WO2021035740A1 - Access control method, server, access device and storage medium - Google Patents

Access control method, server, access device and storage medium

Publication number
WO2021035740A1
Authority
WO
WIPO (PCT)
Prior art keywords
access device
sharing
server
access
local
Prior art date
Application number
PCT/CN2019/103862
Other languages
English (en)
Chinese (zh)
Inventor
吕小强
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Priority to CN201980095168.6A priority Critical patent/CN113678127B/zh
Priority to PCT/CN2019/103862 priority patent/WO2021035740A1/fr
Publication of WO2021035740A1 publication Critical patent/WO2021035740A1/fr

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication

Definitions

  • the present invention relates to the Internet of Things (IoT) technology, and in particular to an access control method, server, access device and storage medium.
  • devices that are not in the same local network can communicate with each other through the cloud, and the cloud groups the devices belonging to the same user under the same user ID created in the cloud. All devices registered to the cloud and belonging to the same user ID can communicate according to the device authorization cloud permission policy (for example: ACE2 policy).
  • devices in the same local network can communicate with each other through the local network. Therefore, cloud communication and local network communication are isolated from each other, and the device can only be accessed by one user, which cannot meet the application scenario of multiple users.
  • the embodiments of the present invention provide an access control method, a server, an access device, and a storage medium, which can share the access authority of the device with other users, and realize multi-user access.
  • an embodiment of the present invention provides an access control method, including:
  • the server establishes a sharing record between the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
  • the server transmits a local shared credential between the first access device and the second access device, and the local shared credential is used for establishing a local connection between the first access device and the target device.
  • an embodiment of the present invention provides an access control method, including:
  • the first access device acquires the second device identifier of the second access device
  • the first access device sends the first device ID of the first access device and the second device ID to the server; the first device ID and the second device ID are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
  • the first access device and the server transmit a local shared credential, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • an embodiment of the present invention provides an access control method, including:
  • the second access device acquires the first device identifier of the first access device
  • the second access device sends the first device identification and the second device identification of the second access device to the server; the first device identification and the second device identification are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
  • the second access device transmits a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • an embodiment of the present invention provides a server, including:
  • the establishment unit is configured to establish a sharing record among the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device, the sharing The record is used to share the access permission of the target device to the first access device;
  • the transmission unit is configured to transmit a local shared credential between the first access device and the second access device, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • an embodiment of the present invention provides an access device, including:
  • the first obtaining unit is configured to obtain the second device identifier of the second access device
  • the first sending unit is configured to send the first device identifier of the first access device and the second device identifier to the server, where the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
  • the first transmission unit is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • an embodiment of the present invention provides an access device, including:
  • the second acquiring unit is configured to acquire the first device identifier of the first access device
  • the second sending unit is configured to send the first device ID and the second device ID of the second access device to the server, where the first device ID and the second device ID are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
  • the second transmission unit is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • an embodiment of the present invention provides a server, including: a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the server.
  • an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the above-mentioned access control method executed by the first access device.
  • an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the above-mentioned access control method executed by the second access device.
  • an embodiment of the present invention provides a storage medium storing an executable program, and when the executable program is executed by a processor, the access control method executed by the server is implemented.
  • an embodiment of the present invention provides a storage medium that stores an executable program, and when the executable program is executed by a processor, it implements the access control method executed by the first access device.
  • an embodiment of the present invention provides a storage medium storing an executable program, and when the executable program is executed by a processor, the above-mentioned access control method executed by the second access device is implemented.
  • the access control method provided by the embodiment of the present invention includes: the server establishes a sharing record between the first device identifier of the first access device, the second device identifier of the second access device, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device; the server transmits a local shared credential between the first access device and the second access device, and the local shared credential is used for the first access device to establish a local connection with the target device. In this way, the first access device, which is not associated with the target device, can access the target device based on the sharing record, and the local shared credential transmitted between the first access device and the second access device corresponding to the sharing record enables the first access device to access the target device locally. This avoids the target device being accessible only by the user ID with which it has a binding relationship, achieves multi-user access, and means that the first access device's access to the target device is not restricted by the network.
  • FIG. 1 is an optional structural diagram of an Internet of Things system provided by an embodiment of the present invention
  • FIG. 2 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 3 is an optional structural diagram of the Internet of Things system provided by an embodiment of the present invention.
  • FIG. 4A is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 4B is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 4C is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 5 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 6 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 7 is an optional flowchart of an access control method provided by an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an optional structure of a server provided by an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
  • FIG. 11 is a schematic diagram of an optional structure of an electronic device provided by an embodiment of the present invention.
  • the access control of the Internet of Things system includes local access based on the home network and remote access based on the cloud.
  • the IoT device needs to be registered in the cloud after entering the Internet of Things.
  • the IoT device will get a corresponding user ID (UserID) during registration, and the IoT device will be in a remotely operable state after being registered in the cloud. If the IoT device is not registered in the cloud, remote operations cannot be performed, but operations can be performed locally.
  • UserID is the user ID of the IoT device in the cloud, not the device ID (device ID).
  • the local operation of the IoT device is related to the access policy of the IoT device, but not the UserID.
  • the configuration work is done by OBT. During the configuration process, the Owner ID of the IoT device needs to be set to the Device ID of the OBT device. In addition, the access credential of the IoT device needs to be configured.
  • the access credential is used for two-way authentication when the two devices establish a connection.
  • the access credential can be a symmetric key, asymmetric key, certificate, etc.
  • the two parties can establish a secure communication connection, that is, they can interconnect and interoperate.
  • the structure of the cloud-based Internet of Things system is shown in Fig. 1, and includes: a client 101, a server 102, and a cloud 103.
  • the client 101 accesses resources of the server 102, and the server 102 provides the resources accessed by the client 101.
  • the client 101 and the server 102 communicate with each other through the cloud 103.
  • When the client 101 requests a CRUDN operation on the resource referenced by the resource Links carried by the cloud 103, the client 101 sends a CRUDN request to the cloud 103, and the cloud 103 forwards the CRUDN request of the client 101 to the server 102 that actually carries the resource.
  • the server 102 responds to the CRUDN request forwarded by the cloud 103, and the cloud 103 forwards the response of the server 102 to the client 101, that is, the communication path is client 101->cloud 103->server 102->cloud 103->client 101.
  • the cloud 103 may include three functional entities:
  • Cloud interface 1031: the anchor point on the cloud, responsible for server access management and message routing for remote communication between the client and server.
  • the cloud interface provides a unified address and port number, such as coaps+tcp://example.com:443.
  • Authorization server 1032: responsible for server registration and authentication of the client and server.
  • Resource catalog 1033: the index of the server resources; the client can obtain the resources of the target device by retrieving the resource catalog.
  • authorization server 1032 and the cloud may be the same physical entity, or may be different physical entities.
  • each device can be a client, a server, or both a client and a server.
  • Step S201: The configurator obtains the user's access token (Access Token) from the authorization server.
  • the mediator function is provided in the user APP to configure the device to connect to the cloud.
  • the configurator is configured with a uniform resource locator (URL) for cloud access, and the user has registered a user name and password, so that the authorization server can authorize the user and return an access token to the configurator.
  • the user APP can be located on the device as the client.
  • Step S202: The configurator is registered in the cloud.
  • the configurator provides an access token to the cloud for configurator registration, and the cloud verifies the Access Token provided by the configurator and assigns a user ID.
  • the authorization server will provide different Access Tokens, but any configurator used by the same user is associated with the same User ID.
  • Step S203: The configurator is connected to the device, and the device is configured.
  • the configurator connects to the device through the normal device discovery process, and then requests an Access Token from the cloud for the configured device.
  • the configurator uses the Access Token authorized by the cloud, together with the Uniform Resource Identifier (URI) and the Universal Unique Identifier (UUID) of the cloud, to update the cloud configuration resource on the device, for example the "oic.r.coapcloudconf" resource, so as to configure the cloud information.
  • the Access Token provided by the cloud is used when the device performs initial registration with the cloud.
  • Step S204: The device establishes a Transport Layer Security (TLS) connection with the cloud.
  • the device uses a preset digital certificate to establish a TLS connection with the cloud.
  • the preset digital certificates include: the manufacturer's certificate of the device and the trust anchor certificate.
  • Step S205: The device is registered in the cloud.
  • To register in the cloud, the device needs to send an update (UPDATE) operation request to the account resource on the cloud.
  • the resource update request includes the Access Token and User ID configured in the cloud configuration resource.
  • the cloud maintains a unique instance of account resources for each device. Among them, the account resource can be the "/oic/sec/account" resource.
  • Steps S206 to S207: The cloud verifies the Access Token provided by the device.
  • the cloud sends the User ID and Access Token provided by the device to the authorization server. After the authorization server successfully verifies the update operation request, the cloud responds to the update operation. The response will provide the device with an updated Access Token and the validity period of the Access Token. In addition, the cloud also records the User ID that is associated with this device, that is, has a binding relationship.
  • step S201 is completed between the cloud and the configurator, and step S207 is not required.
  • the device needs to log in to the cloud to transfer data between the device and the cloud, and the device sends an update (UPDATE) operation request to the cloud session resource.
  • the cloud session resource can be a "/oic/sec/session" resource.
  • the device in Figure 2 can be a client or a server. If the device is used as a server, after the device establishes a TLS connection with the cloud, the device publishes the resources it carries in the resource directory of the cloud to facilitate remote access to these resources by the client.
  • Devices that are not in the same local network can communicate with each other through the cloud using the Constrained Application Protocol over the Transmission Control Protocol (CoAP over TCP).
  • the cloud groups devices belonging to the same User ID under the same User ID. All devices registered to the cloud and belonging to the same User ID can communicate according to the ACE2 policy of the device authorization cloud.
  • a device under a User ID is referred to as a device that has a binding relationship with the User ID.
  • the access control method of the embodiment of the present invention can be applied to the Internet of Things system 300 shown in FIG. 3, which includes: a first access device 301, a second access device 302, a target device 303 and a server 304. The first access device 301 and the second access device 302 are clients, the target device 303 is the server, and the server 304 is the cloud.
  • the client accesses the resources of the server based on the cloud.
  • the first access device 301 logs in to the server 304 with the first user ID.
  • the second access device 302 logs in to the server 304 with the second user ID.
  • the first user ID is not associated with the target device.
  • the second user ID is associated with the target device, that is, the first access device and the target device are not devices under the same user ID, and the second access device and the target device are devices under the same user ID.
  • the client, server, and cloud in the Internet of Things system 300 can communicate based on various communication systems, such as: Global System of Mobile Communication (GSM) system, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD), Universal Mobile Telecommunication System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication system, or 5G system, etc.
  • the first access device 301 and the second access device 302 may be terminal devices, which may refer to access terminals, user equipment (UE), user units, user stations, mobile stations, remote stations, remote terminals, mobile equipment, user terminals, terminals, wireless communication devices, user agents or user devices.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved PLMN, etc.
  • the target device 303 may be IoT devices such as sensors, laser scanning systems, and smart home appliances.
  • Figure 3 exemplarily shows one server and two clients.
  • the IoT system 300 may include multiple servers, as well as clients that have a binding relationship with a server and clients that do not, which is not limited in this embodiment of the present invention.
  • An optional processing flow of the access control method provided by the embodiment of the present invention, as shown in FIG. 4A, includes the following steps:
  • Step S401: The server establishes a sharing record between the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device.
  • the server may receive the first device identification and the second device identification sent by the first access device or the second access device and, based on the acquired first device identification and second device identification, establish a correspondence with the target device identifier of the target device that is associated with the same user ID as the second access device. The established correspondence is called a sharing record. The sharing record is used to share the access permission of the target device to the first access device, that is, to determine that the access permission of at least one target device associated with the second access device is shared to the first access device that is not associated with the target device.
  • the first access device and the target device are not associated with the same user identity, that is, the first access device is not associated with the target device, and the second access device and the target device are associated with the same user identity, that is, the second access device is associated with the target device.
  • When the server receives the first device identification and the second device identification sent by the first access device, the first access device initiates the registration of device sharing to the server.
  • When they are sent by the second access device, the second access device initiates the registration of device sharing to the server.
  • the server receives a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
  • Where the registration request does not carry the target device identifier of the target device, the server searches for all target devices associated with the second access device according to the second device identifier and/or the second user identifier corresponding to the second device identifier.
  • a sharing record is then established between the target device identifiers of all target devices, the first device identifier, and the second device identifier. One sharing record can be established corresponding to all target device identifiers, or separate sharing records can be established for the different target device identifiers.
  • Where the registration request also carries the target device identifier, the server establishes a sharing record among the first device identification, the second device identification, and the target device identification carried in the registration request.
  • the registration request may carry at least one target device identifier, and the server may establish a sharing record corresponding to all target device identifiers carried in the registration request, or may establish corresponding sharing records based on different target device identifiers.
  • the server stores the sharing record through an independent resource.
  • the resource storing the sharing record is referred to as a device share resource.
  • After the server establishes a new sharing record, it adds the established sharing record to the device share resource.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and the sharing restriction conditions.
  • Sharing restriction conditions are used to restrict the access rights of the first access device to the target device.
  • Sharing restriction conditions can include: only one time (Only One Time); Always, which signifies permanent access; a sharing time period, which signifies permission for a period of access; or other conditional content.
  • different sharing restriction conditions can be represented by different sharing identifiers.
  • Step S402: The server transmits the local shared credential between the first access device and the second access device.
  • the local shared credential is used for the first access device to establish a local connection with the target device, so that the first access device and the target device can establish a local connection over the local network after accessing the local network, and the first access device accesses the target device over the established local connection.
  • the transmission of the local shared credential is performed between the first access device, the second access device and the server.
  • the server sends the local sharing credentials to the first access device and the second access device respectively.
  • the server receives the local sharing credential sent by the first access device, and sends the received local sharing credential to the second access device.
  • the server receives the local sharing credential sent by the second access device, and sends the received local sharing credential to the first access device.
  • the local sharing credential can be generated by the server, the first access device, or the second access device.
  • the server sends the generated local sharing credential to the first access device and the second access device respectively, so that the second access device configures the local sharing credential to the target device.
  • the first access device and the target device have the same local shared credential, and local access is realized.
  • the first access device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the second access device, so that the second access device configures the local shared credential to the target device. In this way, the first access device and the target device have the same local shared credential, and local access is realized.
  • the second access device sends the generated local sharing credential to the server, the server sends the received local sharing credential to the first access device, and the second access device configures the generated local shared credential to the target device. In this way, the first access device and the target device have the same local shared credential, and local access is realized.
  • the second access device configures the generated local sharing credential to the target device, the target device sends the local sharing credential to the server, and the server sends the received local sharing credential to the first access device.
  • the first access device and the target device have the same local shared credential, and local access is realized.
  • the transmission of the local sharing credential and the creation of the sharing record can be performed interactively, or the creation of the sharing record can be performed first and then the transmission of the local sharing credential can be performed.
  • the process of the server establishing a sharing record may be as shown in FIG. 4B, including:
  • Step S4011a: The first access device obtains the second device identifier of the second access device.
  • the first access device may obtain the second device identification of the second access device through out-of-band methods such as device discovery and identification scanning.
  • the scanned identification includes a two-dimensional code.
  • the embodiment of the present invention does not impose any limitation on the manner and way for the first access device to obtain the identification of the second device.
  • Step S4012a: The first access device sends the first device identification of the first access device and the second device identification to the server.
  • the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device.
  • step S4012a includes: the first access device sends the registration request to the server.
  • the first access device sends the first device identification and the second device identification to the server by sending a registration request to the server.
  • the target device identifier is not carried in the registration request.
  • the target device identifier is carried in the registration request.
  • the first access device may obtain the target device identification of the target device based on out-of-band methods such as device discovery and identification scanning.
  • the scanned identification includes a two-dimensional code.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: The first user identification, the second user identification of the second access device, and the sharing restriction condition.
  • after receiving the registration request sent by the first access device, the server creates a sharing record according to the information carried in the registration request and, as shown in FIG. 4B, executes step S4013a and step S4014a:
  • Step S4013a The server sends a first confirmation request to the second access device.
  • Step S4014a the server receives the first response of the second access device in response to the first confirmation request, and sets the sharing record to an active state.
  • before performing step S4013a, the sharing record established by the server is in an unavailable, inactive state.
  • after the server receives the first response from the second access device, it sets the established sharing record to an available, active state. At this time, the sharing record can be used to control the access of the first access device to the target device.
  • after receiving the first confirmation request sent by the server, the second access device confirms whether to approve sharing the access rights of the target device with the first access device, and when approved, returns the first response to the server.
  • the first confirmation request may carry the first device identification and the target device identification, and the second access device sets the same sharing record in the second access device. When the second access device establishes the same sharing record, it means that the second access device approves sharing the access rights of the target device to the first access device, and it responds to the server with the first response.
  • step S4015a-1 may be executed:
  • Step S4015a-1 the server sends a first sharing completion notification to the first access device.
  • the first sharing completion notification is used to instruct the first access device to locally set the sharing record on the first access device.
  • the first access device performs step S4015a-1 and step S4015a-2:
  • Step S4015a-1 the first access device receives the first sharing completion notification sent by the server.
  • Step S4015a-2 the first access device sets the sharing record based on the trigger of the first sharing completion notification.
  • the first sharing completion notification is used to notify the first access device that the server has shared the access permission of the target device to the first access device.
  • the first access device can establish the sharing record locally, in synchronization with the server.
  • the first sharing completion notification carries the sharing record.
  • the first sharing completion notification does not carry the sharing record.
  • step S4016a may be performed: the server sends a second sharing completion notification to the target device.
  • the second sharing completion notification is used to instruct the target device to set the sharing record locally on the target device.
  • the target device receives the second sharing completion notification sent by the server, and sets the sharing record based on the trigger of the second sharing completion notification.
  • the second sharing completion notification is used to notify the target device that the server has shared the access permission of the target device to the first access device.
  • the target device can establish the sharing record locally, in synchronization with the server.
  • the second sharing completion notification carries the sharing record.
  • the second sharing completion notification does not carry the sharing record.
  • the process for the server to establish a sharing record may be as shown in FIG. 4C, including:
  • Step S4011b the second access device obtains the first device identifier of the first access device.
  • the second access device may obtain the first device identification of the first access device through out-of-band methods such as device discovery and identification scanning.
  • the scanned identification includes a two-dimensional code.
  • the embodiment of the present invention does not impose any limitation on the manner and way for the second access device to obtain the identification of the first device.
  • Step S4012b the second access device sends the first device identifier and the second device identifier of the second access device to the server.
  • the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device.
  • step S4012b includes: the second access device sends the registration request to the server.
  • the second access device sends the first device identification and the second device identification to the server by sending a registration request to the server.
  • the target device identifier is not carried in the registration request.
  • the target device identifier is carried in the registration request.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: The first user identification, the second user identification of the second access device, and the sharing restriction condition.
  • after receiving the registration request sent by the second access device, the server creates a sharing record according to the information carried in the registration request and, as shown in FIG. 4C, executes step S4013b and step S4014b:
  • Step S4013b the server sends a second confirmation request and a third confirmation request to the first access device and the target device respectively.
  • step S4013b includes:
  • Step S4013b-1 the server sends a second confirmation request to the first access device.
  • Step S4013b-2 the server sends a third confirmation request to the target device.
  • Step S4014b the server receives the second response of the first access device in response to the second confirmation request, receives the third response of the target device in response to the third confirmation request, and sets the sharing record to an active state.
  • step S4014b includes:
  • Step S4014b-1 the server receives a second response of the first access device in response to the second confirmation request.
  • Step S4014b-2 the server receives a third response of the target device in response to the third confirmation request.
  • step S4014b-3 the server sets the sharing record to an active state.
  • before performing step S4013b, the sharing record established by the server is in an unavailable, inactive state. After the server receives the second response from the first access device and the third response from the target device, it sets the created sharing record to an available, active state. At this time, the sharing record can be used to control the access of the first access device to the target device.
  • after receiving the second confirmation request sent by the server, the first access device confirms whether to approve sharing the access rights of the target device with the first access device, and when approved, returns a second response to the server.
  • the second confirmation request may carry the second device identification and the target device identification, and after receiving the second device identification and the target device identification carried in the second confirmation request, the first access device sets the same sharing record in the first access device. When the first access device establishes the same sharing record, it means that the first access device approves sharing the access rights of the target device to the first access device, and it responds to the server with a second response.
  • after receiving the third confirmation request sent by the server, the target device confirms whether to approve sharing the access permission of the target device with the first access device, and when approved, returns a third response to the server.
  • the third confirmation request may carry the first device identification and the second device identification, and after receiving the first device identification and the second device identification carried in the third confirmation request, the target device sets the same sharing record in the target device. When the target device establishes the same sharing record, it indicates that the target device approves sharing the access permission of the target device to the first access device, and it responds to the server with a third response.
  • step S4015b-1 may be executed:
  • step S4015b-1 the server sends a third sharing completion notification to the second access device.
  • the third sharing completion notification is used to instruct the second access device to locally set the sharing record on the second access device.
  • the second access device performs step S4015b-1 and step S4015b-2:
  • Step S4015b-1 the second access device receives the third sharing completion notification sent by the server.
  • step S4015b-2 the second access device sets the sharing record based on the trigger of the third sharing completion notification.
  • the third sharing completion notification is used to notify the second access device that the server has shared the access permission of the target device to the first access device.
  • the second access device can establish the sharing record locally, in synchronization with the server.
  • the third sharing completion notification carries the sharing record.
  • the third sharing completion notification does not carry the sharing record.
  • in the case that the local sharing credential is generated by the server, step S402 can complete the transmission between the first access device and the second access device through the information interaction in FIG. 4B or FIG. 4C.
  • in step S402, the server performing the transmission of the local sharing credential between the first access device and the second access device includes: the server sends the local sharing credential to the second access device through the first confirmation request carrying the local sharing credential; the server sends the local sharing credential to the first access device through the first sharing completion notification carrying the local sharing credential.
  • the first confirmation request in step S4013a and the first sharing completion notification in step S4015a-1 shown in FIG. 4B respectively carry the local sharing credentials sent to the second access device and the first access device.
  • the transmission of the local sharing credential between the first access device and the server includes: the first access device receives the local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, and the local sharing credential is generated by the server.
  • the second access device receives the local sharing credential sent by the server through the first confirmation request.
  • in step S402, the server performing the transmission of the local sharing credential between the first access device and the second access device includes: the server sends the local sharing credential to the first access device through a second confirmation request carrying the local sharing credential; the server sends the local sharing credential to the second access device through a third sharing completion notification carrying the local sharing credential.
  • the second confirmation request in step S4013b-1 and the third sharing completion notification in step S4015b-1 shown in FIG. 4C respectively carry the local sharing credentials sent to the first access device and the second access device.
  • the transmission of the local sharing credential between the second access device and the server includes: the second access device receives the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, and the local sharing credential is generated by the server. The first access device receives the local sharing credential sent by the server through the second confirmation request.
  • the transmission of the local sharing credential between the first access device and the server includes: the first access device generates the local sharing credential; the first access device sends the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
  • the server performing the transmission of the local shared credential between the first access device and the second access device includes: the server receives the local shared credential sent by the first access device; the server sends the local sharing credential to the second access device.
  • the transmission of the local shared credential between the second access device and the server includes: the second access device receives the local shared credential generated by the first access device and sent by the server.
  • the transmission of the local sharing credential between the second access device and the server includes: the second access device generates the local sharing credential; the second access device configures the local sharing credential to the target server, so that the server sends the local sharing credential to the first access device.
  • the second access device directly sends the local sharing credential to the server.
  • the second access device configures the local sharing credential to the target device, and the target device sends it to the server.
  • in the case that the second access device configures the local shared credential to the target device and the target device sends it to the server, the server performing the transmission of the local shared credential between the first access device and the second access device includes: the server receives the local shared credential sent by the target device; and the server sends the local shared credential to the first access device.
  • the transmission of the local shared credential between the first access device and the server includes: the first access device receives the local shared credential generated by the second access device and sent by the server.
  • the local sharing credential received by the server is sent by the first access device
  • the local sharing credential is generated by the first access device; or on the server
  • the local sharing credential is generated by the second access device.
  • the first access device configures an access policy for the first access device to access the target device according to the local shared credential.
  • the second access device configures an access policy for the second access device to access the target device according to the local shared credential.
  • the first access device generates an access request based on the target device identifier and sends the access request to the server, and the server forwards the access request to the target device. At this time, the server receives an access request sent by the first access device to access the target device; if the sharing record exists, the server forwards the access request to the target device.
  • the first access device can initiate an access request to access the target device based on the target device identifier and send the access request to the server; if the server determines, based on the sharing record, that the target device's access permission is shared to the first access device, the access request is sent to the target device.
  • the first access device may establish a local connection with the target device based on the local shared credential to access the target device.
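The sharing-record lifecycle of FIG. 4B and FIG. 4C and the server's forwarding check described above can be modelled as follows. This is an added example, not code from the patent: the class, method and field names (other than `shareenabled`), the in-memory store and the sample identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Tuple


@dataclass
class ShareRecord:
    first_id: str                  # first access device: receives the shared permission
    second_id: str                 # second access device: associated with the target
    target_id: str
    restriction: str = "Always"    # "Always" or "Only One Time"
    window: Optional[Tuple[time, time]] = None   # optional time restriction
    shareenabled: bool = False     # inactive until every confirmation arrives
    pending: set = field(default_factory=set)


class SharingServer:
    """In-memory model of the server's sharing records (assumed structure)."""

    def __init__(self, associations):
        self.associations = dict(associations)   # target id -> associated access device id
        self.records = {}                        # (first_id, target_id) -> ShareRecord

    def register(self, sender_id, first_id, second_id, target_id,
                 restriction="Always", window=None):
        """Create an inactive record; return the parties that must confirm."""
        if sender_id not in (first_id, second_id):
            raise PermissionError("registration must come from one of the two access devices")
        if self.associations.get(target_id) != second_id:
            raise PermissionError("target is not associated with the second access device")
        # FIG. 4B: the first device registers, the second device confirms.
        # FIG. 4C: the second device registers, the first device and the target confirm.
        pending = {second_id} if sender_id == first_id else {first_id, target_id}
        self.records[(first_id, target_id)] = ShareRecord(
            first_id, second_id, target_id, restriction, window, pending=set(pending))
        return pending

    def confirm(self, responder_id, first_id, target_id):
        """Record one confirmation response; return True once the record is active."""
        rec = self.records.get((first_id, target_id))
        if rec is None:
            return False
        rec.pending.discard(responder_id)   # responses from other parties change nothing
        if not rec.pending:
            rec.shareenabled = True
        return rec.shareenabled

    def forward_access(self, requester_id, target_id, now):
        """Decide whether an access request is forwarded to the target device."""
        rec = self.records.get((requester_id, target_id))
        if rec is None or not rec.shareenabled:
            return False                    # no record, or record not yet activated
        if rec.window and not (rec.window[0] <= now <= rec.window[1]):
            return False                    # outside the time restriction
        if rec.restriction == "Only One Time":
            del self.records[(requester_id, target_id)]   # consumed by this request
        return True


if __name__ == "__main__":
    # Constructed identifiers: OBT B asks for access to Device A, owned by OBT A.
    srv = SharingServer({"device-a": "obt-a"})
    print("must confirm:", srv.register("obt-b", "obt-b", "obt-a", "device-a"))
    print("before approval:", srv.forward_access("obt-b", "device-a", time(9, 0)))
    srv.confirm("obt-a", "obt-b", "device-a")
    print("after approval:", srv.forward_access("obt-b", "device-a", time(9, 0)))
```

The model covers only shared access by the first access device; access by devices under the target's own user ID is outside it.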
  • the target device is Device A
  • OBT A is the client that has an association relationship with Device A, that is, the second access device; Device A and OBT A have the same User ID: User ID A
  • OBT B is a client that does not have an association relationship with Device A, that is, the first access device; OBT B has User ID: User ID B.
  • Example 1 OBTA is used as the initiator of device sharing registration and the generator of local sharing credentials.
  • Step S501 OBTA obtains the device information of OBTB.
  • the device information of the OBTB may include: device identification and/or user identification.
  • Step S501 can be performed in an out-of-band manner, for example, OBTA scans the two-dimensional code generated by OBTB.
  • the embodiment of the present invention does not impose any limitation on the way and method for the OBTA to obtain the device information of the OBTB.
  • Step S502 The OBTA initiates a registration request to the cloud.
  • the information that OBT A sends to the cloud through the registration request includes: User ID A (optional), Device ID of OBT A, Device ID of Device A, User ID B (optional), Device ID of OBT B, etc.
  • the registration request can also carry sharing restrictions: Only One Time, Always, etc. Sharing restrictions can also be time restrictions, such as from 8:00-10:00, and more complex restrictions.
  • the cloud platform generates a sharing record based on the information sent by the registration request. It should be noted that the sharing record is not yet available at this time, because it has not been activated.
  • a device share (deviceshare) resource can be set, and the deviceshare resource can be saved in the cloud and the device side at the same time, and its purpose is to save the sharing record.
  • the sharing records saved in the cloud can be accessed by the associated User ID (for example: User ID A or User ID B).
  • when the cloud platform receives an access request, it will check the deviceshare resource. If the access target specified in the message is a device that has a sharing relationship based on the sharing record, the cloud platform should forward the access request.
  • the content of the sharing record can be as shown in Table 1.
  • Step S503-Step S504 the cloud confirms the approval of Device A and OBT B.
  • Step S503 includes: step S503-1 and step S503-2.
  • step S503-1 the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
  • Step S503-2 Device A sends a sharing confirmation to the cloud.
  • when Device A approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the third response.
  • step S504-1 the cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
  • the way of confirmation is to add the same content as step S502 to the deviceshare resource saved on OBT B.
  • step S504-2 OBT B sends a sharing confirmation to the cloud.
  • when OBT B approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the third response.
  • the way of confirmation is to add the same content as step S502 to the deviceshare resource saved on Device A.
  • step S505 the cloud changes the sharing attribute of the saved sharing record to true.
  • after the cloud platform has obtained the approval of Device A and OBT B, it changes the shareenabled attribute of the saved sharing record to true to activate the sharing record.
  • the cloud sends a request to Device A and OBT B to modify the shareenabled attribute of the sharing records saved on Device A and OBT B to true.
  • step S506 the cloud sends a sharing completion notification to the OBTA.
  • OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
  • step S505 the cloud platform can update the aforementioned sharing record to the deviceshare resource stored on OBT A, that is to say, the same sharing record is stored on all the aforementioned devices.
  • step S507 the OBTA generates a local sharing certificate.
  • after receiving the notification of completion of sharing from the cloud platform, OBT A initiates a local sharing process and generates a local sharing credential. Two devices that hold the local shared credential can be connected.
  • Local shared credentials may include various forms of credentials such as pin codes, shared keys, certificates, etc.
  • Step S508 OBT A configures Device A's access policy.
  • OBT A uses the local shared credential generated in step S506 to configure the access policy of Device A.
  • the shared key is saved as an access policy of Device A, and the credential is used to confirm both parties when the connection is subsequently established.
  • step S508 includes: step S508-1 and step S508-2.
  • step S508-1 OBT A configures the generated local shared credential to Device A.
  • Step S508-2 Device A sends a configuration complete message to OBT A.
  • step S509 OBT A shares the local sharing certificate to OBTB through the cloud.
  • after OBT A completes the configuration of Device A's access policy, it can share the local shared credentials to OBT B through the cloud platform.
  • step S509 includes: step S509-1, step S509-2, step S509-3, step S509-4, and step S509-5.
  • step S509-1 Device A notifies the cloud to update Device A's local sharing certificate.
  • step S509-2 the cloud notifies OBTB to update Device A's local sharing certificate.
  • Step S509-3 OBTB completes self-configuration according to Device A's local shared credentials.
  • step S509-4 the OBTB sends a self-configuration complete message to the cloud.
  • Step S509-5 the cloud forwards the self-configuration complete message sent by OBTB to Device A.
  • both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
  • Example 2 OBT B is used as the initiator of the registration of device sharing and the generator of the local sharing credential.
  • Step S601 OBT B obtains device information of OBT A.
  • the device information of OBT A may include: device identification and/or user identification.
  • Step S601 may be performed in an out-of-band manner, for example, OBT B scans the two-dimensional code generated by OBT A.
  • the embodiment of the present invention does not impose any limitation on the way and method for the OBT B to obtain the device information of the OBT A.
  • Step S602 OBTB initiates a registration request to the cloud.
  • the information that OBT B sends to the cloud platform through the registration request includes: User ID A (optional), Device ID of OBT A, Device ID of Device A, User ID B (optional), Device ID of OBT B, etc.
  • the registration request can also carry sharing restrictions: Only One Time, Always, etc. Sharing restrictions can also be time restrictions, such as from 8:00-10:00, and more complex restrictions.
  • the cloud platform generates a sharing record based on the information sent by the registration request, and the sharing limit in the sharing record can be modified by OBT. It should be noted that at this time, the sharing record is not available if it has not been activated.
  • a device share (deviceshare) resource can be set, and the deviceshare resource can be saved in the cloud and the device side at the same time, and its purpose is to save the sharing record.
  • the sharing records saved in the cloud can be accessed by the associated User ID (for example: User ID A or User ID B).
  • when the cloud platform receives an access request, it will check the deviceshare resource. If the access target specified in the message is a device that has a sharing relationship based on the sharing record, the cloud platform should forward the access request.
  • step S603 the cloud confirms the approval of OBT A.
  • Step S603 includes: step S603-1 and step S603-2.
  • step S603-1 the cloud sends a confirmation request to OBT A to confirm whether the above registration request is approved by OBT A.
  • Step S603-2 OBT A sends a sharing confirmation to the cloud.
  • when OBT A approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the first response.
  • step S604 the sharing attribute of the sharing record saved in the cloud is changed to true.
  • Step S605 The cloud sends a sharing notification to Device A.
  • the cloud platform sends a sharing notification to Device A, and Device A saves the sharing record on it and changes the shareenabled attribute to true.
  • step S606 the cloud sends a sharing completion notification to OBT B.
  • the cloud platform sends a sharing completion notification for the registration request in step S602 to the OBTB.
  • after OBT B receives the notification of completion of sharing, it can also modify the shareenabled attribute of the corresponding sharing record it saved to true.
  • OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
  • step S607 OBT B generates a local sharing certificate.
  • after receiving the notification of completion of sharing from the cloud platform, OBT B initiates a local sharing process and generates a local sharing credential. Two devices that hold the local shared credential can be connected.
  • Local shared credentials may include various forms of credentials such as pin codes, shared keys, certificates, etc.
  • Step S608 OBT B completes self-configuration according to Device A's local shared credential.
  • step S609 OBT B notifies the cloud to update Device A's local sharing certificate.
  • step S610 the cloud notifies OBT A to update Device A's local sharing certificate.
  • Step S611 OBT A configures Device A's access policy.
  • OBT A uses the local shared credential received in step S610 to configure the access policy of Device A.
  • step S611 includes: step S611-1 and step S611-2.
  • step S611-1 OBT A configures the received local shared credential to Device A.
  • step S611-2 Device A sends a configuration complete message to OBT A.
  • Step S612 OBT A sends a self-configuration complete message to the cloud.
  • step S613 the cloud forwards the self-configuration completion message sent by OBT A to OBT B.
  • both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
  • Example 3 the cloud is the generator of the local shared credential.
  • Step S701 OBTA obtains the device information of OBTB.
  • Step S702 OBTA initiates a registration request to the cloud.
  • Step S703-Step S704 the cloud confirms the approval of Device A and OBT B.
  • Step S703 includes: step S703-1 and step S703-2.
  • step S703-1 the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
  • Step S703-2 Device A sends a sharing confirmation to the cloud.
  • Step S704-1 The cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
  • the cloud platform may carry the local sharing certificate in the confirmation request sent to the OBTB.
  • step S704-2 OBT B sends a sharing confirmation to the cloud.
  • step S705 the sharing attribute of the sharing record saved in the cloud is changed to true.
  • step S706 the cloud sends a sharing completion notification to the OBTA.
  • after OBT A receives the above request, it can also modify the shareenabled attribute of the corresponding sharing record it saves to true. At the same time, the sharing completion notification sent by the cloud platform to OBT A carries the local sharing credentials.
  • OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
  • Step S707 OBT B completes self-configuration according to the received local sharing credential.
  • step S708-1 OBT A configures the received local shared credential to Device A.
  • Step S708-2 Device A sends a configuration complete message to OBT A.
  • both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
  • Example 1 and Example 2 can be cross-combined.
  • the OBTA identifier can be carried in the registration request, and the identifier of Device A does not need to be carried, which means that all devices associated with the OBTA can be shared with OBTB.
  • it can also be extended to share multiple devices at once.
  • an embodiment of the present invention further provides a server 800, which serves as the server 304 in FIG. 3. The composition structure of the server 800 is shown in FIG. 8, and the server 800 includes:
  • the establishing unit 801 is configured to establish a sharing record between the first device identifier of the first access device, the second device identifier of the second access device, and the target device identifier of the target device associated with the second access device, where the sharing record is used to share the access permission of the target device to the first access device;
  • the credential transmission unit 802 is configured to transmit a local shared credential between the first access device and the second access device, and the local shared credential is used to establish a local connection between the first access device and the target device.
  • the server 800 further includes:
  • the receiving unit is configured to receive a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
  • the registration request also carries: the target device identifier.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions;
  • the sharing record also includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
  • the server 800 further includes:
  • the first confirmation unit is configured to:
  • when the registration request is sent by the first access device, send a first confirmation request to the second access device;
  • when the first response of the second access device in response to the first confirmation request is received, set the sharing record to an active state.
  • the server 800 further includes: a first notification unit configured to send a first sharing completion notification to the first access device, where the first sharing completion notification is used to instruct the first access device to locally set the sharing record on the first access device.
  • the server 800 further includes:
  • the second notification unit is configured to send a second sharing completion notification to the target device, where the second sharing completion notification is used to instruct the target device to locally set the sharing record on the target device.
  • the server 800 further includes: a second confirmation unit configured to:
  • when the registration request is sent by the second access device, send a second confirmation request and a third confirmation request to the first access device and the target device respectively;
  • when the second response of the first access device in response to the second confirmation request is received, and the third response of the target device in response to the third confirmation request is received, set the sharing record to an active state.
  • the server 800 further includes:
  • the server sends a third sharing completion notification to the second access device, where the third sharing completion notification is used to instruct the second access device to locally set the sharing record on the second access device.
  • the credential transmission unit 802 is further configured to:
  • send the local sharing credential to the first access device through the first sharing completion notification carrying the local sharing credential.
  • the credential transmission unit 802 is further configured to: when the server generates the local shared credential,
  • send the local sharing credential to the second access device through a third sharing completion notification carrying the local sharing credential.
  • the credential transmission unit 802 is further configured to:
  • the local sharing credential is generated by the first access device
  • the local sharing credential is generated by the second access device.
  • the server 800 further includes:
  • the first access unit is configured as:
  • An embodiment of the present invention also provides a server, including a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the server.
  • the embodiment of the present invention also provides an access device 900, as the first access device 301 in FIG. 3, a schematic diagram of the composition structure of the access device 900, as shown in FIG. 9, includes:
  • the first obtaining unit 901 is configured to obtain the second device identifier of the second access device;
  • the first sending unit 902 is configured to send the first device identifier of the first access device and the second device identifier to the server, where the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
  • the first transmission unit 903 is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • the access device 900 further includes:
  • a first generating unit configured to generate a registration request according to the first device identifier and the second device identifier
  • the first sending unit is configured to send the registration request to the server.
  • the registration request also carries: the target device identifier.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions;
  • the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
  • the access device 900 further includes: a first setting unit configured to:
  • the sharing record is set.
  • the first transmission unit 903 is further configured to receive a local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
  • the first transmission unit 903 is further configured to:
  • the first transmission unit 903 is further configured to receive the local sharing credential generated by the second access device and sent by the server.
  • the access device 900 further includes:
  • the second access unit is configured to generate an access request based on the target device identifier and send the access request to a server; if the sharing record exists, the server forwards the access request to the target device.
  • the access device 900 further includes:
  • the first configuration unit is configured to configure an access policy for the access device to access the target device according to the local shared credential.
  • An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein, when the processor runs the computer program, the steps of the access control method performed by the access device 900 are executed.
  • the embodiment of the present invention also provides an access device 1000, as the second access device 302 in FIG. 3, a schematic diagram of the composition structure of the access device 1000, as shown in FIG. 10, includes:
  • the second obtaining unit 1001 is configured to obtain the first device identifier of the first access device;
  • the second sending unit 1002 is configured to send the first device identifier and the second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
  • the second transmission unit 1003 is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
  • the access device 1000 further includes:
  • a second generating unit configured to generate a registration request according to the first device identifier and the second device identifier
  • the second sending unit is configured to send the registration request to the server.
  • the registration request also carries: the target device identifier.
  • the registration request also carries one of the following information:
  • the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions;
  • the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
  • the access device 1000 further includes: a second setting unit configured to:
  • the sharing record is set.
  • the second transmission unit 1003 is further configured to receive the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
  • the second transmission unit 1003 is further configured to:
  • the second transmission unit 1003 is further configured to receive the local sharing credential generated by the first access device and sent by the server.
  • the access device 1000 further includes:
  • the second configuration unit is configured to configure an access policy for the second access device to access the target device according to the local shared credential.
  • An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, wherein, when the processor runs the computer program, the steps of the access control method performed by the access device 1000 are executed.
  • the electronic device 1100 includes: at least one processor 1101, a memory 1102, and at least one network interface 1104.
  • the various components in the electronic device 1100 are coupled together through the bus system 1105.
  • the bus system 1105 is used to implement connection and communication between these components.
  • the bus system 1105 also includes a power bus, a control bus, and a status signal bus.
  • various buses are marked as the bus system 1105 in FIG. 11.
  • the memory 1102 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory.
  • non-volatile memory can be ROM, programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferromagnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); magnetic surface memory can be disk storage or tape storage.
  • the volatile memory may be a random access memory (RAM), which is used as an external cache.
  • forms of RAM include static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous connection dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM).
  • the memory 1102 described in the embodiment of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
  • the memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 1100. Examples of such data include: any computer program used to operate on the electronic device 1100, such as an application program 11021.
  • the program for implementing the method of the embodiment of the present invention may be included in the application program 11021.
  • the method disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101.
  • the processor 1101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method can be completed by an integrated logic circuit of hardware in the processor 1101 or instructions in the form of software.
  • the aforementioned processor 1101 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like.
  • the processor 1101 may implement or execute various methods, steps, and logical block diagrams disclosed in the embodiments of the present invention.
  • the general-purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the memory 1102.
  • the processor 1101 reads the information in the memory 1102, and completes the steps of the foregoing method in combination with its hardware.
  • the electronic device 1100 may be implemented by one or more application specific integrated circuits (ASIC), digital signal processors (DSP), programmable logic devices (PLD), complex programmable logic devices (CPLD), FPGAs, general-purpose processors, controllers, MCUs, MPUs, or other electronic components, to execute the foregoing method.
  • the embodiment of the present invention also provides a storage medium for storing computer programs.
  • the storage medium may be applied to the server in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
  • the storage medium can be applied to the access device in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thereby provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
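
The confirmation and forwarding behaviour described above for the server 800 (first and second confirmation units, active state, forwarding an access request only when a sharing record exists) can be modelled as a small state machine. This is an added example, not code from the patent: the class and method names, the device identifiers, the association table, and the choice to treat only active records as existing are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SharingRecord:
    first_id: str    # first access device: receives the shared permission
    second_id: str   # second access device: the target is associated with it
    target_id: str   # target device whose access permission is shared
    pending: set = field(default_factory=set)  # parties that still must confirm
    active: bool = False


class SharingServer:
    """Hypothetical model of the server-side sharing record handling."""

    def __init__(self, associations):
        # Assumed lookup table: target device id -> associated access device id.
        self.associations = dict(associations)
        self.records = []

    def register(self, sender, first_id, second_id, target_id):
        """Handle a registration request; the new record starts inactive."""
        if sender not in (first_id, second_id):
            raise PermissionError("sender is not a party to the share")
        if self.associations.get(target_id) != second_id:
            raise PermissionError("target is not associated with second device")
        if sender == first_id:
            pending = {second_id}            # first confirmation request
        else:
            pending = {first_id, target_id}  # second and third confirmation requests
        record = SharingRecord(first_id, second_id, target_id, pending)
        self.records.append(record)
        return record

    def confirm(self, record, responder):
        """Record one confirmation response; activate when none are outstanding."""
        if responder not in record.pending:
            raise PermissionError("no confirmation outstanding for this responder")
        record.pending.discard(responder)
        record.active = not record.pending
        return record.active

    def forward_access(self, requester, target_id):
        """True if an access request from requester would reach the target."""
        return any(r.active and r.first_id == requester and r.target_id == target_id
                   for r in self.records)


def demo():
    # Constructed identifiers: OBT-A is associated with "lamp", OBT-B asks for access.
    server = SharingServer({"lamp": "OBT-A"})
    record = server.register("OBT-B", "OBT-B", "OBT-A", "lamp")
    before = server.forward_access("OBT-B", "lamp")   # record not yet active
    server.confirm(record, "OBT-A")                   # first response arrives
    after = server.forward_access("OBT-B", "lamp")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The model makes the security-relevant property explicit: a registration request alone grants nothing, and the party that did not initiate the share must respond before any access request is forwarded.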

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an access control method, comprising the following steps: a server (304) establishes a sharing record among a first device identifier of a first access device (301), a second device identifier of a second access device (302) and a target device identifier of a target device (303) associated with the second access device (302), the sharing record being used to share the access permission for the target device (303) with the first access device (301) (S401); and the server (304) transmits local sharing information between the first access device (301) and the second access device (302), the local sharing information being used for the first access device (301) to establish a local connection with the target device (303) (S402).
PCT/CN2019/103862 2019-08-30 2019-08-30 Access control method, server, access device and storage medium WO2021035740A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980095168.6A CN113678127B (zh) 2019-08-30 2019-08-30 Access control method, server, access device and storage medium
PCT/CN2019/103862 WO2021035740A1 (fr) 2019-08-30 2019-08-30 Access control method, server, access device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/103862 WO2021035740A1 (fr) 2019-08-30 2019-08-30 Access control method, server, access device and storage medium

Publications (1)

Publication Number Publication Date
WO2021035740A1 true WO2021035740A1 (fr) 2021-03-04

Family

ID=74684447

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/103862 WO2021035740A1 (fr) 2019-08-30 2019-08-30 Access control method, server, access device and storage medium

Country Status (2)

Country Link
CN (1) CN113678127B (fr)
WO (1) WO2021035740A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023240587A1 (fr) * 2022-06-17 2023-12-21 Oppo广东移动通信有限公司 Device permission configuration method and apparatus, and terminal device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187377A (zh) * 2015-06-25 2015-12-23 联想(北京)有限公司 Data processing method and apparatus, and data access method and apparatus
CN106468886A (zh) * 2016-09-30 2017-03-01 海尔优家智能科技(北京)有限公司 Method and apparatus for third-party control of a device
US20170366558A1 (en) * 2015-03-07 2017-12-21 Huawei Technologies Co., Ltd. Verification method, apparatus, and system used for network application access
CN108595941A (zh) * 2018-03-30 2018-09-28 联想(北京)有限公司 Data processing method, system and electronic device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012095854A1 (fr) * 2011-01-13 2012-07-19 Infosys Technologies Limited System and method for accessing integrated applications in a single sign-on enabled enterprise solution


Also Published As

Publication number Publication date
CN113678127B (zh) 2024-05-31
CN113678127A (zh) 2021-11-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19943544

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19943544

Country of ref document: EP

Kind code of ref document: A1