schematic structural diagram of a RADIUS server according to an embodiment of the present application.
  • FIG. 1A is a first schematic diagram of the network architecture of a permission acquisition method according to an embodiment of the present application.
  • The network architecture of this embodiment may include a resource requester 10, a resource device 11, and an authentication server 12.
  • The resource device 11 may be a device such as a home gateway, or a terminal device such as a mobile phone; the resource requester 10 may be another device or a user, for example an Internet of Things terminal.
  • The resource device 11 can provide the resource requester 10 with the accessible resources that correspond to the access permission of the resource requester 10.
  • The resource requester 10 may send a resource access request carrying user information to the resource device 11, where the resource access request may be a login request for the accessible resources on the resource device that correspond to the user information. The resource device 11 may then send a permission acquisition request carrying the user information to the authentication server 12 to obtain the access permission that the authentication server 12 determines from the user information.
  • The resource device 11 determines, according to the access permission corresponding to the user information, which resources on the resource device 11 the user information is allowed to access, and allows the resource requester 10 to use those resources.
  • The resource access request sent by the resource requester 10 to the resource device 11 may also be an enable request asking to activate a certain resource on the resource device 11. After the resource device 11 receives the resource access request, the resource requester 10 reports its user information; the resource device 11 then obtains the access permission corresponding to the user information from the authentication server 12 and determines, according to that access permission, whether the resource requester 10 is allowed to enable the requested resource. If the requested resource belongs to the resources on the resource device 11 that the access permission allows, the resource requester 10 is allowed to enable it.
  • The access permission corresponding to the user information may be access permission information, which may include at least one of an access permission level, an access permission range, an access permission size, and access permission content information.
  • Different user information may correspond to the same or different access permission information, and different access permission information may correspond to different accessible resources on the resource device 11. The resource device 11 or the authentication server 12 may store, for each access permission level, the range of accessible resources or the size or number of accessible resources, so that the resource device 11 can provide the resource requester 10 with the corresponding accessible resources according to the access permission information of the user information.
  • The user information may include a username and a password.
  • Different user information may mean different usernames, and different usernames may correspond to the same or different access permission information; in another example, different user information may be a combination of a username and a password, and the same username combined with different passwords may also correspond to the same or different access permission information.
  • In this way the resource device 11 is given a more flexible way of controlling its accessible resources.
  • The authentication server 12 may be a Remote Authentication Dial In User Service (RADIUS) server, and the resource device 11 may carry out the permission acquisition interaction through a RADIUS client and the RADIUS server.
  • The RADIUS client can be deployed on the resource device 11 or outside it.
  • FIG. 1B is a schematic flowchart of a RADIUS-server-based permission acquisition method according to an embodiment of the present disclosure.
  • The executor of this embodiment may be a resource device on which a RADIUS client is deployed, the RADIUS client deployed on a resource device, or a RADIUS client deployed outside the resource device and connected to it.
  • The steps in this embodiment may include:
  • S101: Send a permission acquisition request carrying user information to the RADIUS server, where the request is used to obtain the access permission information corresponding to the user information.
  • The resource device 11 may send the permission acquisition request to the RADIUS server through the RADIUS client, whether it is deployed on the resource device 11 or outside it.
  • The resource device 11 may send an authentication request carrying the user information to the RADIUS client to trigger the RADIUS client to start an authentication process with the RADIUS server.
  • S102: Receive a permission acquisition response sent by the RADIUS server that carries the access permission information corresponding to the user information.
  • The access permission information may be used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
  • The RADIUS server authenticates the user information against the authentication data and permission data of legitimate users that it stores. If authentication succeeds, the access permission information corresponding to the user information is carried in the permission acquisition response.
  • The RADIUS client can pass the access permission information corresponding to the user information to the resource device 11 through the permission acquisition response.
  • The resource device 11 can then determine the accessible resources on the resource device 11 that correspond to the user information according to the access permission information, where different access permission information may correspond to different accessible resources on the resource device.
  • With the permission acquisition method of this embodiment, when a resource requester wants to obtain accessible resources on a resource device, the RADIUS server authenticates the user information used by the resource requester and determines the access permission information corresponding to it. Because different access permission information corresponds to different accessible resources, the data and resources stored on the resource device can be opened only to legitimate users with access permission, which prevents unauthorized users from acquiring data stored on the resource device.
  • FIG. 2A is a schematic diagram of an interaction process of a permission acquisition method in an embodiment of the present application. As shown in FIG. 2A, the interaction between the RADIUS client and the RADIUS server may include:
  • S201: The RADIUS client sends an Access-Request message to the RADIUS server.
  • The Access-Request may carry an access permission identifier together with the user information, so that the Access-Request is used to request the access permission information corresponding to the user information.
  • This embodiment may extend the Attribute Value Pair (AVP) field defined by RFC 2865, that is, the type field within the attribute list.
  • The Access-Request includes an AVP field whose type number (type) characterizes the access permission identifier.
  • FIG. 2B is a schematic diagram of the format of an attribute value pair field in a permission acquisition method in an embodiment of the present application.
  • The AVP field may include a type field, a length field, and a value field; the type field is also referred to as the RADIUS type field.
  • The type field, the length field, and the value field may each occupy 1 byte.
  • The usage rules for the enumeration values of the type field in the AVP field are defined as follows: values 192 to 223 are reserved for experimental use, values 224 to 240 are reserved for implementation-specific use, and values 241 to 255 are reserved.
  • The value of the type field may be chosen with these ranges in mind.
  • The Access-Request may carry an AVP field with type 224 to indicate that the Access-Request is used to request access permission information; that is, an AVP with type 224 serves as the identifier of the message flow related to requesting access permission information, and may be referred to as the access permission identifier.
  • Other values in the range 224 to 240 may also be used as the identifier for requesting access permission information.
  • The value of the value field can be 0.
  • S202: The RADIUS server sends an Access-Accept message to the RADIUS client.
  • After authenticating the user information, the RADIUS server places the access permission information corresponding to the user information in the Access-Accept and sends it to the RADIUS client.
  • In the Access-Accept, the type field of the AVP may be 224 and the value field may hold the access permission information corresponding to the user information.
  • The value field may take any value from 1 to 254.
  • If no access permission information matching the user information is found in the permission database, the RADIUS server may carry in the Access-Accept an AVP field with type 224 and value 255 to indicate that no access permission information is configured for the user information.
  • The RADIUS server may instead send an Access-Reject message to the RADIUS client carrying information identifying that the user information has no access permission.
  • In the Access-Reject, the type field of the AVP may be 224 and the value field may be 255 to identify that the user information has no access permission information.
  • The Access-Reject may also omit the AVP field with type 224 altogether.
  • The following steps may also be included:
  • S203: The RADIUS client sends an Accounting-Request message to the RADIUS server.
  • The Accounting-Request may carry the user information and may also carry the access permission information corresponding to it.
  • In the Accounting-Request, the type field of the AVP may be 224 and the value field may hold the access permission information corresponding to the user information.
  • S204: The RADIUS server sends an Accounting-Response message to the RADIUS client.
  • After sending the Accounting-Response to the RADIUS client, the RADIUS server can bill the resource access operations related to the user information according to the access permission information of the user information.
  • Different access permission information may correspond to at least one of different billing methods and different billing rates.
  • The billing method may be, for example, billing at rates that differ by time period, or pay-per-use; the billing rate may be, for example, a resource usage rate per unit time.
  • This embodiment extends the RFC protocol and provides an interaction method for obtaining access permission information under the RADIUS client and RADIUS server authentication architecture.
  • The RADIUS server is usually deployed on the core network side of a mobile network.
  • Using the RADIUS server as the authentication server for obtaining access permission information can give enterprises a secure and flexible way to control access to resources on a large number of resource devices.
  • User authentication data need not be stored on the resource device, so the loss of a single resource device does not expose all user authentication data.
  • Enterprises do not need to set up separate servers storing user authentication and permission data, which matters most when an enterprise manages a large number of resource devices across regions and countries: no separate authentication server is needed in each region or country, which in turn reduces the chance of user information being leaked in cross-regional transmission. The permission acquisition method of this embodiment therefore provides a strong safeguard for user information when managing the permissions of a large number of resource devices.
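The Access-Request/Access-Accept exchange of S201 and S202 above, and the database-lookup flow of FIG. 3 below, as an added example that is not code from the patent or its assignee: it encodes the type-224 AVP with value 0 in the request, hides User-Password as RFC 2865 requires, maps the reply's value field (1 to 254, 255, or Access-Reject) to a decision, and verifies the Response Authenticator before any permission is honoured. The shared secret, usernames, passwords and permission table are constructed sample values.

```python
"""Constructed model of the type-224 'access permission' AVP exchange described in the text.
Added example, not code from the patent; all secrets, identities and table entries are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types
ATTR_ACCESS_PERMISSION = 224   # implementation-specific type used by the text
PERM_REQUEST = 0               # value carried in the Access-Request (identifier only)
PERM_NONE = 255                # "no access permission information configured"


def encode_avp(avp_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (1 byte, header included) | Value."""
    if not 0 <= avp_type <= 255 or not 1 <= len(value) <= 253:
        raise ValueError("AVP type or value length out of range")
    return struct.pack("!BB", avp_type, len(value) + 2) + value


def decode_avps(data: bytes) -> list:
    """Walk the attribute list, rejecting truncated or undersized AVPs (length must be >= 3)."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated AVP header")
        avp_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((avp_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16 bytes, XOR with MD5(secret + previous block).
    For a single 16-byte block the operation is its own inverse, which the server uses below."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(ident, secret, username, password, authenticator=None):
    """RADIUS client side of S201/S301: credentials plus the type-224 identifier with value 0."""
    ra = os.urandom(16) if authenticator is None else authenticator   # Request Authenticator
    attrs = (encode_avp(ATTR_USER_NAME, username)
             + encode_avp(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + encode_avp(ATTR_ACCESS_PERMISSION, bytes([PERM_REQUEST])))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_response(code, ident, request_auth, secret, attrs):
    """RADIUS server side of S202/S304/S305. Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def parse_packet(data: bytes):
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    return code, ident, data[4:20], decode_avps(data[20:])


def response_is_authentic(response, request_auth, secret) -> bool:
    """Client-side check: a forged or modified Access-Accept must not unlock any resource."""
    _code, _ident, resp_auth, _avps = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def interpret_response(response, request_auth, secret):
    """Map the reply to (decision, permission) using the value rules in the text:
    1..254 = permission information, 255 = none configured, Access-Reject = denied."""
    if not response_is_authentic(response, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: drop packet")
    code, _ident, _auth, avps = parse_packet(response)
    if code == ACCESS_REJECT:
        return ("reject", None)
    perm = next((v for t, v in avps if t == ATTR_ACCESS_PERMISSION), None)
    if code != ACCESS_ACCEPT or perm is None or len(perm) != 1:
        return ("invalid", None)   # no permission AVP, or a length this model does not expect
    if perm[0] == PERM_NONE:
        return ("accept-no-permission", None)
    if 1 <= perm[0] <= 254:
        return ("accept", perm[0])
    return ("invalid", None)       # value 0 is only meaningful in the request


def demo(secret: bytes = b"constructed-shared-secret"):
    """One full exchange: admin/testA is mapped to permission 1, as in the text's example."""
    req = build_access_request(7, secret, b"admin", b"testA", authenticator=bytes(range(16)))
    _code, ident, req_auth, avps = parse_packet(req)          # server parses the request
    assert (ATTR_ACCESS_PERMISSION, bytes([PERM_REQUEST])) in avps
    permission_db = {b"admin": {b"testA": 1, b"testB": 2}}   # constructed, per-password entries
    user = next(v for t, v in avps if t == ATTR_USER_NAME)
    pw = hide_password(next(v for t, v in avps if t == ATTR_USER_PASSWORD), secret, req_auth)
    level = permission_db.get(user, {}).get(pw.rstrip(b"\x00"))
    reply = (build_response(ACCESS_REJECT, ident, req_auth, secret, b"") if level is None else
             build_response(ACCESS_ACCEPT, ident, req_auth, secret,
                            encode_avp(ATTR_ACCESS_PERMISSION, bytes([level]))))
    return interpret_response(reply, req_auth, secret)   # ("accept", 1)


if __name__ == "__main__":
    print(demo())
```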
  • FIG. 3 is a schematic diagram 1 of a processing flow of a method for obtaining rights according to an embodiment of the present application. As shown in FIG. 3, the steps in this embodiment may include:
  • S301 The radius client starts, and sends an access request message with an access permission identifier to the radius server.
  • the radius client can write the obtained username and password into an Access-Request (access request message), and add an access permission in the AVP field of the Access-Request.
  • Access-Request access request message
  • the AVP field carrying the access permission identifier in the access request message is parsed by the network packet analysis software as follows:
  • l represents a length field
  • t represents a type field
  • the value of t is 224
  • the value of the value field is 0.
  • the value of the length field may also be greater than or equal to 3.
  • the radius server receives the access request packet and queries the permission database.
  • the radius server may query the permission database when identifying the access permission identifier (Access Permission field) in the access request message.
  • S303 The radius server determines whether the access authority information corresponding to the user information is queried in the permission database. If the query is performed, the process proceeds to S305. If not, the process proceeds to S304.
  • S304 The radius server sends an access reject response packet to the radius client.
  • the radius server sends an access reject response packet (Access-Reject) to the radius client when the privilege information corresponding to the username is not found in the privilege database.
  • Access-Reject an access reject response packet
  • S305 The radius server sends an access success response packet carrying the access permission identifier to the radius client.
  • the radius server writes the access authority information found in the permission database for the username into the value field of the access success response packet (Access-Accept).
  • the length of the value field in this embodiment can take a default value. With a 1-byte value field, the value field can hold a value from 0 to 255. The value 0 serves as the access permission identifier in the access request packet. The value 255 serves as the error response identifier in the access success response message when no access permission information corresponding to the user information is found, and 255 can also be used as the value field in the access reject response message when authentication fails. Therefore 254 kinds of permissions can be distinguished here.
  • the length of the value field may be extended, for example to 2 bytes, so that more access authority values can be carried in the value field.
  • a network packet analysis tool parses the AVP field carrying the access permission identifier in the access success response message as follows:
  • the permission database of the radius server can configure different permissions not only for different user names but also for different passwords.
  • for example, a terminal device A logs in with the username "admin". If the password is "testA", the access permission information in the permission database can be configured as 1; if the password is "testB", it can be configured as 2. That is, different users logging in with the same username but different passwords can be planned to have different permissions, which can also affect the subsequent charging phase.
  • the radius server can provide at least one of different billing modes and different billing rates for users with different access rights information, for example an Internet access rate per unit time when an Internet of Things terminal uses an Internet service through a home gateway.
  • after receiving the Access-Accept packet, the radius client parses the Access-Permission field in the AVP field, and the login module of the terminal device opens the corresponding login permissions to the user according to the value of the value field of the AVP field.
  • users with different access rights information can be configured to obtain different resources on the radius client, for example different allowed online times.
  • the radius client receives the access success response packet, and sends an accounting request packet to the radius server.
  • the AVP field in the Accounting Request message is also configured with the corresponding access permission identifier.
  • a network packet analysis tool parses the AVP field carrying the access permission identifier in the accounting request message as follows:
  • the radius server receives the accounting request packet, sends the accounting response packet, and starts billing according to at least one of the charging mode and the charging rate corresponding to the access permission information indicated by the access permission identifier.
  • the radius server reads the value of the value field of the Access-Permission field in the AVP field of the accounting request message (Accounting-Request), and can perform classified charging for the resource access operations corresponding to the user information (the same username combined with different passwords) used for access authentication.
  • a network packet analysis tool parses the AVP field carrying the access permission identifier in the accounting request message and the accounting response message as any one of the following:
  • S301 to S308 are the radius interaction processes related to the Access-Permission field; the subsequent accounting response message may follow the definition in RFC 2865, that is, the processing flow after S308 may not be needed.
  • other technical details and technical effects of this embodiment can be found in the description of FIG. 1A to FIG. 2B.
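The AVP exchange of S301 to S308 as an added example (not the patent's or any radius implementation's own code): the Access-Permission attribute encoded as an RFC 2865 type/length/value attribute, the server-side lookup that answers Access-Accept or Access-Reject, and the billing selection from the Accounting-Request. The permission database, billing table and helper names are constructed for this illustration.

```python
# Added example (not the patent's own code): the Access-Permission AVP encoded as
# an RFC 2865 attribute, the radius server's S302-S305 lookup and the S307
# billing selection. PERMISSION_DB, BILLING_RATE and all function names are
# constructed for this illustration.

USER_NAME = 1                 # RFC 2865 User-Name attribute type
ACCESS_PERMISSION = 224       # type field value used above (RFC 2865 reserves 224-240 for implementation-specific use)
PERMISSION_REQUEST = 0        # value field in an Access-Request: "return the permission"
PERMISSION_ERROR = 255        # value field when no permission is found or authentication fails
# usable permission values are therefore 1..254, the 254 kinds mentioned above

def encode_avp(avp_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: type (1 byte), length including the header (1 byte), value."""
    if not 0 <= avp_type <= 255 or len(value) > 253:
        raise ValueError("attribute does not fit the type/length fields")
    return bytes([avp_type, 2 + len(value)]) + value

def encode_access_permission(value: int, width: int = 1) -> bytes:
    """Access-Permission AVP; width=1 gives length 3, width=2 the extended 2-byte form."""
    if not 0 <= value < 256 ** width:
        raise ValueError("permission value does not fit the value field")
    return encode_avp(ACCESS_PERMISSION, value.to_bytes(width, "big"))

def parse_avps(payload: bytes) -> dict:
    """Walk an attribute list and return {type: raw value}; reject malformed lengths."""
    avps, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        avp_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("invalid attribute length")
        avps[avp_type] = payload[i + 2:i + length]
        i += length
    return avps

# Constructed permission database: (username, password) -> access permission value,
# so the same username with different passwords yields different permissions.
PERMISSION_DB = {("admin", "testA"): 1, ("admin", "testB"): 2}

# Constructed billing table: access permission value -> rate per unit of online time.
BILLING_RATE = {1: 0.5, 2: 0.2}

def handle_access_request(request_avps: dict, password: str) -> tuple:
    """Server side of S302-S305. Returns (code, response attribute bytes).

    `password` is the User-Password already un-hidden as RFC 2865 section 5.2
    describes; that step is outside this example.
    """
    if USER_NAME not in request_avps:
        return "Access-Reject", encode_access_permission(PERMISSION_ERROR)
    username = request_avps[USER_NAME].decode("utf-8", "replace")
    # S302: the permission database is consulted only when the request carries
    # the access permission identifier (type 224, value 0).
    asked = request_avps.get(ACCESS_PERMISSION) == bytes([PERMISSION_REQUEST])
    permission = PERMISSION_DB.get((username, password))
    if permission is None:
        # S304: nothing configured for this user information -> Access-Reject with 255.
        return "Access-Reject", encode_access_permission(PERMISSION_ERROR)
    if not asked:
        return "Access-Accept", b""     # plain RFC 2865 behaviour, nothing extra
    # S305: Access-Accept whose value field carries the permission found.
    return "Access-Accept", encode_access_permission(permission)

def permission_from_response(code: str, response_avps: bytes):
    """Client side: the permission value, or None when the login must be refused."""
    if code != "Access-Accept":
        return None
    raw = parse_avps(response_avps).get(ACCESS_PERMISSION)
    if raw is None:
        return None
    value = int.from_bytes(raw, "big")
    return None if value in (PERMISSION_REQUEST, PERMISSION_ERROR) else value

def billing_rate_for_accounting(accounting_avps: bytes) -> float:
    """S307: read the same AVP from the Accounting-Request and pick the rate."""
    raw = parse_avps(accounting_avps).get(ACCESS_PERMISSION)
    if raw is None:
        raise ValueError("accounting request without access permission identifier")
    value = int.from_bytes(raw, "big")
    if value in (PERMISSION_REQUEST, PERMISSION_ERROR):
        raise ValueError("reserved value in accounting request")
    return BILLING_RATE[value]

def round_trip(username: str, password: str):
    """Whole S301-S307 exchange for one login; returns (permission, rate) or (None, None)."""
    request = encode_avp(USER_NAME, username.encode()) + encode_access_permission(PERMISSION_REQUEST)
    code, response = handle_access_request(parse_avps(request), password)
    permission = permission_from_response(code, response)
    if permission is None:
        return None, None
    accounting = encode_avp(USER_NAME, username.encode()) + encode_access_permission(permission)
    return permission, billing_rate_for_accounting(accounting)

if __name__ == "__main__":
    print(round_trip("admin", "testA"))   # (1, 0.5)
    print(round_trip("admin", "testB"))   # (2, 0.2)
    print(round_trip("admin", "wrong"))   # (None, None)
```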
  • FIG. 4A is a schematic diagram 2 of a network architecture of a method for obtaining rights according to an embodiment of the present application.
  • the Customer Premises Equipment (CPE) 130 and the Internet of Things terminal in this embodiment may be used as an alternative implementation of the resource device 11 and the resource requester 10 shown in FIG. 1A, respectively.
  • An accessible page on the home gateway can be used as an example of an accessible resource on the resource device 11.
  • the authentication server 12 may be a radius server or another authentication server.
  • based on the network architecture shown in FIG. 4A, the embodiment of the present application provides a method for obtaining a privilege. FIG. 4B is a second schematic diagram of an interaction process of the method for obtaining a privilege according to an embodiment of the present application. As shown in FIG. 4B, the steps in this embodiment include:
  • S401 The Internet of Things terminal sends a login request carrying the user information to the CPE.
  • the login request can be used to request access to an accessible page on the CPE.
  • the IoT terminal can obtain a login page developed by the Web User Interface (WEB UI) technology from the CPE after establishing a communication connection with the CPE, and the user can input the user information through the WEB UI.
  • the information can be, for example, a username and a password.
  • the Internet of Things terminal can carry the user information in the login request and send it to the CPE.
  • the accessible page may be a page for configuring parameters of the CPE.
  • the Internet of Things terminal can establish a communication connection with the CPE in various ways.
  • for example, a communication connection can be established with the CPE based on a long range (LoRa) network, a network cable, or a WiFi network.
  • the Internet of Things terminal can be, for example, a camera, a scanner, a printer, a projector, or the like.
  • S402 The CPE sends a permission acquisition request carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access authority corresponding to the user information.
  • the authentication server can be a radius server, and the CPE can send a permission acquisition request to the radius server through the radius client.
  • a radius client can be deployed on the CPE; after receiving the login request of the Internet of Things terminal, the radius client sends the permission acquisition request to the radius server.
  • the privilege acquisition request may be an access request message (Access-Request).
  • S403 The authentication server sends a permission acquisition response carrying the access authority corresponding to the user information to the CPE.
  • the permission acquisition response is an access success response message (Access-Accept).
  • S404 The CPE determines, according to the access authority corresponding to the user information, the accessible page on the CPE corresponding to the Internet of Things terminal.
  • S405 The CPE sends an accessible page to the Internet of Things terminal.
  • the privilege acquisition request may further be used to obtain access authority information corresponding to the user information; then S303 and S304 may be replaced by: the authentication server sends to the CPE a permission acquisition response carrying the access authority information corresponding to the user information.
  • the CPE may determine, according to the access authority information, an accessible page corresponding to the IoT terminal on the CPE.
  • the privilege acquisition request may be an access request message whose AVP field has a type field value of 224 and a value field value of 0; the privilege acquisition response may be an access success response packet whose AVP field has a type field value of 224 and whose value field carries the access authority information corresponding to the user information.
  • different access rights information may correspond to different accessible pages on the home gateway.
  • an accessible page corresponding to a normal user right may be a configuration page of a common parameter.
  • the accessible page corresponding to the administrator authority can be the configuration page of the advanced parameter.
  • the accessible page corresponding to the super user right can be the configuration page of the internal parameters of the device manufacturer.
  • the user information corresponding to the different rights does not need to be stored in the home gateway, that is, the device manufacturer of the home gateway does not need to store the super user account and the corresponding password on the home gateway, which ensures that the super user account and password set by the device manufacturer cannot be cracked from the information stored in the home gateway.
  • the user information may include a user name and a password
  • different user names may correspond to different access rights information
  • the combination of the same user name and different passwords may also correspond to different access rights information.
  • the user information may also be a Media Access Control (MAC) address and a password of the Internet of Things terminal; the MAC address is also referred to as a physical address or hardware address, and the combination of the same MAC address with different passwords may correspond to the same or different access rights information.
  • in this way the user name of the IoT terminal can be configured on the authentication server without planning user names. Since the user information does not need to be transmitted over the network, exposure of the user information during the authentication process can be avoided.
  • FIG. 5 is a second schematic diagram of a processing flow of a method for obtaining rights according to an embodiment of the present application. As shown in FIG. 5, the steps in this embodiment may include:
  • S501 The CPE provides a login interface to obtain a username and password.
  • the user or the administrator can log in through the web UI or Secure Shell (SSH) login interface provided by the CPE via the Internet of Things terminal, and input the username and password.
  • S502 The CPE checks whether the username and password comply with the character specification. If yes, execute S503; if no, execute S508.
  • the validity of the username and password can be checked by the login module of the CPE; for example, whether the length of the username or password is legal.
  • S503 The CPE starts the radius client, and sends an authentication request packet carrying the access permission identifier to the radius server.
  • the CPE login module may send an internal message to notify the radius client of the corresponding username and password.
  • the authentication request packet sent by the radius client may be an access request packet (Access-Request), and the AVP field in the access request packet includes an access permission identifier (Access-Permission field).
  • the AVP field carrying the access permission identifier in the access request message is parsed by a network packet analysis tool as follows:
  • the access request message is used to request access rights information corresponding to the user information.
  • S504 The radius server receives the authentication request packet and queries the permission database.
  • the radius server receives the access request packet; the packet interaction of the authentication process is consistent with RFC 2865.
  • the radius server adds, for the access permission identifier field, a permission database query operation and queries the permission configuration data corresponding to the username.
  • S505 The radius server determines whether the access authority corresponding to the user is queried in the permission database, and if yes, executes S506, and if not, executes S507.
  • S506 The radius server sends an access success response packet carrying the access permission identifier to the radius client.
  • the radius server can place the queried user permission in the access success response packet to be returned.
  • the radius client can notify the CPE login module to open a different login interface to the user according to the corresponding user rights, and the login process ends.
  • S507 The radius server sends an access reject response packet to the radius client.
  • the radius server finds no access permission information corresponding to the username.
  • the radius server may consider that, although the username and password are verified, the username cannot be matched to a corresponding access permission on the CPE, and the radius server may also return an access denied message to the radius client.
  • the radius client can notify the CPE login module that no permission corresponding to the username and password was obtained, and no login interface is opened to the user.
  • the login module can deny the login of this user, and the login process ends here.
  • the CPE can re-populate the web UI window and prompt the user of the IoT terminal to re-enter the username and password.
  • the radius server may also send to the radius client an access success response packet whose AVP value field carries the value 255.
  • the permission acquisition method provided by the embodiment of the present application can be applied to a network architecture of the French MF259 project similar to that shown in FIG. 5A, which provides a more secure and convenient way of centralized authority management.
  • mainly the authentication and authorization functions of radius are applied, that is, the accounting request message related to the accounting function of radius may not be triggered after the access success response message.
  • the method for obtaining rights obtained by the embodiments of the present application has good technical effects in three aspects of security, storage, and load.
  • the privilege function is no longer controlled by each resource device or terminal device, but is managed uniformly.
  • all user information stored on terminal devices may be at risk of leakage. For example, in some Internet of Things networks, such as the LoRa network of a project in France, the IoT terminal establishes a communication connection with the home gateway.
  • in this embodiment, the authentication process for requesting access to the available resources on the CPE is performed by the radius server.
  • managing this process per CPE is too burdensome for the enterprise, so a set of user names can be configured, each with different permissions, so that when a terminal device in the LoRa network is logged in with a user name, the rights corresponding to that user name are obtained.
  • in this way, different terminal devices logged in with the same user name obtain the same access rights information, and different access rights are obtained by logging in to the same terminal device with different user names. That is, the enterprise only needs to manage a small amount of authentication data corresponding to the user names and a small amount of authority data corresponding to the user names and passwords, so that managing the user data for logging in to a massive number of CPEs is more concise and flexible. Moreover, in this embodiment, since the authentication data and the authority data corresponding to the user information are stored by the radius server, the enterprise only needs to ensure the security of the radius server and no longer needs to consider the security of each terminal device; for the enterprise, the loss of one terminal device will not cause a security problem for the entire network.
  • the user authentication and permission data are stored in the radius server, that is, only one server needs to be set.
  • the user rights information data on the mass terminal device can be stored on the server, thereby reducing the storage cost of the single device on the stored data.
  • the complexity here mainly involves the complexity of user rights change operations.
  • for a small number of devices the complexity of user rights changes is not serious, but for Internet of Things terminals the workload of user rights changes is very large: in the Internet of Things, in order to meet network management needs, the accessible resources of the IoT terminals on the home gateway must be changed, and if the user information and the corresponding accessible resources are still stored on the home gateway, the data of the accessible resources corresponding to the user information stored on each home gateway needs to be modified one by one.
  • the method for storing the privilege data in the RADIUS server for unified management is provided in this embodiment.
  • the extended AVP field in this embodiment obtains the modified access authority information corresponding to the user information, and the accessible resource corresponding to that access rights information is opened to the user who logs in with the user information.
  • FIG. 6A is a third schematic diagram of a network architecture of a method for obtaining rights according to an embodiment of the present application.
  • the terminal device 130 in this embodiment can be used as an alternative implementation of the resource device shown in FIG. 1A.
  • the available resources on the terminal device 130 may be pre-installed applications (Applications, APPs) on the terminal device 130, and the resource requesters may be users requesting to use the APPs on the terminal devices 130.
  • the authentication server 12 may be a Radius server or another authentication server.
  • FIG. 6B is a third schematic flowchart of a process for obtaining a permission in the embodiment of the present application. As shown in FIG. 6B, the steps of this embodiment include:
  • the terminal device enters a user information acquisition state after receiving an activation operation for instructing activation of an APP on the terminal device.
  • the terminal device may enter the user information acquisition state when it detects a request to enable the APP; for example, the terminal device can detect a click on the icon of an APP that requires permission control on the screen.
  • the user information acquisition state may be a pop-up user information acquisition window or the like, or the input device on the terminal device enters a state of waiting for access input information, and the input device may be, for example, a touch screen, a microphone, or the like. This application does not limit this.
  • the APP may be an application installed in an Android operating system through an Android installation package, for example a client such as WeChat, Weibo or Taobao, or software provided by the operating system, for example photo library software, camera software, or positioning setting software.
  • the terminal device may pre-configure an APP set that needs to perform permission control, and the terminal device may enter the user information acquiring state only when the APP requested by the user is an APP in the APP set.
  • the terminal device receives user information in a state in which the user information is acquired.
  • the user information may include a user name and a password, or the user information may include a fingerprint, or the user information may include a sound, an iris, and the like, which is not limited in the embodiment of the present application.
  • the terminal device sends a permission acquisition request for carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access authority corresponding to the user information.
  • the privilege acquisition request may be further used to obtain the access authority information corresponding to the user information.
  • correspondingly, receiving the privilege acquisition response that the authentication server sends to the terminal device according to the privilege acquisition request and that carries the access authority corresponding to the user information includes: receiving a privilege acquisition response sent by the authentication server that carries the access privilege information corresponding to the user information; and determining whether to enable the application according to the set of applications allowed to be enabled corresponding to the access authority includes: determining whether to enable the application according to the set of allowed applications corresponding to the access permission information, where different access permission information corresponds to different sets of applications allowed to be enabled.
  • the authentication server sends a permission acquisition response carrying the access authority corresponding to the user information to the terminal device.
  • the access authority corresponding to the user information may be "has access right" when authentication succeeds or "no access right" when authentication fails, or the access authority corresponding to the user information may be different access authority information. Different access rights or access rights information may correspond to different accessible resources on the terminal device.
  • the terminal device may configure that the accessible resources on the terminal device corresponding to "has access right" are all APPs in the APP set.
  • the terminal device may further configure that the accessible resources on the terminal device corresponding to "no access right" are none of the APPs in the APP set.
  • the terminal device may further configure that the accessible resources on the terminal device corresponding to lower access authority information are part of the APPs in the APP set.
  • the terminal device may also configure that the accessible resources on the terminal device corresponding to the highest access authority information are all APPs in the APP set.
  • the terminal device may configure different accessible resources for different access rights by using a combination of any one or more of the foregoing configuration manners.
  • the terminal device determines whether the APP is enabled according to the set of applications allowed to be enabled corresponding to the access authority.
  • the terminal device may determine whether the APP requested to be enabled belongs to the allowed application set configured for the access authority corresponding to the user information; if yes, the terminal device enables the APP, and if not, the terminal device may output corresponding rejection information. Exemplarily, the terminal device may pop up a prompt on the display screen that the user does not have permission to use the APP, and prohibit the APP from being enabled.
  • the APP enters the login process of the APP itself. For example, the WeChat APP can authenticate the account information of the WeChat user according to the default startup process, and display the dialog list page of the WeChat user after the authentication is passed.
  • the authentication server may be a radius server, and the terminal device may be configured with a radius client. After detecting the enable request, the terminal device may start the radius client and pass the obtained user information to the radius client, which sends it to the radius authentication server.
  • the associated authentication process is similar to that shown in Figures 1A-2B.
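The decision a resource device makes from the permission acquisition response, as an added example (not code from the patent) that serves both the CPE login flow of FIG. 5 (S502, S506 to S508) and the APP enabling flow of FIG. 6B above. The radius exchange is modelled as a callable returning (code, value of the value field); the page table, APP set and length limits are constructed assumptions.

```python
# Added example (not the patent's own code): turning the permission acquisition
# response into an access decision on the resource device, for the CPE pages of
# FIG. 5 and the APP set of FIG. 6B. CPE_PAGES, APP_SET, ALLOWED_APPS, the length
# limits and fake_radius_client are constructed for this illustration.

PERMISSION_ERROR = 255          # value field carrying "no permission found"

def credentials_well_formed(username: str, password: str) -> bool:
    """S502: character specification check done by the CPE login module before
    the radius client is started (limits assumed for this example)."""
    if not (1 <= len(username) <= 63 and 1 <= len(password) <= 63):
        return False
    return username.isprintable() and password.isprintable() and " " not in username

# Constructed CPE policy: permission value -> accessible configuration page.
CPE_PAGES = {
    1: "common-parameters",        # normal user
    2: "advanced-parameters",      # administrator
    3: "manufacturer-internal",    # super user
}

# Constructed terminal-device policy: the APP set under permission control and
# the subset each permission value may enable (none / part / all of the set).
APP_SET = frozenset({"WeChat", "Weibo", "Taobao", "Camera"})
ALLOWED_APPS = {
    1: frozenset({"Camera"}),
    2: frozenset({"Camera", "WeChat", "Weibo"}),
    3: APP_SET,
}

def resolve_permission(radius_client, username: str, password: str):
    """Common part of both flows: the permission value, or None to refuse access.
    radius_client(username, password) -> (code, value of the value field)."""
    if not credentials_well_formed(username, password):
        return None                                   # S508: re-prompt, no server round trip
    code, value = radius_client(username, password)
    if code != "Access-Accept" or value in (None, 0, PERMISSION_ERROR):
        return None                                   # S507, or Access-Accept carrying 255
    return value

def cpe_login(radius_client, username: str, password: str):
    """FIG. 5: the page to open for this login, or None to re-populate the login window."""
    permission = resolve_permission(radius_client, username, password)
    return CPE_PAGES.get(permission) if permission is not None else None

def may_enable_app(radius_client, username: str, password: str, app: str) -> bool:
    """FIG. 6B: APPs outside the controlled set start directly; the others only
    when the allowed set for the permission contains them."""
    if app not in APP_SET:
        return True
    permission = resolve_permission(radius_client, username, password)
    if permission is None:
        return False
    return app in ALLOWED_APPS.get(permission, frozenset())

def fake_radius_client(username: str, password: str):
    """Stand-in for the radius client exchange with constructed server answers."""
    table = {("admin", "testA"): 1, ("admin", "testB"): 2, ("root", "s3cret"): 3}
    value = table.get((username, password))
    return ("Access-Accept", value) if value else ("Access-Reject", PERMISSION_ERROR)

if __name__ == "__main__":
    print(cpe_login(fake_radius_client, "admin", "testA"))                 # common-parameters
    print(cpe_login(fake_radius_client, "admin", "nope"))                  # None
    print(may_enable_app(fake_radius_client, "admin", "testA", "WeChat"))  # False
```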
  • the privilege acquisition method provided by the embodiment of the present application can be applied not only to the scenario in which the user requests to enable the APP on the terminal device, but also to the scenario in which the external device requests to enable the APP on the terminal device. It should be noted that the external device can establish a communication connection with the terminal device through a software or hardware interface.
  • a "secure phone” application can be installed on the mobile phone, and a radius client can be built in the application.
  • the owner of the mobile phone can pre-set one or more APPs that require permission control on the "Secure Phone” application, which may also include the “Secure Phone” application.
  • these APPs are no longer controlled by the phone alone; before each login with the APP's own account, the phone's own centralized authority authentication is performed. For example, the "Secure Phone" application can monitor the commands that enable these APPs; when an enable command is detected, the "Secure Phone" application can authenticate the user of the phone before the account of the APP to be enabled logs in.
  • it should be noted that the account login of the APP itself is usually implemented by interacting with the authentication server corresponding to the APP; that is, the rights authentication initiated by the "Secure Phone" application and the account login of the APP under permission control are independent authentication processes.
  • when the "Secure Phone" application detects that APP1 has received an open command and entered the running state, the user must first input the username and password of the "Secure Phone" application for permission authentication before inputting the username and password for APP1's own login. The "Secure Phone" application, acting as the radius client, then sends the access request message to the radius authentication server and receives the access success response message sent by the radius server; the access request message and the access success response message can carry the AVP field containing the access permission identifier. If the authorization authentication fails, the "Secure Phone" application closes APP1; if it passes, APP1 is opened.
  • an illegal user who does not have the rights management password of the mobile phone, such as the username and password of the "Secure Phone" application, cannot operate the APPs that require authentication.
  • if the mobile phone owner simply configures the radius server to refuse any permission authentication request from the mobile phone, the mobile phone cannot open the APPs that need permission. It can be seen that the permission acquisition method provided in this embodiment can well maintain the security of the private information stored in the mobile phone.
  • the owner of the mobile phone usually sets default login information used when an APP logs in. However, when the mobile phone is stolen, an illegal user can also log in with the default login information when using the APP, and the private information stored in the APP may be stolen.
  • with the permission obtaining method, if an illegal user or a user with lower access rights wants to open an APP on the mobile phone, the mobile phone can have a third-party authentication server authenticate the user when it receives the request to enable the APP, that is, only a user who passes the authentication server's authentication or who is authenticated as having the corresponding access authority is allowed to use the APP, thereby avoiding the loss of private data stored in the APP. It can be seen that the privilege acquisition method provided in this embodiment can improve the security of data stored in a terminal device such as a mobile phone.
  • FIG. 7 is a schematic structural diagram 1 of the privilege acquisition device in the embodiment of the present application.
  • the privilege acquisition device 70 includes:
  • the first sending module 701 is configured to send, to the remote user dialing authentication system (radius) server, a permission obtaining request that carries the user information, where the right obtaining request is used to obtain the access right information corresponding to the user information;
  • the first receiving module 702 is configured to receive a rights acquisition response that is sent by the radius server and that carries the access rights information.
  • the access permission information may be used to determine an accessible resource corresponding to the user information, and different access rights information correspond to different accessible resources.
  • the rights obtaining device may be located on the home gateway side, then:
  • the first receiving module 702 is configured to receive a login request that is sent by the Internet of Things terminal and that carries the user information, where the login request is used to obtain an accessible resource on the home gateway;
  • the first sending module 701 may be configured to send an access request for carrying the user information to the authentication server, where the right obtaining request is used to obtain an access right corresponding to the user information;
  • the first receiving module 702 may be further configured to receive a rights acquisition response that is sent by the authentication server and that carries the access rights corresponding to the user information, and determine, according to the access rights, that the Internet of Things terminal is in the Corresponding accessible resources on the home gateway.
  • the rights acquiring device may be located on the terminal device side, then:
  • the first receiving module 702 may be configured to enter a user information acquiring state after receiving an enabling operation for initiating an application on the terminal device; and receiving user information in the user information acquiring state;
  • the first sending module 701 may be configured to send an access request for carrying the user information to the authentication server, where the right obtaining request is used to obtain an access right corresponding to the user information;
  • the first receiving module 702 may be further configured to receive a rights acquisition response that is sent by the authentication server and that carries the access rights corresponding to the user information, and determine, according to the set of applications that are allowed to be enabled corresponding to the access rights, Enable the app.
  • the privilege acquisition device of this embodiment may be used to perform the technical solution executed by the resource device or the radius client or the home gateway or the terminal device in which the radius client is deployed in the method embodiment shown in FIG. 1A to FIG.
  • the technical effects can be referred to the method shown in FIGS. 1A to 6.
  • FIG. 8 is a schematic structural diagram of the privilege acquisition device in the embodiment of the present application. As shown in FIG. 8 , the privilege acquisition device 80 includes:
  • the second receiving module 801 is configured to receive a permission acquisition request sent by the remote user dialing authentication system (radius) client, where the permission acquisition request is used to obtain the access permission information corresponding to the user information;
  • the second sending module 802 is configured to send, to the radius client, a rights acquisition response that carries the access rights information corresponding to the user information.
  • the privilege acquisition request may be an access request message (Access-Request) carrying the access permission identifier
  • the privilege acquisition response may be an access success response message (Access-Accept);
  • the access right information is used to determine an accessible resource corresponding to the user information, and different access rights information corresponds to different accessible resources.
  • the permission acquisition device of this embodiment may be used to perform the technical solution executed by the radius server in the method embodiments shown in FIG. 1A to FIG. 6;
  • its implementation principle and technical effects may be referred to the methods shown in FIG. 1A to FIG. 6.
  • FIG. 9 is a schematic structural diagram of the resource device in the embodiment of the present application. As shown in FIG. 9, the resource device 90 includes a memory 903, a processor 904, and a permission acquisition program stored on the memory 903 and executable on the processor 904 (not shown in the figure), wherein the processor implements the following steps when executing the program:
  • sending a permission acquisition request carrying user information to the radius server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response sent by the radius server that carries the access permission information;
  • the access permission information is used to determine an accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
  • the resource device 90 may further include an interface 901 and a bus 902; the interface 901, the memory 903 and the processor 904 are connected by the bus 902.
  • the interface 901 can be used to establish a communication connection with the authentication server.
  • the interface may be a wired transmission interface or a wireless transmission interface.
  • the interface 901 can also be used to obtain a resource access request of the resource requester, and the interface can also be an input device capable of receiving an instruction.
  • the interface may be a transmit or receive antenna or may be implemented by a program module integrated in a digital circuit processor.
  • when the program is executed by the processor 904, the following steps may also be implemented: before sending the permission acquisition request carrying the user information to the radius server, receiving a resource access request carrying the user information, where the resource access request is used to obtain the accessible resource corresponding to the user information on the resource device; and after receiving the permission acquisition response sent by the radius server that carries the access permission information, determining, according to the access permission information, the accessible resource corresponding to the user information on the resource device.
  • the resource device 90 may be a home gateway, a terminal device, or the like.
  • if the resource device 90 is a home gateway, the program, when executed by the processor 904, further implements the following steps: the home gateway receives a login request sent by the Internet of Things terminal that carries the user information, where the login request is used to obtain an accessible resource on the home gateway; sends a permission acquisition request carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access permission corresponding to the user information; receives the permission acquisition response sent by the authentication server that carries the access permission corresponding to the user information; and determines, according to the access permission, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
  • if the resource device 90 is a terminal device, the program, when executed by the processor 904, further implements the following steps: the terminal device enters a user information acquisition state after receiving an activation operation for starting an application on the terminal device; receives user information in the user information acquisition state; sends a permission acquisition request carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access permission corresponding to the user information; receives the permission acquisition response sent by the authentication server that carries the access permission corresponding to the user information; and determines whether to enable the application according to the set of applications allowed to be enabled corresponding to the access permission.
  • the permission acquisition device of the present embodiment can be used to perform the technical solution executed by the resource device in the method embodiments shown in FIG. 1A to FIG. 6;
  • its implementation principle and technical effects can be referred to the methods shown in FIG. 1A to FIG. 6.
  • FIG. 10 is a schematic structural diagram of the radius server in the embodiment of the present application. As shown in FIG. 10, the radius server 100 includes a memory 1003, a processor 1004, and a permission acquisition program stored on the memory 1003 and executable on the processor 1004 (not shown in the figure), wherein the processor implements the following steps when executing the program:
  • the radius server receives a permission acquisition request sent by the radius client that carries the user information, where the permission acquisition request is used to obtain the access permission information corresponding to the user information, and sends to the radius client a permission acquisition response carrying the access permission information corresponding to the user information.
  • the processor 1004 may implement the following steps when executing the program: the radius server receives an access request message (Access-Request) sent by the radius client that carries the user information and the access permission identifier, and sends to the radius client an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
  • the access rights information may be used to determine an accessible resource corresponding to the user information, and different access rights information correspond to different accessible resources.
  • the radius server 100 may further include an interface 1001 and a bus 1002.
  • the interface 1001, the memory 1003 and the processor 1004 are connected by a bus 1002.
  • the interface 1001 can be used to establish a communication connection with a radius client or a resource device.
  • the interface 1001 can be a wired transmission interface or a wireless transmission interface.
  • interface 1001 may be a transmit or receive antenna or may be implemented by a program module integrated in a digital circuit processor.
  • the permission acquisition device of this embodiment may be used to perform the technical solution executed by the radius server in the method embodiments shown in FIG. 1A to FIG. 6;
  • its implementation principle and technical effects may be referred to the methods shown in FIG. 1A to FIG. 6.
  • in practical applications, the processor may be implemented by a Central Processing Unit (CPU), a Micro Processor Unit (MPU), a Digital Signal Processor (DSP) or a Field Programmable Gate Array (FPGA) located in the terminal.
  • the embodiment of the present application further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute: sending a permission acquisition request carrying user information to the radius server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response sent by the radius server that carries the access permission information.
  • the access permission information may be used to determine an accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
  • the embodiment further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute: the radius server receives a permission acquisition request sent by the radius client that carries the user information, where the permission acquisition request is used to obtain the access permission information corresponding to the user information, and sends to the radius client a permission acquisition response carrying the access permission information corresponding to the user information.
  • the permission acquisition program may be configured to execute: the radius server receives an access request message (Access-Request) sent by the radius client that carries the user information and the access permission identifier, and sends to the radius client an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
  • the access permission information may be used to determine an accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
  • the embodiment further provides a storage medium storing a permission acquisition program, wherein the permission acquisition program is configured to execute:
  • the home gateway receives a login request sent by the Internet of Things terminal that carries user information, where the login request is used to obtain an accessible resource on the home gateway; sends a permission acquisition request carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access permission corresponding to the user information; receives the permission acquisition response sent by the authentication server that carries the access permission corresponding to the user information; and determines, according to the access permission, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
  • the embodiment further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute: the terminal device, after receiving an activation operation for starting an application on the terminal device, enters a user information acquisition state; receives user information in the user information acquisition state; sends a permission acquisition request carrying the user information to the authentication server, where the permission acquisition request is used to obtain the access permission corresponding to the user information; receives a permission acquisition response sent by the authentication server that carries the access permission corresponding to the user information; and determines, according to the set of applications allowed to be enabled corresponding to the access permission, whether to enable the application.
  • computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data.
  • computer storage media include, but are not limited to, RAM, ROM, EEPROM, Flash or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • An embodiment of the present application provides a method, an apparatus, a device, and a storage medium for obtaining a privilege.
  • the accessible resource corresponding to the user information is obtained by the radius server set on the network side according to the user information and the privilege data stored in the radius server.
  • An unauthorized user cannot obtain the permission data stored on the radius server, so that the illegal user cannot obtain the resources on the resource device.


Abstract

A permission acquisition method, including: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (radius) server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response sent by the radius server that carries the access permission information.

Description

Permission acquisition method, apparatus, device and storage medium
Technical field
This application relates to, but is not limited to, the field of communication technology, and in particular to a permission acquisition method, apparatus, device and storage medium.
Background
A device that stores accessible or usable resources may be called a resource device; a resource device can provide the resources on it to a resource requester.
When a resource requester asks to access or use a resource on the resource device, the resource device authenticates the requester against the permission data of legitimate users that it stores in advance; if authentication passes, it provides the resource on the resource device to the requester having a legitimate user identity.
However, when the permission data of legitimate users is stored on the resource device, once the resource device is stolen or subjected to a network attack, an illegitimate user may still obtain the resources on the resource device, which poses a great security risk.
Summary
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of this application provide a permission acquisition method, apparatus, device and storage medium that can prevent illegitimate users from obtaining resources stored on a resource device.
In a first aspect, an embodiment of this application provides a permission acquisition method, including: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (radius) server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response sent by the radius server that carries the access permission information.
In an exemplary implementation, before sending the permission acquisition request carrying the user information to the radius server, the method may further include: receiving a resource access request carrying the user information, where the resource access request is used to obtain the accessible resource on the resource device corresponding to the user information; correspondingly, after receiving the permission acquisition response sent by the radius server that carries the access permission information, the method may further include: determining, according to the access permission information, the accessible resource on the resource device corresponding to the user information.
In an exemplary implementation, the resource device may be a home gateway, and receiving the resource access request carrying the user information may include: receiving a login request sent by an Internet of Things (IoT) terminal that carries the user information, where the login request is used to request the accessible resource on the home gateway corresponding to the user information; determining, according to the access permission information, the accessible resource on the resource device corresponding to the user information may then include: determining, according to the access permission information, the accessible resource on the home gateway corresponding to the IoT terminal.
In an exemplary implementation, the user information may include the Media Access Control (MAC) address and a password of the IoT terminal, where the same MAC address combined with different passwords corresponds to the same or different access permission information.
In an exemplary implementation, the resource device may be a terminal device and the accessible resource a set of applications allowed to be enabled; in that case, before sending the permission acquisition request carrying the user information to the radius server, the method may further include: entering a user information acquisition state after receiving an enable operation for starting an application on the terminal device; and receiving user information in the user information acquisition state; and after receiving the permission acquisition response sent by the radius server that carries the access permission information, the method may further include: determining, according to the set of applications allowed to be enabled corresponding to the access permission information, whether to enable the application.
In an exemplary implementation, the user information may include a username and a password, where the same username combined with different passwords corresponds to different access permission information.
In an exemplary implementation, sending the permission acquisition request carrying the user information to the radius server may include: sending to the radius server an access request message (Access-Request) carrying the user information and an access permission identifier; and receiving the permission acquisition response sent by the radius server that carries the access permission information may include: receiving an access accept message (Access-Accept) sent by the radius server that carries the access permission information.
In an exemplary implementation, after receiving the access accept message (Access-Accept) sent by the radius server that carries the access permission information, the method may further include: sending to the radius server an accounting request message (Accounting-Request) carrying the access permission information, where the accounting request message is used to request the radius server to determine, according to the access permission information, at least one of the charging mode and the charging rate corresponding to the user information.
In an exemplary implementation, the access request message may contain an attribute value pair (AVP) field whose type number (type) represents the access permission identifier.
In a second aspect, an embodiment of this application provides a permission acquisition method, including: a Remote Authentication Dial In User Service (radius) server receives a permission acquisition request sent by a radius client that carries user information, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and sends to the radius client a permission acquisition response carrying the access permission information corresponding to the user information.
In an exemplary implementation, the radius server receiving the permission acquisition request sent by the radius client that carries the user information may include: the radius server receives an access request message (Access-Request) sent by the radius client that carries the user information and an access permission identifier; and sending to the radius client the permission acquisition response carrying the access permission information corresponding to the user information may include: sending to the radius client an access accept message (Access-Accept) carrying the access permission information corresponding to the user information.
In an exemplary implementation, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In an exemplary implementation, after sending to the radius client the access accept message (Access-Accept) carrying the access permission information corresponding to the user information, the method may further include: receiving an accounting request message (Accounting-Request) sent by the radius client that carries the access permission information; and determining, according to the access permission information, at least one of the charging mode and the charging rate corresponding to the user information.
In a third aspect, an embodiment of this application provides a permission acquisition apparatus, including: a first sending module, configured to send a permission acquisition request carrying user information to a radius server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and a first receiving module, configured to receive a permission acquisition response sent by the radius server that carries the access permission information.
In a fourth aspect, an embodiment of this application provides a permission acquisition apparatus, including: a second receiving module, configured to receive a permission acquisition request sent by a radius client that carries user information, where the permission acquisition request is used to obtain the access permission information corresponding to the user information; and a second sending module, configured to send to the radius client a permission acquisition response carrying the access permission information corresponding to the user information.
In an exemplary implementation, the access permission information is used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In a fifth aspect, an embodiment of this application provides a resource device, including:
a memory, a processor, and a permission acquisition program stored on the memory and executable on the processor, where the processor implements the permission acquisition method of any implementation of the first aspect when executing the program.
In a sixth aspect, an embodiment of this application provides a Remote Authentication Dial In User Service authentication server, including: a memory, a processor, and a permission acquisition program stored on the memory and executable on the processor, where the processor implements the permission acquisition method of any implementation of the second aspect when executing the program.
In a seventh aspect, an embodiment of this application provides a computer readable storage medium storing a permission acquisition program, where the permission acquisition program, when executed by a processor, implements the steps of the permission acquisition method of any implementation of the first aspect or any implementation of the second aspect.
In the permission acquisition method provided by the embodiments of this application, a permission acquisition request carrying user information is sent to the radius server, the request being used to obtain the access permission information corresponding to the user information, and a permission acquisition response carrying the access permission information is received from the radius server. Because the accessible resource corresponding to the user information is obtained through authentication by a radius server on the network side, based on the user information and the permission data stored on the radius server, and an illegitimate user cannot obtain the permission data stored on the radius server, the illegitimate user cannot obtain the resources on the resource device.
Other aspects will become apparent after reading and understanding the drawings and the detailed description.
Brief description of the drawings
FIG. 1A is a first schematic diagram of the network architecture of the permission acquisition method in an embodiment of this application;
FIG. 1B is a schematic flowchart of the permission acquisition method implemented on the basis of a radius server in an embodiment of this application;
FIG. 2A is a first schematic diagram of the interaction flow of the permission acquisition method in an embodiment of this application;
FIG. 2B is a schematic diagram of the format of the attribute value pair field in the permission acquisition method in an embodiment of this application;
FIG. 3 is a first schematic diagram of the processing flow of the permission acquisition method in an embodiment of this application;
FIG. 4A is a second schematic diagram of the network architecture of the permission acquisition method in an embodiment of this application;
FIG. 4B is a second schematic diagram of the interaction flow of the permission acquisition method in an embodiment of this application;
FIG. 5 is a second schematic diagram of the processing flow of the permission acquisition method in an embodiment of this application;
FIG. 6A is a third schematic diagram of the network architecture of the permission acquisition method in an embodiment of this application;
FIG. 6B is a third schematic diagram of the processing flow of the permission acquisition method in an embodiment of this application;
FIG. 7 is a first schematic structural diagram of the permission acquisition apparatus in an embodiment of this application;
FIG. 8 is a second schematic structural diagram of the permission acquisition apparatus in an embodiment of this application;
FIG. 9 is a schematic structural diagram of the resource device in an embodiment of this application;
FIG. 10 is a schematic structural diagram of the radius server in an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings of the embodiments.
FIG. 1A is a first schematic diagram of the network architecture of the permission acquisition method in an embodiment of this application. As shown in FIG. 1A, the network architecture of this embodiment may include a resource requester 10, a resource device 11 and an authentication server 12. The resource device 11 may be a device such as a home gateway or a terminal device such as a mobile phone, and the resource requester 10 may be another device or a user, for example an IoT terminal. The resource device 11 can provide the resource requester 10 with the accessible resources corresponding to the access permission of the resource requester 10.
In this embodiment, the resource requester 10 may send a resource access request carrying user information to the resource device 11; the resource access request may be a login request for the accessible resource on the resource device corresponding to the user information. The resource device 11 may send a permission acquisition request carrying the user information to the authentication server 12 in order to obtain the access permission corresponding to the user information, as determined by the authentication server 12 from the user information; the resource device 11 then determines, from the access permission corresponding to the user information, the resources on the resource device 11 that the user information is allowed to access, and allows the resource requester 10 to use those resources. In other embodiments of this application, the resource access request sent by the resource requester 10 to the resource device 11 may also be an enable request for enabling a certain resource on the resource device 11. After receiving such a request, the resource device 11 may trigger the resource requester 10 to report user information; the resource device 11 may then obtain the access permission corresponding to the user information from the authentication server 12 and determine from it whether the resource requester 10 is allowed to enable the requested resource; if the requested resource belongs to the resources that this access permission allows to be used on the resource device 11, the resource requester 10 is allowed to enable the requested resource.
Since the storage of user data and the authentication process are performed by the authentication server 12, the resource device 11 does not need to store the data of all legitimate users, which avoids the loss of user data when the resource device 11 is lost or subjected to a network attack.
In this embodiment, the access permission corresponding to the user information may be access permission information, which may include at least one of an access permission level, an access permission scope, an access permission size and access permission content information. Different user information may correspond to the same or different access permission information, and different access permission information may correspond to different accessible resources on the resource device 11. The resource device 11 or the authentication server 12 may store the range of accessible resources, or the size or number of accessible resources, corresponding to each access permission level, so that the resource device 11 can provide the resource requester 10 with the corresponding accessible resources according to the access permission information corresponding to the user information. For example, the user information may include a username and a password. In one example, different user information may refer to different usernames, and different usernames may correspond to the same or different access permission information; in another example, different user information may refer to combinations of username and password, so that the same username combined with different passwords may also correspond to the same or different access permission information. These matching rules between user information and access permission information give the resource device 11 a more flexible way of controlling accessible resources.
In this embodiment, the authentication server 12 may be a Remote Authentication Dial In User Service (radius) server, in which case the resource device 11 can carry out the permission acquisition exchange with the radius server through a radius client. Note that the radius client may be deployed on the resource device 11 or may be located outside the resource device 11.
FIG. 1B is a schematic flowchart of the permission acquisition method implemented on the basis of a radius server in an embodiment of this application. The executing entity of this embodiment may be a resource device on which a radius client is deployed, a radius client deployed on the resource device, or a radius client deployed outside the resource device that has established a communication connection with the resource device. As shown in FIG. 1B, the steps of this embodiment may include:
S101: sending a permission acquisition request carrying user information to the radius server, where the permission acquisition request is used to obtain the access permission information corresponding to the user information.
In this embodiment, after the resource device 11 receives a resource access request carrying user information, the resource device 11 may send the permission acquisition request to the radius server through a radius client, or the radius client deployed on the resource device 11 may send it. For example, after receiving the resource access request, the resource device 11 may send an authentication request carrying the user information to the radius client, to trigger the radius client to start the authentication flow with the radius server.
S102: receiving a permission acquisition response sent by the radius server that carries the access permission information corresponding to the user information.
In this embodiment, the access permission information may be used to determine the accessible resource corresponding to the user information, and different access permission information corresponds to different accessible resources.
In this embodiment, the radius server authenticates and authorizes the user information against the authentication data and permission data of legitimate users that it stores; if authentication passes, it carries the access permission information corresponding to the user information in the permission acquisition response sent to the resource device 11 or to the radius client. The access permission information may be used to determine the accessible resource corresponding to the user information, and different access permission information may correspond to different accessible resources. The radius client may then pass the access permission information corresponding to the user information to the resource device 11 through the permission acquisition response. The resource device 11 can then determine, from the access permission information, the accessible resource on the resource device 11 corresponding to the user information, where different access permission information may correspond to different accessible resources on the resource device.
With the permission acquisition method of this embodiment, when a user wants to obtain an accessible resource on the resource device, the radius server first authenticates the user information used by the resource requester and determines the access permission information corresponding to the resource requester. Since different access permission information corresponds to different accessible resources, the data and resources stored on the resource device can only be opened to legitimate users who have access permission, which prevents illegitimate users from obtaining the data stored on the resource device.
In an exemplary embodiment of this application, the access request message (Access-Request) and the access accept message (Access-Accept) defined in the RFC2865 protocol of the Request For Comments (RFC) series may be used as alternative implementations of the permission acquisition request and the permission acquisition response respectively. FIG. 2A is a first schematic diagram of the interaction flow of the permission acquisition method in an embodiment of this application. As shown in FIG. 2A, the interaction between the radius client and the radius server may include:
S201: the radius client sends an access request message (Access-Request) to the radius server.
The Access-Request message may carry an access permission identifier (access-permission) and the user information, to indicate that the Access-Request message is used to request the access permission information corresponding to the user information. For example, this embodiment may extend the use of the type number (type) field of the Attribute Value Pairs (AVP) field, i.e. the attribute list field, defined by the RFC2865 protocol. Exemplarily, the Access-Request message contains an AVP field whose type number (type) represents the access permission identifier.
FIG. 2B is a schematic diagram of the format of the attribute value pair field in the permission acquisition method in an embodiment of this application. As shown in FIG. 2B, the AVP field may include a type number (type) field, a length field and a value field, where the type field is also called the radius type field. Exemplarily, the type field, the length field and the value field may each occupy one byte. In the description of the "Assigned Numbers" part of the RFC 6 protocol, the usage rules for the enumeration values of the type field of the AVP are defined as follows: values in the range 192 to 223 are reserved for experimental use, values in the range 224 to 240 are reserved for implementation-specific use, and values in the range 241 to 255 are reserved.
In this embodiment, the value of the type field can be used in an optimized way. For example, an AVP field whose type field is 224 can be carried in the Access-Request message to indicate that the Access-Request message is used to request access permission information; that is, the AVP field with type 224 can serve as the identifier of the message flow related to requesting access permission information, and this identifier may be called the access permission identifier (access permission). In other embodiments of this application, another value in the range 224 to 240 may also be used as the identifier indicating a request for access permission information. In one example, the value field in the Access-Request message may be 0.
S202: the radius server sends an access accept message (Access-Accept) to the radius client.
After the radius server authenticates the user information, if authentication passes, it carries the access permission information corresponding to the user information in the Access-Accept message sent to the radius client. Exemplarily, in the AVP field of the Access-Accept message the type field may be 224 and the value field may be the access permission information corresponding to the user information, for example any value from 1 to 254. In other embodiments of this application, if the radius server authenticates the user information successfully but finds no access permission information matching that user information in the permission database, it may carry in the Access-Accept message an AVP field whose type field is 224 and whose value field is 255, to indicate that no access permission information has been configured for that user information.
In other embodiments of this application, if after authenticating the user information the radius server determines that the user is illegitimate, i.e. the authentication result is failure, the radius server may also send to the radius client an access reject message (Access-Reject) carrying information identifying that the user information has no access permission. Exemplarily, in the AVP field of the Access-Reject message the type field may be 224 and the value field may be 255, to identify that the user information has no access permission information. In other embodiments of this application, the Access-Reject message may also carry no AVP field with a type field of 224.
In other embodiments of this application, after the radius server sends the Access-Accept message to the radius client, the following steps for starting the accounting flow may also be included:
S203: the radius client sends an accounting request message to the radius server.
The accounting request message (Accounting-Request) may carry the user information, and may also carry the access permission information corresponding to the user information. Exemplarily, in the AVP field of the Accounting-Request message the type field may be 224 and the value field may be the access permission information corresponding to the user information.
S204: the radius server sends an accounting response message to the radius client.
After the radius server sends the accounting response (Accounting-Response) to the radius client, the radius server may charge for the resource access operations related to the user information according to the access permission information corresponding to the user information. In this embodiment, different access permission information may correspond to at least one of a different charging mode and a different charging rate. The charging mode may, for example, be charging at rates that depend on the time period, or charging per use; the charging rate may, for example, be a resource usage rate per unit time.
This embodiment extends the RFC protocol and provides an interaction method for obtaining access permission information under the radius client and radius server authentication system architecture. Since radius servers are usually deployed on the core network side of the mobile network, using the radius server as the authentication server to obtain access permission information offers enterprises a secure and flexible solution for managing the accessible resources on a large number of resource devices. On the one hand, user authentication data need not be stored on the resource devices, so the loss of a single resource device does not cause the loss of all user authentication data. On the other hand, an enterprise does not need to set up a separate server to store user authentication data and permission data; in particular, when an enterprise has to manage a huge number of resource devices across regions or countries, it does not need to set up an authentication server in each region or country, which reduces the possibility of user information being leaked while being transmitted across regions. Thus, with the permission acquisition method of this embodiment, the security of user information is strongly guaranteed while an enterprise manages the permissions of a large number of resource devices.
FIG. 3 is a first schematic diagram of the processing flow of the permission acquisition method in an embodiment of this application. As shown in FIG. 3, the steps of this embodiment may include:
S301: the radius client starts and sends an access request message carrying the access permission identifier to the radius server.
The radius client may write the obtained username and password into the Access-Request (i.e. the access request message) and add the access permission identifier (access permission) to the AVP field of the Access-Request. Exemplarily, decoding the AVP field carrying the access permission identifier in the access request message with network packet analysis software gives:
AVP:l=3t=Access-Permission(224):0
In this AVP field, l denotes the length field, whose value is 3; t denotes the type field, whose value is 224; and the value field is 0. In other embodiments of this application, the value of the length field may also be greater than or equal to 3.
S302: the radius server receives the access request message and queries the permission database.
The radius server may query the permission database when it recognizes the access permission identifier (the Access Permission field) in the access request message.
S303: the radius server judges whether the access permission information corresponding to the user information is found in the permission database; if it is found, S305 is executed; if not, S304 is executed.
S304: the radius server sends an access reject message to the radius client.
When the radius server finds no permission information corresponding to this username in the permission database, it sends an access reject message (Access-Reject) to the radius client.
S305: the radius server sends an access accept message carrying the access permission identifier to the radius client.
The radius server writes the access permission information found in the permission database for the username into the value field of the access accept message (Access-Accept). In this embodiment the length of the value field may default to 1 byte, so the value field may be any number from 0 to 255, where 0 may serve as the access permission acquisition identifier in the access request message, 255 may serve as the error response identifier in the access accept message when no access permission information corresponding to the user information is found, and 255 may also serve as the value field of the access reject message when authentication fails. Hence 254 kinds of permission can be supported here. In other embodiments of this application, the length of the value field may be extended, for example to 2 bytes; as the number of bytes in the value field grows, the value field can carry more access permission information. Exemplarily, decoding the AVP field carrying the access permission identifier in the access accept message with network packet analysis software gives:
AVP:l=3t=Access-Permission(224):1
At this point, the permission database of the radius server can configure different permissions not only according to the username but also according to the password. For example, if a terminal device A logs in with the username "admin", then when the password entered is "testA" the permission database may be configured with access permission information 1, and when the password entered is "testB" the permission database may be configured with access permission information 2. That is, different users logging in with the same username and different passwords can be planned to have different permissions, which can also affect the subsequent accounting phase.
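The Access-Request / Access-Accept exchange with the type-224 AVP described in S201 to S202 and S301 to S305 above, as an added example that is not code from the patent or from any product: the client hides the User-Password and adds the l=3, t=224, value 0 AVP; the server authenticates, looks up the permission by (username, password) as in the admin/testA and admin/testB case, and answers with value 1 to 254, 255 when nothing is configured, or an Access-Reject; the client checks the RFC 2865 Response Authenticator before trusting the permission value. The shared secret, the credential and permission stores and all function names are assumptions made for this example.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types; 224 is the implementation-specific type the page
# uses as the access permission identifier. Constructed example, not the patent's code.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_ACCESS_PERMISSION = 1, 2, 224
PERM_REQUEST, PERM_NONE = 0, 255   # value 0: "return my permission"; 255: none configured

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], pad))   # ciphertext block chains on
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: the pad for block i is derived from hidden block i-1."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def encode_avps(avps):
    """Type(1) Length(1) Value; Length counts the header, so a 1-byte value gives l=3 as on the page."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)

def decode_avps(data):
    avps, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed AVP length")
        avps.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return avps

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_avps(pkt[20:])

def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side (S301/S503): credentials plus the type-224 AVP with value 0."""
    if request_auth is None:
        request_auth = os.urandom(16)            # fresh 16-byte Request Authenticator
    body = encode_avps([(ATTR_USER_NAME, username.encode()),
                        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                        (ATTR_ACCESS_PERMISSION, bytes([PERM_REQUEST]))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def server_handle(pkt, secret, cred_db, perm_db):
    """Server side (S302-S305): authenticate, then look up the permission by (username, password)."""
    code, ident, request_auth, avps = parse_packet(pkt)
    attrs = dict(avps)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    user = attrs[ATTR_USER_NAME].decode()
    pw = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    wants_perm = attrs.get(ATTR_ACCESS_PERMISSION) == bytes([PERM_REQUEST])
    if pw not in cred_db.get(user, ()):
        reply, perm = ACCESS_REJECT, PERM_NONE                       # authentication failed
    else:
        reply, perm = ACCESS_ACCEPT, perm_db.get((user, pw), PERM_NONE)  # 255 if unconfigured
    body = encode_avps([(ATTR_ACCESS_PERMISSION, bytes([perm]))]) if wants_perm else b""
    auth = response_authenticator(reply, ident, body, request_auth, secret)
    return struct.pack("!BBH", reply, ident, 20 + len(body)) + auth + body

def client_read_response(resp, request_auth, secret):
    """Client side (S305/S506): verify the Response Authenticator before trusting the permission."""
    code, ident, auth, avps = parse_packet(resp)
    if auth != response_authenticator(code, ident, resp[20:], request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply forged or wrong shared secret")
    perm = dict(avps).get(ATTR_ACCESS_PERMISSION)
    return code, (perm[0] if perm else None)

def acquire_permission(username, password, secret, cred_db, perm_db, ident=7):
    req, request_auth = build_access_request(ident, username, password, secret)
    return client_read_response(server_handle(req, secret, cred_db, perm_db), request_auth, secret)

# Constructed sample data mirroring the page's example: admin/testA -> 1, admin/testB -> 2.
SECRET = b"constructed-shared-secret"
CRED_DB = {"admin": {"testA", "testB"}, "guest": {"guestpw"}}
PERM_DB = {("admin", "testA"): 1, ("admin", "testB"): 2}
```

Calling `acquire_permission("admin", "testA", SECRET, CRED_DB, PERM_DB)` returns `(2, 1)`, i.e. Access-Accept with permission 1, while "guest" authenticates but gets 255 and a wrong password gets `(3, 255)`.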
In addition, the radius server can provide at least one of different charging modes and different charging rates for users with different access permission information, for example the per-unit-time Internet access rate when an IoT terminal accesses the Internet through the home gateway.
After the radius client receives the Access-Accept message, it parses the access permission identifier (Access-Permission) field in the AVP field, and the login module of the terminal device grants this user's login permission according to the value field of that AVP field. For example, the radius client may be configured so that users with different access permission information obtain different resources, exemplarily different allowed Internet access times.
S306: after receiving the access accept message, the radius client sends an accounting request message to the radius server.
The AVP field of the accounting request message (Accounting-Request) is likewise configured with the corresponding access permission identifier. Exemplarily, decoding the AVP field carrying the access permission identifier in the accounting request message with network packet analysis software gives:
AVP:l=3t=Access-Permission(224):1
S307: the radius server receives the accounting request message, sends an accounting response message, and starts charging according to at least one of the charging mode and the charging rate corresponding to the access permission information indicated by the access permission identifier.
The radius server reads the value field of the access permission identifier (Access-Permission) field in the AVP field of the accounting request message (Accounting-Request), and can apply differentiated charging to the resource access operations of user information that performs access authentication with the same username and different passwords. Exemplarily, decoding the AVP field carrying the access permission identifier in the accounting request message and the accounting response message with network packet analysis software gives either of the following:
AVP:l=3t=Access-Permission(224):1 or,
AVP:l=3t=Access-Permission(224):2
需要说明的是,S301至S308为涉及接入许可标识(Access-Permission)字段的radius交互流程,后续的计费回应报文可以与RFC2865协议中的定义相同,即S308之后的处理流程可以不需要考虑接入许可标识(Access-Permission)字段。
S308:计费结束时,radius客户端向radius服务器发送计费结束请求报 文。
S309:radius服务器接收到计费结束请求报文后停止计费,并向radius客户端发送计费结束回应报文。
本实施例的其他技术方案细节和技术效果可参考图1A至图2B所示。
图4A为本申请实施例权限获取方法的网络架构示意图二。如图4A所示,本实施例中的家庭网关(Customer Premises Equipment,CPE)130和物联网终端可以分别作为图1A中所示的资源设备11和资源请求者10的一种替代实现方式,相应的,家庭网关上的可访问页面可以作为资源设备11上的可访问资源的一种示例。在本实施例中,认证服务器12可以为radius服务器,也可以为其他的认证服务器。
基于图4A所示的网络架构,本申请实施例提供一种权限获取方法,图4B为本申请实施例中权限获取方法的交互流程示意图二。如图4B所示,本实施例的步骤包括:
S401:物联网终端向CPE发送携带有用户信息的登陆请求。
其中,该登陆请求可以用于请求获取CPE上的可访问页面。在本实施例中,物联网终端可以在与CPE建立通信连接后,从CPE获取基于网络产品界面设计(Website User Interface,WEB UI)技术开发的登陆页面,用户可以通过WEB UI输入用户信息,用户信息例如可以是用户名和密码。然后,物联网终端可以将用户信息携带在登陆请求中发送给CPE。示例性地,可访问页面可以为CPE的参数配置页面。在本实施例中,物联网终端可以通过多种方式与CPE建立通信连接,例如,可以基于超长距离低功耗数据传输技术(long range,lora)网络、网线、WiFi网络与CPE建立通信连接。物联网终端例如可以是相机、扫描仪、打印机、投影仪等。
S402:CPE向认证服务器发送携带有用户信息的权限获取请求,权限获取请求用于获取所述用户信息对应的接入权限。
其中,认证服务器可以为radius服务器,则CPE可以通过radius客户端向radius服务器发送权限获取请求。举例来说,CPE上可以部署有radius客户端,并在接收到物联网终端的登陆请求后,通过radius客户端向radius服 务器发送权限获取请求。示例性地,权限获取请求可以为接入请求报文(Access-Request)。
S403:认证服务器向CPE发送携带有用户信息对应的接入权限的权限获取响应。
其中,权限获取响应为接入成功回应报文(Access-Accept)。
S404:CPE根据用户信息对应的接入权限确定物联网终端在CPE上对应的可访问页面。
S405:CPE向物联网终端发送可访问页面。
在本实施例中,作为S302的一种替代实现方式,权限获取请求还可以用于获取用户信息对应的接入权限信息;则S303和S304可以替换为:认证服务器可以向CPE发送携带有所述用户信息对应的接入权限信息的权限获取响应。CPE可以根据接入权限信息确定物联网终端在CPE上对应的可访问页面。
示例性地,权限获取请求可以为包含AVP字段中type域的值为224、value域的值为0的接入请求报文,权限获取响应可以为包含AVP字段中type域的值为224、value域的值为用户信息对应的接入权限信息的接入成功回应报文。
在本实施例中,不同的接入权限信息可以对应家庭网关上的不同的可访问页面。例如,普通用户权限对应的可访问页面可以为常用参数的配置页面。管理员权限对应的可访问页面可以为高级参数的配置页面。超级用户权限对应的可访问页面可以为设备厂商内部参数的配置页面。由于对应不同权限的用户信息的数据不需要存储在家庭网关上,即家庭网关的设备厂商不需要将超级用户账号和对应的密码存储在家庭网关上,因而能够保证从存储在家庭网关中存储的信息中无法破解出设备厂商设置的超级用户账号和密码。
在一示例中,用户信息可以包括用户名和密码,不同的用户名可以对应不同的接入权限信息,同一用户名与不同密码的组合也可以对应不同的接入权限信息。采用这种方式,可以方便管理操作,利用相同的用户名和不同的密码配置不同的接入权限信息,从而可以减少需要规划的用户名资源。
另一示例中,用户信息也可以为物联网终端的媒体访问控制(Media Access Control,MAC)地址和密码,MAC地址也称为物理地址或硬件地址,同一MAC地址与不同密码的组合对应相同或不同的接入权限信息。采用这种方式,可以不需要规划用户名,资源设备可以在认证服务器上配置各个物联网终端对应的接入权限,由于不需要在网络中传输用户信息,因而能够避免在认证过程中泄露用户信息。
图5为本申请实施例中权限获取方法的处理流程示意图二。如图5所示,本实施例的步骤可以包括:
S501:CPE提供登陆界面,获取用户名和密码。
其中,用户或管理员可以通过物联网终端登录CPE提供的基于web UI或安全外壳协议(Secure Shell,SSH)等技术的登录界面,输入用户名和密码。
S502:CPE检查用户名和密码是否负荷字符规范,若是,执行S503,若否,执行S508。
其中,可以由CPE的登录模块进行用户名和密码的合法性检测,示例性的,可以对用户名或密码的长度进行合法性检测。
S503:CPE启动radius客户端,向radius服务器发送携带有接入许可标识的认证请求报文。
其中,可以由CPE的登录模块发送内部消息通知radius客户端相应的用户名和密码等信息。radius客户端发送的认证请求报文可以为接入请求报文(Access-Request),接入请求报文中的AVP字段包含接入许可标识(access permission字段)。示例性地,利用网络封包分析软件对接入请求报文中携带有接入许可标识的AVP字段解析如下:
AVP:l=3t=Access-Permission(224):0
其中,AVP字段中value域的值为0时,认为此接入请求报文用于请求用户信息对应的接入权限信息。
S504:radius服务器接收认证请求报文,并查询权限数据库。
其中,radius服务器可以接收该接入请求报文,该认证流程的报文交互 过程与RFC2865中一致,当接入请求报文中包括接入许可标识字段时,radius服务器增加针对该接入许可标识字段的权限数据库查询操作的处理,查询用户名对应的权限配置数据。
S505:radius服务器判断是否在权限数据库查询到此用户对应的接入权限,若是,执行S506,若否,执行S507。
S506:radius服务器向radius客户端发送带有接入许可标识的接入成功回应报文。
其中,radius服务器可以将查询到的用户权限写入将要返回的接入成功回应报文后发送。radius客户端在接收到接入成功回应报文后,可以通知CPE的登录模块根据相应的用户权限,开放不同的登录界面给此用户,登陆过程至此结束。
S507:radius服务器向radius客户端发送接入拒绝回应报文。
其中,radius服务器由于未查询到此用户名对应的接入权限信息,radius服务器可以认为即使此用户名和密码是验证通过的,但由于无法匹配相应的用户登录权限,该用户信息无法在CPE上获取相应的访问权限,故radius服务器也可以向radius返回接入拒绝报文。radius客户端在接收到接入拒绝报文后,可以通知CPE的登录模块未获取到此用户名和密码对应的用户权限,无法开放任何登录界面给此用户。登陆模块可以拒绝此用户的登录,则登陆过程至此结束。
S508:CPE重新获取用户名和密码,若错误次数达到预设次数则停止重新获取。
其中,CPE可以重新弹出web UI窗口并提示使用物联网终端的用户重新输入用户名和密码。
在本申请其他实施例中,在用户名和密码的认证结果为验证通过但未在权限数据库查询到对应的接入权限信息时,radius服务器也可以向radius客户端发送携带value域的值为255的AVP字段的接入成功回应报文。
本申请实施例提供的权限获取方法可以应用于与图5A所示类似的法国MF259项目的网络架构中,该技术方案提供了更安全和便利的集中式权限管 理方式。本实施例中主要应用了radius的鉴权和授权的功能,即在接入成功回应报文之后也可以不触发与radius的计费功能相关的计费请求报文。
本实施例的其他技术方案细节与图1A至图4B类似,可参考图1A至图4B所示技术方案中的相关描述。
本申请实施例提供的权限获取方法,在安全性、存储性和负载度三个方面都具有较好的技术效果。
在安全性方面,通过扩展radius协议中的AVP中具有特定的实现的字段,利用radius标准化协议的可扩展性,将权限功能不再由各个资源设备或者终端设备独自控制,而是将其统一管理,对于一些采用将用户权限数据单独存储在各个终端设备中的设置方式,一旦某个终端设备丢失,则这个终端设备里存储的所有用户信息都可能存在泄露的问题,举例来说,在某些物联网网络中,例如,法国某项目的lora网络,物联网终端与家庭网关建立有通信连接,由于作为资源设备的CPE(即终端设备)众多,如果将允许访问CPE的用户权限数据存储在每个CPE中,整个lora网络都面临的安全泄露的风险,这对物联网来说是不可接受的。为了提升安全性,本实施例将对请求访问CPE上的可用资源的认证过程改由radius服务器执行,但是,由于不可能在radius服务器为每个CPE都设置一个用户名和密码来进行认证和权限获取的过程,这对于管理CPE的企业来说,管理数据太多,因而可以通过设置一组用户名,每个用户名可以对于不同的权限,使得登陆lora网络中的终端设备时可以获得与用户名对应的权限,其中,采用相同的用户名登陆不同终端设备可以具有相同的接入权限信息,采用不同的用户名登陆同一终端设备可以具有不同的接入权限信息。即企业只需要管理少量的用户名对应的认证数据和少量的用户和密码对应的权限数据,使得企业对用于登陆海量CPE的用户数据的管理将更加简洁和灵活。并且,在本实施例中,由于将用户信息对应的认证数据和权限数据交由radius服务器来存储,因此,企业只需要确保radius服务器的安全性,而不再需要考虑一个或多个终端设备的安全性,对于企业来说,某个终端设备丢失也不会引起整个网络的安全性问题。
在存储性方面,对于CPE设备以及一般的物联网中的设备来说,存储空间是一个非常重要的问题,如果需要将用户认证数据和权限数据存储到每个 家庭网关中,这就将占用设备的一部分存储空间,进而造成设备成本上升,设备竞争力下降,在本实施例中,用户认证和权限数据均是存储到radius服务器中,即只需要设置一个服务器,就可以将海量终端设备上的用户权限信息数据都存储到服务器上,从而降低的单个设备的在存储数据上需要耗费的存储成本。
在复杂度方面,这里的复杂度主要是涉及用户权限变更操作的复杂度,对于核心网路由设备来说,由于数量较少,用户权限变更的复杂度问题并非很严重,但对于物联网的终端设备来说,由于家庭网关的数量众多,用户权限变更的工作量是非常大的,并且,在物联网中,为了网络管理的需要,需要变更物联网终端在家庭网关上对应的可访问资源,如果仍然在家庭网关上存储用户信息及对应可访问资源,需要逐个修改家庭网关上存储的用户信息对应的可访问资源的数据。采用本实施例提供的将权限数据存储在radius服务器进行统一管理的方式,当需要变更用户信息对应的可访问资源时,只需要在服务器的权限数据库中进行修改即可,终端设备只需要根据本实施例中扩展的AVP字段,获取用户信息对应的修改后的接入权限信息,并将该接入权限信息对应的可访问资源开放给使用该用户信息登陆的用户即可。
图6A为本申请实施例中权限获取方法的网络架构示意图三。如图6A所示,本实施例中的终端设备130可以作为图1A中所示的资源设备的一种替代实现方式。终端设备130上的可用资源可以为终端设备130上预先安装的应用(Application,APP),则资源请求者可以为请求使用终端设备130上的APP的用户。在本实施例中,认证服务器12可以为Radius服务器,也可以为其他的认证服务器。
基于图6A所示的网络架构,本申请实施例还提供一种权限获取方法,图6B为本申请实施例中权限获取方法的处理流程示意图三。如图6B所示,本实施例的步骤包括:
S601:终端设备在接收到用于指示启动终端设备上的APP的启用操作后进入用户信息获取状态。
其中,终端设备可以在检测到请求启用APP的启用指令时,设置自身进入用户信息获取状态。举例来说,终端设备可以在屏幕上检测某一需要权限 控制的APP的图标上的点击触摸操作。在本实施例中,示例性地,该用户信息获取状态可以是弹出用户信息获取窗口等,或者,终端设备上的输入设备进入等待接入输入信息的状态,输入设备例如可以是触摸屏、话筒等,本申请对此不做限制。在本实施例中,APP可以是通过安卓工具安装包在安卓操作系统中安装的应用,例如,微信、微博、淘宝等客户端,也可以是一些操作系统提供的工具软件,例如,图片库软件、拍照软件、定位功能设置软件。
需要说明的是,在本申请其他实施例中,终端设备可以预先配置需要进行权限控制的APP集合,终端设备可以仅在用户请求启动的APP是APP集合中的APP时进入用户信息获取状态。
S602:终端设备在用户信息获取状态下,接收用户信息。
其中,用户信息可以包括用户名和密码,或者,用户信息可以包括指纹,或者,用户信息可以包括声音、虹膜等等,本申请实施例对此不做限制。
S603:终端设备向认证服务器发送携带用户信息的权限获取请求,该权限获取请求用于获取用户信息对应的接入权限。
其中,权限获取请求还可以用于获取所述用户信息对应的接入权限信息;则所述接收所述认证服务器根据所述权限获取请求向所述终端设备发送携带所述用户信息对应的接入权限的权限获取响应,包括:接收所述认证服务器发送的携带有所述用户信息对应的接入权限信息的权限获取响应;相应的,所述根据所述接入权限对应的允许启用的应用集合确定是否启用所述应用,包括:根据所述接入权限信息对应的允许启用的应用集合确定是否启用所述应用,不同的接入权限信息对应不同的允许启用的应用集合。
S604:认证服务器向终端设备发送携带有用户信息对应的接入权限的权限获取响应。
其中,用户信息对应的接入权限可以是认证成功对应的具有接入权限或者认证失败对应的不具有接入权限,或者,用户信息对应的接入权限也可以是不同的接入权限信息。不同的接入权限或者接入权限信息可以对应终端设备的上的不同的可访问资源。
举例来说,在一示例中,终端设备可以配置上述的具有接入权限在终端 设备上对应的可访问资源是APP集合中的所有APP。在另一示例中,终端设备还可以配置上述的不具有接入权限在终端设备上对应的可访问资源是不允许访问APP集合中的所有的APP。在再一示例中,终端设备还可以配置具有较低的接入权限信息在终端设备上对应的可访问资源是APP集合中的部分APP。在又一示例中,终端设备还可以配置具有最高信息的接入权限信息在终端设备上对应的可访问资源是APP集合中的所有APP。终端设备可以采用上述任一种或多种的配置方式的组合对不同的接入权限配置不同的可访问资源。
S605:终端设备根据接入权限对应的允许启用的应用集合确定是否启用该APP。
其中,终端设备可以判断所请求启用的APP是否属于该用户信息对应的接入权限所配置的允许启用的应用集合,若是,则终端设备启用APP,若不是,则终端设备可以输出相应的拒绝信息。示例性地,终端设备可以在显示屏弹出用户没有权限使用该APP的提示信息,并禁止启用APP。在终端设备启用APP之后,APP进入APP自身的登陆处理流程,例如,微信APP可以按照默认的启动流程对微信用户的账户信息进行认证,待认证通过后显示该微信用户的对话列表页面。
在本申请其他实施例中,认证服务器可以为radius服务器,则终端设备上可以部署有radius客户端,终端设备可以在检测到启用请求之后,启动radius客户端并将获取到的用户信息通过radius客户端发送给radius认证服务器。相关的认证过程与图1A至图2B所示类似。
本申请实施例提供的权限获取方法不仅可以应用于用户请求启用终端设备上的APP的场景,还可应用于外部设备请求启用终端设备上的APP的场景。需要说明的是,外部设备可以通过软件或硬件接口与终端设备建立通信连接。
以手机为例,手机上可以安装“安全手机”应用,该应用中可以内置一个radius客户端。手机的所有者可以在“安全手机”应用上预先设置一个或多个需要进行权限控制的APP,其中也可以包括该“安全手机”应用。这些APP不再单独由手机进行权限控制,而是在每次使用APP自身账号登录前, 先进行手机自身的集中权限认证。举例来说,“安全手机”应用可以监控启用这些APP的指令,在监控到启用指令时,“安全手机”应用可以在要启用的APP自身的账号登陆认证过程之前,先对使用手机的用户进行集中权限认证。需要说明的是,该APP自身的账号登陆通常是通过该APP与该APP对应的认证服务器进行交互实现的,即“安全手机”应用发起的权限认证与需要进行权限控制的APP自身的账号登陆是相互独立的认证过程。
在一示例中,“安全手机”应用检测APP1接收到开启指令进入运行状态,用户在输入APP1自身登录的用户名和密码之前,需要先输入“安全手机”应用进行权限认证的用户名和密码,然后,“安全手机”应用作为radius客户端向radius认证服务器发送接入请求报文,并接收radius服务器发送的接入成功回应报文,其中,接入请求报文和接入成功回应报文中可以携带包含接入许可标识的AVP字段。如果未通过权限认证则“安全手机”应用控制关闭APP1,如果通过权限认证则开启APP1。
在此场景的应用中,对于一些对安全性要求极高的手机所有者来说,即使APP的用户名和密码被盗,由于非法用户不具有本手机的权限管理密码,如“安全手机”应用的用户名和密码,非法用户无法操作需要认证才能使用的APP。示例性地,手机所有者只需要在radius服务器上进行设置,以使radius服务器拒绝接收来自此手机的任何权限认证请求,那么此手机也就无法开启对权限有需求的APP。可见,采用本实施例提供的权限获取方法可以很好的维护手机中存储的私人信息的安全。
此外,为了提升APP的启动速度,手机所有者通常会设置APP登陆时所需使用的默认登陆信息,但是,当手机被盗时,非法用户在点击启用APP时会也使用默认登陆信息进行APP登陆,APP中存储的私人信息就可能被窃取。采用本实施例提供的权限获取方法,若非法用户或者具有较低的接入权限的用户想要打开手机上的APP时,手机可以在接收到请求启用APP的启用请求时,通过设置在第三方的认证服务器对用户进行认证,即仅允许认证服务器认证通过或者认证具有相应的接入权限的用户使用APP,从而可以避免APP中存储的私人数据丢失。可见,本实施例提供的权限获取方法能够提升手机等终端设备中存储的数据的安全性。
本实施例的其他技术方案细节和技术效果与图1A至图3类似,可参考图1A至图3所示技术方案中的相关描述。
本申请实施例还提供一种权限获取装置,图7为本申请实施例中权限获取装置的结构示意图一,如图7所示,权限获取装置70包括:
第一发送模块701,配置为向远程用户拨号认证系统(radius)服务器发送携带用户信息的权限获取请求,其中,所述权限获取请求用于获取所述用户信息对应的接入权限信息;
第一接收模块702,配置为接收所述radius服务器发送的携带所述接入权限信息的权限获取响应。
其中,所述接入权限信息可以用于确定所述用户信息对应的可访问资源,且不同的接入权限信息对应不同的可访问资源。
在上述方案中,所述权限获取装置可以位于家庭网关侧,则:
第一接收模块702,可以配置为接收物联网终端发送的携带有用户信息的登陆请求,其中,所述登陆请求用于获取在所述家庭网关上的可访问资源;
第一发送模块701,可以配置为向认证服务器发送携带所述用户信息的权限获取请求,所述权限获取请求用于获取所述用户信息对应的接入权限;
第一接收模块702,还可以配置为接收所述认证服务器发送的携带有所述用户信息对应的接入权限的权限获取响应;以及,根据所述接入权限确定所述物联网终端在所述家庭网关上对应的可访问资源。
在上述方案中,所述权限获取装置可以位于终端设备侧,则:
第一接收模块702,可以配置为在接收到用于指示启动所述终端设备上的应用的启用操作后进入用户信息获取状态;并在所述用户信息获取状态下,接收用户信息;
第一发送模块701,可以配置为向认证服务器发送携带所述用户信息的权限获取请求,所述权限获取请求用于获取所述用户信息对应的接入权限;
第一接收模块702,还可以配置为接收所述认证服务器发送的携带有所述用户信息对应的接入权限的权限获取响应;以及,根据所述接入权限对应的允许启用的应用集合确定是否启用所述应用。
本实施例的权限获取装置,可以用于执行图1A至图6所示方法实施例的中部署有radius客户端的资源设备或者radius客户端或者家庭网关或者终端设备执行的技术方案,其实现原理和技术效果可参考图1A至图6所示方法。
本申请实施例还提供一种权限获取装置,图8为本申请实施例中权限获取装置的结构示意图二,如图8所示,权限获取装置80包括:
第二接收模块801,配置为接收远程用户拨号认证系统(radius)客户端发送的携带有所述用户信息的权限获取请求,其中,所述权限获取请求用于获取所述用户信息对应的接入权限信息;
第二发送模块802,配置为向radius客户端发送携带有所述用户信息对应的接入权限信息的权限获取响应。
在上述方案中,所述权限获取请求可以为携带有和接入许可标识的接入请求报文(Access-Request),所述权限获取响应可以为接入成功回应报文(Access-Accept);其中,所述接入权限信息用于确定所述用户信息对应的可访问资源,且不同的接入权限信息对应不同的可访问资源。
本实施例的权限获取装置,可以用于执行图1A至图6所示方法实施例的中radius服务器执行的技术方案,其实现原理和技术效果可参考图1A至图6所示方法。
FIG. 9 is a schematic structural diagram of a resource device in an embodiment of the present application. As shown in FIG. 9, the resource device 90 includes a memory 903, a processor 904, and a permission acquisition program (not shown) that is stored in the memory 903 and executable on the processor 904, where the processor, when executing the program, implements the following steps:
sending, to a RADIUS server, a permission acquisition request carrying user information, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and receiving a permission acquisition response, sent by the RADIUS server, that carries the access permission information; where the access permission information is used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
The resource device 90 may further include an interface 901 and a bus 902; the interface 901, the memory 903 and the processor 904 are connected via the bus 902. The interface 901 may be used to establish a communication connection with the authentication server. The interface may be a wired transmission interface or a wireless transmission interface. The interface 901 may also be used to obtain a resource access request from a resource requester, and the interface may also be an input device capable of receiving instructions. For example, the interface may be a transmitting or receiving antenna, or may be implemented by a program module integrated in a digital circuit processor.
In other embodiments of the present application, the program, when executed by the processor 904, may further implement the following steps: before sending the permission acquisition request carrying the user information to the RADIUS server, receiving a resource access request carrying the user information, where the resource access request is used to acquire the accessible resources corresponding to the user information on the resource device; and, after receiving the permission acquisition response carrying the access permission information sent by the RADIUS server, determining, according to the access permission information, the accessible resources corresponding to the user information on the resource device.
In the above solution, the resource device 90 may be a home gateway, a terminal device, or the like.
If the resource device 90 is a home gateway, the program, when executed by the processor 904, further implements the following steps: the home gateway receives a login request carrying user information sent by an IoT terminal, where the login request is used to acquire accessible resources on the home gateway; sends, to an authentication server, a permission acquisition request carrying the user information, where the permission acquisition request is used to acquire the access permission corresponding to the user information; receives a permission acquisition response, sent by the authentication server, that carries the access permission corresponding to the user information; and determines, according to the access permission, the accessible resources corresponding to the IoT terminal on the home gateway.
If the resource device 90 is a terminal device, the program, when executed by the processor 904, further implements the following steps: the terminal device enters a user information acquisition state after receiving an enable operation indicating that an application on the terminal device is to be started; receives user information in the user information acquisition state; sends, to an authentication server, a permission acquisition request carrying the user information, where the permission acquisition request is used to acquire the access permission corresponding to the user information; receives a permission acquisition response, sent by the authentication server, that carries the access permission corresponding to the user information; and determines, according to the set of applications permitted to be enabled that corresponds to the access permission, whether to enable the application.
The permission acquisition apparatus of this embodiment may be used to execute the technical solutions performed by the resource device in the method embodiments shown in FIG. 1A to FIG. 6; for its implementation principle and technical effects, refer to the methods shown in FIG. 1A to FIG. 6.
FIG. 10 is a schematic structural diagram of a RADIUS server in an embodiment of the present application. As shown in FIG. 10, the RADIUS server 100 includes a memory 1003, a processor 1004, and a permission acquisition program (not shown) that is stored in the memory 1003 and executable on the processor 1004, where the processor, when executing the program, implements the following steps:
the RADIUS server receives a permission acquisition request carrying the user information sent by a RADIUS client, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and sends, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
The processor 1004, when executing the program, may implement the following steps:
the RADIUS server receives an access request packet (Access-Request) carrying the user information and an access-permission identifier sent by the RADIUS client; and sends, to the RADIUS client, an access success response packet (Access-Accept) carrying the access permission information corresponding to the user information.
In this embodiment, the access permission information may be used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
The RADIUS server 100 may further include an interface 1001 and a bus 1002; the interface 1001, the memory 1003 and the processor 1004 are connected via the bus 1002. The interface 1001 may be used to establish a communication connection with the RADIUS client or the resource device. The interface 1001 may be a wired transmission interface or a wireless transmission interface. For example, the interface 1001 may be a transmitting or receiving antenna, or may be implemented by a program module integrated in a digital circuit processor.
The permission acquisition apparatus of this embodiment may be used to execute the technical solutions performed by the RADIUS server in the method embodiments shown in FIG. 1A to FIG. 6; for its implementation principle and technical effects, refer to the methods shown in FIG. 1A to FIG. 6.
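The exchange described for the resource device (FIG. 9) and the RADIUS server (FIG. 10), worked through as an added example that is not part of the patent or any product of the applicant: the client builds an Access-Request carrying the user information and an access-permission identifier attribute, the server looks the user information up in permission data held only on the server and answers with an Access-Accept carrying the access permission information, and the client maps that information to the accessible resource set. Packet framing, User-Password hiding and the Response Authenticator follow RFC 2865; the attribute type numbers 200 and 201, the shared secret, the user entries (including one IoT terminal identified by MAC address) and the level-to-resource table are all constructed assumptions, since the page names the access-permission AVP but gives no type value. The client checks the Response Authenticator before acting on the reply, so a forged or altered Access-Accept grants nothing.

```python
"""RADIUS Access-Request / Access-Accept exchange that carries an access-permission
identifier and returns permission information (RFC 2865 framing; added example)."""
import hashlib
import hmac
import os
import struct

# Standard RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Hypothetical attribute type numbers: the page names an access-permission
# identifier AVP and returned permission information but gives no type values.
ATTR_ACCESS_PERMISSION = 200   # marks the request as a permission acquisition request
ATTR_PERMISSION_INFO = 201     # carries the permission level in the Access-Accept

SHARED_SECRET = b"constructed-shared-secret"   # constructed sample value

# Constructed permission data held only on the RADIUS server:
# (user name or IoT MAC, password) -> permission level. The same name with a
# different password maps to a different level, as the description allows.
PERMISSION_DB = {
    ("alice", "owner-pw"): 3,
    ("alice", "guest-pw"): 1,
    ("aa:bb:cc:dd:ee:ff", "plug-pw"): 2,   # IoT terminal identified by MAC address
}

# Resource device side: permission level -> accessible resources on the gateway.
RESOURCES = {1: {"internet"}, 2: {"internet", "lan"}, 3: {"internet", "lan", "admin-ui"}}


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _hide_password(password, authenticator):
    """User-Password obfuscation of RFC 2865 section 5.2 (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def _reveal_password(hidden, authenticator):
    """Inverse of _hide_password, run on the server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data):
    """Parse the attribute section into {type: value}, rejecting malformed TLVs."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident, user, password):
    """RADIUS client (resource device): Access-Request carrying the user information
    plus the access-permission identifier that asks for permission information."""
    req_auth = os.urandom(16)   # Request Authenticator, fresh per request
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, _hide_password(password.encode(), req_auth))
             + _attr(ATTR_ACCESS_PERMISSION, b"\x01"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_handle(request):
    """RADIUS server: check the user information against PERMISSION_DB and answer
    with an Access-Accept carrying the permission level, or an Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), req_auth).decode(errors="replace")
    level = PERMISSION_DB.get((user, password))
    if level is None or ATTR_ACCESS_PERMISSION not in attrs:
        code, resp_attrs = ACCESS_REJECT, b""
    else:
        code, resp_attrs = ACCESS_ACCEPT, _attr(ATTR_PERMISSION_INFO, bytes([level]))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + SHARED_SECRET).digest()
    return header + resp_auth + resp_attrs


def client_accessible_resources(response, ident, req_auth):
    """RADIUS client: verify the Response Authenticator before trusting the reply,
    then map the returned permission level to the accessible resource set."""
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    if resp_id != ident or length != len(response):
        return set()
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, response[4:20]) or code != ACCESS_ACCEPT:
        return set()   # forged, tampered or rejecting reply grants nothing
    info = parse_attrs(response[20:]).get(ATTR_PERMISSION_INFO, b"")
    return RESOURCES.get(info[0], set()) if info else set()


def authorize(user, password, ident=7):
    """End-to-end flow: client request -> server decision -> client resource set."""
    request, req_auth = build_access_request(ident, user, password)
    return client_accessible_resources(server_handle(request), ident, req_auth)
```

`authorize("alice", "owner-pw")` returns the full resource set while `authorize("alice", "guest-pw")` returns only `{"internet"}`, which is the "same user name, different password, different permission" behaviour of claim 6; the MAC-address entry plays the role of the IoT terminal of claim 4. The permission data never leaves the server, which is the point made under Industrial Applicability: the client only ever sees the resulting permission level, and only after the Response Authenticator check passes.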
In practice, the processor may be implemented by a Central Processing Unit (CPU), a Micro Processor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA) or the like located in the terminal.
An embodiment of the present application further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
sending, to a RADIUS server, a permission acquisition request carrying user information, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and receiving a permission acquisition response, sent by the RADIUS server, that carries the access permission information.
In this embodiment, the access permission information may be used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
Other technical details and technical effects of this embodiment are similar to those of the above embodiments relating to the resource device in which a RADIUS client is deployed, or to the RADIUS client.
This embodiment further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the RADIUS server receives a permission acquisition request carrying the user information sent by a RADIUS client, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and sends, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
The permission acquisition program may be configured to execute:
the RADIUS server receives an access request packet (Access-Request) carrying the user information and an access-permission identifier sent by the RADIUS client; and sends, to the RADIUS client, an access success response packet (Access-Accept) carrying the access permission information corresponding to the user information.
In this embodiment, the access permission information may be used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
Other technical details and technical effects of this embodiment are similar to those of the above embodiments relating to the RADIUS server.
This embodiment further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the home gateway receives a login request carrying user information sent by an IoT terminal, where the login request is used to acquire accessible resources on the home gateway; sends, to an authentication server, a permission acquisition request carrying the user information, where the permission acquisition request is used to acquire the access permission corresponding to the user information; receives a permission acquisition response, sent by the authentication server, that carries the access permission corresponding to the user information; and determines, according to the access permission, the accessible resources corresponding to the IoT terminal on the home gateway.
Other technical details and technical effects of this embodiment are similar to those of the above embodiments relating to the home gateway.
This embodiment further provides a storage medium storing a permission acquisition program, where the permission acquisition program is configured to execute:
the terminal device enters a user information acquisition state after receiving an enable operation indicating that an application on the terminal device is to be started; receives user information in the user information acquisition state; sends, to an authentication server, a permission acquisition request carrying the user information, where the permission acquisition request is used to acquire the access permission corresponding to the user information; receives a permission acquisition response, sent by the authentication server, that carries the access permission corresponding to the user information; and determines, according to the set of applications permitted to be enabled that corresponds to the access permission, whether to enable the application.
Other technical details and technical effects of this embodiment are similar to those of the above embodiments relating to the home gateway.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes that element.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules or units of the systems and apparatuses, may be implemented as software, firmware, hardware, or an appropriate combination thereof. In a hardware implementation, the division between functional modules or units mentioned in the above description does not necessarily correspond to a division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor such as a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery medium.
The above are merely exemplary embodiments of the present application and do not thereby limit the patent scope of the present application; any equivalent structural or process transformation made using the contents of the specification and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included within the patent protection scope of the present application.
Industrial Applicability
Embodiments of the present application provide a permission acquisition method, apparatus, device and storage medium, in which the accessible resources corresponding to user information are obtained through authentication performed by a RADIUS server deployed on the network side, based on the user information and on permission data stored on the RADIUS server; an illegitimate user cannot obtain the permission data stored on the RADIUS server and therefore cannot obtain the resources on the resource device.

Claims (17)

  1. A permission acquisition method, comprising:
    sending, by a Remote Authentication Dial-In User Service (RADIUS) client, to a RADIUS server, a permission acquisition request carrying user information (S101, S402, S603), where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and
    receiving a permission acquisition response, sent by the RADIUS server, that carries the access permission information (S102, S403, S604).
  2. The method according to claim 1, wherein, before sending the permission acquisition request carrying the user information to the RADIUS server, the method further comprises: receiving a resource access request carrying the user information, where the resource access request is used to acquire the accessible resources corresponding to the user information on a resource device;
    and correspondingly, after receiving the permission acquisition response carrying the access permission information sent by the RADIUS server, the method further comprises: determining, according to the access permission information, the accessible resources corresponding to the user information on the resource device.
  3. The method according to claim 2, wherein the resource device is a home gateway, and receiving the resource access request carrying the user information comprises: receiving a login request carrying the user information sent by an Internet of Things (IoT) terminal (S401), where the login request is used to request the accessible resources corresponding to the user information on the home gateway;
    and determining, according to the access permission information, the accessible resources corresponding to the user information on the resource device comprises: determining, according to the access permission information, the accessible resources corresponding to the IoT terminal on the home gateway (S404).
  4. The method according to claim 3, wherein the user information comprises a Media Access Control (MAC) address and a password of the IoT terminal, and combinations of the same MAC address with different passwords correspond to the same or different access permission information.
  5. The method according to claim 2, wherein the resource device is a terminal device and the accessible resources are a set of applications permitted to be enabled, and before sending the permission acquisition request carrying the user information to the RADIUS server (S603), the method further comprises: entering a user information acquisition state after receiving an enable operation indicating that an application on the terminal device is to be started (S601); and receiving user information in the user information acquisition state (S602);
    and after receiving the permission acquisition response carrying the access permission information sent by the RADIUS server (S604), the method further comprises: determining, according to the set of applications permitted to be enabled that corresponds to the access permission information, whether to enable the application (S605).
  6. The method according to claim 1, wherein the user information comprises a user name and a password, and combinations of the same user name with different passwords correspond to different access permission information.
  7. The method according to claim 1, wherein sending the permission acquisition request carrying the user information to the Remote Authentication Dial-In User Service (RADIUS) server comprises: sending, to the RADIUS server, an access request packet (Access-Request) carrying the user information and an access-permission identifier (access-permission) (S201, S301);
    and receiving the permission acquisition response carrying the access permission information sent by the RADIUS server comprises: receiving an access success response packet (Access-Accept), sent by the RADIUS server, that carries the access permission information (S202, S305).
  8. The method according to claim 7, wherein, after receiving the access success response packet (Access-Accept) carrying the access permission information sent by the RADIUS server, the method further comprises:
    sending, to the RADIUS server, an accounting request packet (Accounting-Request) carrying the access permission information (S203, S306), where the accounting request packet is used to request the RADIUS server to determine, according to the access permission information, at least one of an accounting mode and an accounting rate corresponding to the user information.
  9. The method according to claim 7, wherein the access request packet contains an attribute-value pair (AVP) field whose type number (type) represents the access-permission identifier.
  10. A permission acquisition method, comprising:
    receiving, by a Remote Authentication Dial-In User Service (RADIUS) server, a permission acquisition request carrying user information sent by a RADIUS client, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and
    sending, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
  11. The method according to claim 10, wherein the RADIUS server receiving the permission acquisition request carrying the user information sent by the RADIUS client comprises: the RADIUS server receiving an access request packet (Access-Request) carrying the user information and an access-permission identifier sent by the RADIUS client (S504);
    and sending, to the RADIUS client, the permission acquisition response carrying the access permission information corresponding to the user information comprises: sending, to the RADIUS client, an access success response packet (Access-Accept) carrying the access permission information corresponding to the user information (S506).
  12. The method according to claim 11, wherein, after sending, to the RADIUS client, the access success response packet (Access-Accept) carrying the access permission information corresponding to the user information, the method further comprises: receiving an accounting request packet (Accounting-Request) carrying the access permission information sent by the RADIUS client; and determining, according to the access permission information, at least one of an accounting mode and an accounting rate corresponding to the user information (S307).
  13. A permission acquisition apparatus, comprising:
    a first sending module (701), configured to send, to a Remote Authentication Dial-In User Service (RADIUS) server, a permission acquisition request carrying user information, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and
    a first receiving module (702), configured to receive a permission acquisition response, sent by the RADIUS server, that carries the access permission information.
  14. A permission acquisition apparatus, comprising:
    a second receiving module (801), configured to receive a permission acquisition request carrying the user information sent by a Remote Authentication Dial-In User Service (RADIUS) client, where the permission acquisition request is used to acquire the access permission information corresponding to the user information; and
    a second sending module (802), configured to send, to the RADIUS client, a permission acquisition response carrying the access permission information corresponding to the user information.
  15. A resource device, comprising: a memory (903), a processor (904), and a permission acquisition program stored in the memory (903) and executable on the processor (904),
    wherein the processor (904), when executing the program, implements the permission acquisition method according to any one of claims 1 to 9.
  16. A Remote Authentication Dial-In User Service authentication server, comprising: a memory (1003), a processor (1004), and a permission acquisition program stored in the memory (1003) and executable on the processor (1004),
    wherein the processor (1004), when executing the program, implements the permission acquisition method according to any one of claims 10 to 12.
  17. A computer-readable storage medium storing a permission acquisition program, wherein the permission acquisition program, when executed by a processor, implements the steps of the permission acquisition method according to any one of claims 1 to 12.
PCT/CN2017/102299 2017-06-13 2017-09-19 Permission acquisition method, apparatus, device and storage medium WO2018227802A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710444357.2A CN109150787A (zh) 2017-06-13 2017-06-13 Permission acquisition method, apparatus, device and storage medium
CN201710444357.2 2017-06-13

Publications (1)

Publication Number Publication Date
WO2018227802A1 true WO2018227802A1 (zh) 2018-12-20

Family

ID=64660049

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/102299 WO2018227802A1 (zh) 2017-06-13 2017-09-19 Permission acquisition method, apparatus, device and storage medium

Country Status (2)

Country Link
CN (1) CN109150787A (zh)
WO (1) WO2018227802A1 (zh)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17913705

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17913705

Country of ref document: EP

Kind code of ref document: A1