WO2021147442A1 - Access control method and apparatus, terminal device, and storage medium - Google Patents

Info

Publication number: WO2021147442A1
Authority: WO, WIPO (PCT)
Prior art keywords: token, party, access, target, access control
Application number: PCT/CN2020/125522
Other languages: French (fr), Chinese (zh)
Inventor: 周冲
Original Assignee: 华为技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • This application belongs to the field of computer technology, and in particular relates to an access control method, device, terminal device, and storage medium.
  • Android applications generally define a User Identification (UID) and a permission list in the Manifest file, and the corresponding permissions are granted when the application is installed or when resources are used.
  • When an application subject accesses an object resource, the system usually looks up the corresponding permission in the permission list by the UID of the application subject and, on that basis, decides whether to allow the application subject to access the object resource, thereby achieving access control.
  • the embodiments of the present application provide an access control method, device, terminal device, and storage medium, which can improve the security of access control.
  • an access control method including:
  • when request information sent by an accessing party to access an accessed party is received, it is determined whether the request information carries a target token, the target token being a token that was searched from a pre-built token resource pool and allocated to the accessing party when it was determined that the accessing party has the authority to access the accessed party;
  • if the request information carries the target token, the legality of the target token is verified, and after the verification passes, the accessing party is allowed to access the accessed party.
  • before the accessing party accesses the accessed party, the corresponding token is allocated to it according to its authority; when it later accesses the accessed party, only the validity of the token it carries needs to be verified, which achieves token-based access control. With this arrangement, even if the application subject (accessing party) tampers with the corresponding authority information when accessing the object resource (accessed party), it still needs a legitimate token to access the object resource, which effectively reduces illegal access by applications to services or resources and improves the security of access control.
  • if the request information does not carry the target token, the method may further include:
  • searching the token resource pool for the target token and allocating the found target token to the accessing party.
  • if the request information does not carry the target token, this may be because the accessing party is accessing the accessed party for the first time and has not yet applied for the target token.
  • in that case, the target token can be searched from the token resource pool and the found target token allocated to the accessing party.
  • according to the set access control authority policy, if the accessing party has access authority, the corresponding target token can be found in the token resource pool; if the accessing party does not have access authority, no corresponding target token will be found in the pool.
  • before the legality verification of the target token, the method may further include:
  • the target token can be generated in the following manner and added to the token resource pool:
  • the access control authority policy and the flow control policy of the accessed party are obtained.
  • the access control authority policy is used to limit the access authority of the accessed party, and the flow control policy is used to limit the data flow when the accessed party is accessed;
  • the target token is generated according to the access control authority policy and the flow control policy, wherein the type of the generated target token is determined according to the access control authority policy, and the number of generated target tokens is determined according to the flow control policy.
  • the token is usually generated by the accessed party.
  • when the terminal system detects that the accessed party (such as an object service resource) has been started, it can obtain the access control authority policy and the flow control policy of the accessed party, where the access control authority policy is used to limit the access authority of the accessed party and the flow control policy is used to limit the data flow when the accessed party is accessed; the target token is then generated according to the access control authority policy and the flow control policy.
  • after the target token is generated, the method may further include:
  • deleting the target tokens that have been generated in the token resource pool.
  • deleting each generated target token from the token resource pool prevents accessing parties from continuing to apply for tokens for the accessed party, and so avoids the invalid operations that such access would cause.
  • the target token can be generated in the following manner and added to the token resource pool:
  • the access control authority policy and the flow control policy of the accessed party are acquired.
  • the access control authority policy is used to limit the accessing party's authority to access the accessed party.
  • the flow control policy is used to limit the data flow when the accessed party is accessed;
  • the target token is generated according to the access control authority policy and the flow control policy, wherein the type of the generated target token is determined according to the access control authority policy, and the number of generated target tokens is determined according to the flow control policy.
  • although the token is usually generated by the accessed party, some tokens also restrict the accessing party, and that part of the tokens can be generated by the accessing party.
  • when the terminal system detects that an accessing party (such as an application) has been started, it determines, according to the accessing party's authority, which accessed parties it may access, and can then trigger each of those accessed parties to generate the corresponding tokens.
  • after the target token is generated, the method may further include:
  • deleting the target tokens that have been generated in the token resource pool.
  • the target token can be obtained from the token resource pool in the following manner:
  • each accessing party or accessed party can have its own unique identification, such as an ID or a name.
  • this information can be included in the token to establish the correspondence between the token and the accessing party and the accessed party. Therefore, a token whose token information contains both the unique identification of the accessing party and the unique identification of the accessed party can be searched from the token resource pool as the corresponding target token.
  • the target token can be obtained from the token resource pool in the following manner:
  • token index information is constructed, which records the accessing party information and the accessed party information corresponding to each token in the token resource pool;
  • a token corresponding to the accessing party information of the accessing party and the accessed party information of the accessed party is searched from the token resource pool as the target token.
  • the token itself may not contain the corresponding accessing party information and accessed party information.
  • in that case, the correspondence between each token and its accessing party and accessed party can be recorded by constructing the token index information.
  • a token corresponding to the accessing party information of the accessing party and the accessed party information of the accessed party can then be searched from the token resource pool as the corresponding target token.
  • a token resource library can be constructed to store the token index information, but it consumes a lot of system resources.
  • the verification of the legality of the target token may include, but is not limited to:
  • an access control device including:
  • an access request receiving module, configured to determine, when request information sent by the accessing party to access the accessed party is received, whether the request information carries a target token, the target token being a token that was searched from a pre-built token resource pool and allocated to the accessing party when it was determined that the accessing party has the authority to access the accessed party;
  • a token verification module, configured to verify the legality of the target token if the request information carries the target token;
  • an access permission module, configured to allow the accessing party to access the accessed party after the legality verification is passed.
  • an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and running on the processor.
  • when the processor executes the computer program, the access control method proposed in the first aspect of the embodiments of the present application is implemented.
  • an embodiment of the present application provides a computer-readable storage medium that stores a computer program; when the computer program is executed by a processor, the access control method proposed in the first aspect of the embodiments of the present application is implemented.
  • the embodiments of the present application provide a computer program product, which when the computer program product runs on a terminal device, causes the terminal device to execute the access control method described in any one of the above-mentioned first aspects.
  • the embodiments of the present application have the beneficial effects that the security of access control can be improved, and they have better practicability and ease of use.
  • FIG. 1 is a schematic diagram of the hardware structure of a mobile phone to which the access control method provided by an embodiment of the present application is applicable;
  • FIG. 2 is a flowchart of an access control method provided by an embodiment of the present application.
  • FIG. 3 is a flowchart of another access control method provided by an embodiment of the present application.
  • FIG. 4 is a flowchart of another access control method provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of an access control method provided by an embodiment of the present application in an actual application scenario;
  • FIG. 6 is a schematic diagram of a method of generating tokens in the token resource pool shown in FIG. 5;
  • FIG. 7 is a schematic diagram of verifying the legitimacy of the token in the process of the APP carrying the token to access the service/resource as shown in FIG. 5;
  • FIG. 8 is a schematic diagram of access control for the APP shown in FIG. 5 to access services/resources for the first time;
  • FIG. 9 is a schematic diagram of access control for the APP shown in FIG. 5 to access services/resources again;
  • FIG. 10 is a structural diagram of an access control device provided by an embodiment of the present application.
  • FIG. 11 is a schematic diagram of a terminal device provided by an embodiment of the present application.
  • the access control method provided by the embodiments of this application can be applied to terminal devices or servers such as mobile phones, tablet computers, wearable devices, vehicle-mounted devices, augmented reality (AR)/virtual reality (VR) devices, notebook computers, ultra-mobile personal computers (UMPC), netbooks, and personal digital assistants (PDA).
  • the terminal device may be a station (STATION, ST) in a WLAN, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a car networking terminal, a computer, a laptop computer, a handheld communication device, a handheld computing device, a satellite wireless device, a wireless modem card, a TV set-top box (STB), customer premise equipment (CPE), and/or other equipment used to communicate over a wireless system, as well as a next-generation communication device, for example a mobile terminal in a 5G network or a mobile terminal in a future evolved public land mobile network (PLMN).
  • wearable devices are also a general term for everyday wearables designed intelligently by applying wearable technology, such as glasses, gloves, watches, clothing, and shoes.
  • a wearable device is a portable device that is directly worn on the body or integrated into the user's clothes or accessories.
  • Wearable devices are not only a kind of hardware device, but also realize powerful functions through software support, data interaction, and cloud interaction.
  • wearable smart devices include full-featured, large-sized devices that can implement complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, and devices that focus only on a certain type of application function and need to be used in conjunction with other devices such as smartphones, such as the various smart bracelets and smart jewelry for physical sign monitoring.
  • Fig. 1 shows a block diagram of a part of the structure of a mobile phone provided in an embodiment of the present application.
  • the mobile phone includes a radio frequency (RF) circuit 110, a memory 120, an input unit 130, a display unit 140, a sensor 150, an audio circuit 160, a wireless fidelity (WiFi) module 170, a processor 180, a power supply 190, and other components.
  • the structure of the mobile phone shown in FIG. 1 does not constitute a limitation on the mobile phone, and may include more or fewer components than those shown in the figure, or a combination of some components, or different component arrangements.
  • the RF circuit 110 can be used for receiving and sending signals while information is sent and received or a call is in progress. In particular, after downlink information from the base station is received, it is passed to the processor 180 for processing; in addition, uplink data is sent to the base station.
  • the RF circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like.
  • the RF circuit 110 can also communicate with the network and other devices through wireless communication.
  • the above-mentioned wireless communication can use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
  • the memory 120 may be used to store software programs and modules.
  • the processor 180 executes various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 120.
  • the memory 120 may mainly include a storage program area and a storage data area.
  • the storage program area may store an operating system, an application program required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may store data created by the use of the mobile phone (such as audio data, a phone book, etc.).
  • the memory 120 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage devices.
  • the input unit 130 may be used to receive inputted numeric or character information, and generate key signal input related to user settings and function control of the mobile phone 100.
  • the input unit 130 may include a touch panel 131 and other input devices 132.
  • the touch panel 131, also known as a touch screen, can collect the user's touch operations on or near it (for example, operations performed by the user with a finger, a stylus, or any other suitable object or accessory on or near the touch panel 131) and drive the corresponding connection device according to a preset program.
  • the touch panel 131 may include two parts: a touch detection device and a touch controller.
  • the touch detection device detects the user's touch position, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and sends them to the processor 180, and can receive and execute the commands sent by the processor 180.
  • the touch panel 131 can be implemented in multiple types such as resistive, capacitive, infrared, and surface acoustic wave.
  • the input unit 130 may also include other input devices 132.
  • the other input device 132 may include, but is not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackball, mouse, and joystick.
  • the display unit 140 may be used to display information input by the user or information provided to the user and various menus of the mobile phone.
  • the display unit 140 may include a display panel 141.
  • the display panel 141 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), etc.
  • the touch panel 131 can cover the display panel 141. When the touch panel 131 detects a touch operation on or near it, it transmits it to the processor 180 to determine the type of the touch event, and the processor 180 then provides the corresponding visual output on the display panel 141 according to the type of the touch event.
  • in FIG. 1, the touch panel 131 and the display panel 141 are used as two independent components to implement the input and output functions of the mobile phone, but in some embodiments the touch panel 131 and the display panel 141 can be integrated to implement the input and output functions of the mobile phone.
  • the mobile phone 100 may also include at least one sensor 150, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor.
  • the ambient light sensor can adjust the brightness of the display panel 141 according to the brightness of the ambient light.
  • the proximity sensor can turn off the display panel 141 and/or the backlight when the mobile phone is moved to the ear.
  • as a kind of motion sensor, the accelerometer sensor can detect the magnitude of acceleration in various directions (usually three axes), and can detect the magnitude and direction of gravity when the device is stationary.
  • the audio circuit 160, the speaker 161, and the microphone 162 can provide an audio interface between the user and the mobile phone.
  • the audio circuit 160 can transmit the electrical signal converted from the received audio data to the speaker 161, which converts it into a sound signal for output; on the other hand, the microphone 162 converts the collected sound signal into an electrical signal, which the audio circuit 160 receives and converts into audio data; the audio data is then processed by the processor 180 and sent, for example, to another mobile phone via the RF circuit 110, or output to the memory 120 for further processing.
  • WiFi is a short-distance wireless transmission technology.
  • the mobile phone can help users send and receive e-mails, browse web pages, and access streaming media through the WiFi module 170. It provides users with wireless broadband Internet access.
  • although FIG. 1 shows the WiFi module 170, it is understandable that it is not a necessary component of the mobile phone 100 and can be omitted as needed without changing the essence of the invention.
  • the processor 180 is the control center of the mobile phone. It uses various interfaces and lines to connect the various parts of the entire mobile phone, and by running or executing the software programs and/or modules stored in the memory 120 and calling the data stored in the memory 120, it executes the various functions of the mobile phone and processes data, so as to monitor the mobile phone as a whole.
  • the processor 180 may include one or more processing units; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interfaces, application programs, etc., and the modem processor mainly handles wireless communication. It can be understood that the foregoing modem processor may also not be integrated into the processor 180.
  • the mobile phone 100 also includes a power source 190 (such as a battery) for supplying power to the various components.
  • the power source may be logically connected to the processor 180 through a power management device, so that functions such as charging, discharging, and power consumption management can be managed by the power management device.
  • the mobile phone 100 may also include a camera.
  • the position of the camera on the mobile phone 100 may be front-mounted or rear-mounted, which is not limited in the embodiment of the present application.
  • the mobile phone 100 may include a single camera, a dual camera, or a triple camera, etc., which is not limited in the embodiment of the present application.
  • the mobile phone 100 may include three cameras, of which one is a main camera, one is a wide-angle camera, and one is a telephoto camera.
  • the multiple cameras may be all front-mounted, or all rear-mounted, or partly front-mounted and some rear-mounted, which is not limited in the embodiment of the present application.
  • the mobile phone 100 may also include a Bluetooth module, etc., which will not be repeated here.
  • the various access control methods proposed in this application are not only suitable for terminal devices to access local resources, but also for terminal devices to access network resources.
  • for scenarios where a terminal device accesses local resources, the execution subject of the access control method is the terminal device; for scenarios where a terminal device accesses network resources, the execution subject of the access control method is the server or terminal device where the network resource is located.
  • the terminal device where the accessing party is located and the server (terminal device) where the accessed party is located should have the same token mechanism and authority management mechanism.
  • the various access control methods proposed in this application can also be used for access control of various systems such as centralized systems or distributed systems, networks, and WEB services.
  • FIG. 2 shows a flow chart of an access control method provided by this application, including:
  • when request information sent by the accessing party to access the accessed party is received, it is detected whether the request information carries the target token.
  • the accessing party here is the subject of the access operation, which can be an application, a process, a service, etc.; the accessed party is the object of the access operation, which can be a software or hardware resource, a file, a service, etc.
  • when the accessing party performs an access operation on the accessed party, it first sends a request message; after obtaining the request message, the terminal system detects whether it carries the target token.
  • the target token may be a token specifically applicable to the accessing party's access to the accessed party; that is, when different accessing parties access the same accessed party, when the same accessing party accesses different accessed parties, or when different accessing parties access different accessed parties, the tokens carried by each accessing party can differ.
  • the target token is searched from a pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has the authority to access the accessed party.
  • the terminal system presets an access control authority policy, that is, it limits which subjects are allowed to perform which operations on which objects. Before the accessing party accesses the accessed party, if the access control authority policy determines that the accessing party has the corresponding access authority, the target token can be found in the token resource pool and allocated to the accessing party. If the access control authority policy determines that the accessing party does not have the corresponding access authority, no corresponding target token will be found in the token resource pool, that is, no token can be allocated to the accessing party at this time, and without a token the accessed party cannot be accessed.
  • the token resource pool can be shared by the entire access control system, that is, the different tokens used by different accessing parties to access different accessed parties can all be generated and added to the token resource pool in preparation for being allocated to the various accessing parties.
  • if the request information carries the target token, steps 202-203 are executed; if the request information does not carry the target token, step 205 is executed directly.
  • the target token can be generated in the following manner and added to the token resource pool:
  • the access control authority policy and the flow control policy of the accessed party are obtained.
  • the access control authority policy is used to limit the access authority of the accessed party.
  • the flow control policy is used to limit the data flow when the visited party is accessed;
  • tokens must limit the object (a token that does not limit the object is valid for the entire system and is meaningless for actually controlling authority), and can further limit specific functional features, APIs, or specific operations.
  • the token can limit only the object, or it can limit both the subject and the object, where the subject refers to the accessing party and the object refers to the accessed party.
  • for example, a public service provides a service availability status query and all applications have this permission; in this case there is no need to limit the subject or the number of accesses, which is a practical application scenario where the token limits only the object.
  • the token is usually generated by the accessed party.
  • when the terminal system detects that the accessed party (such as an object service resource) has been started, it can obtain the access control authority policy and the flow control policy of the accessed party, where the access control authority policy is used to limit the access authority of the accessed party and the flow control policy is used to limit the data flow when the accessed party is accessed; the target token is then generated according to the access control authority policy and the flow control policy.
  • the type of the generated target token is determined according to the access control authority policy, and the number of generated target tokens is determined according to the flow control policy. There can be many types of tokens.
  • for example, one-time tokens that limit the object, one-time tokens that limit the subject, multi-use tokens that limit both the object and the subject, and time-sensitive tokens can be generated.
  • the corresponding flow control policy can be set according to the service capability of the accessed party and the network condition, so as to determine the number of tokens generated. For example, if the accessed party is a blockchain service whose performance is poor, traffic can be restricted when the service is provided, such as 10 accesses per second with at most 5 applications allowed to access it. If 3 applications are currently running, 10 tokens can be generated for each application, 30 tokens in total, and when an application applies for tokens, at most 10 tokens per second are issued according to the flow control policy.
  • after the target token is generated, the method may further include:
  • deleting the target tokens that have been generated in the token resource pool.
  • deleting each generated target token from the token resource pool prevents accessing parties from continuing to apply for tokens for the accessed party, and so avoids the invalid operations that such access would cause.
  • Optionally, the target token can be generated in the following manner and added to the token resource pool:
  • when it is detected that the accessing party has started, the access control authority policy and the flow control policy of the accessed party are obtained; the access control authority policy limits the accessing party's authority to access the accessed party,
  • and the flow control policy limits the data flow when the accessed party is accessed;
  • Although the token is usually generated under the lead of the accessed party, some tokens are also restricted to the accessing party, and that part of the tokens can be generated under the lead of the accessing party.
  • When the terminal system detects that an accessing party (such as an application) has started, it determines each accessed party that the accessing party may access according to the accessing party's authority, and can then trigger each of those accessed parties to generate corresponding tokens.
  • The method of generating tokens can be the same as the accessed-party-led generation described above: the respective access control authority policy and flow control policy are obtained, the type and quantity of tokens are determined from them, and finally each generated token is added to the token resource pool.
  • After the target token is generated, the method may further include:
  • when it is detected that the accessing party is closed, deleting the target tokens that have been generated in the token resource pool.
  • When the accessing party is detected to be closed, each target token that has been generated for it in the token resource pool is deleted, which avoids malicious access to a certain extent.
  • The two generation methods above trigger token generation when the accessed party is detected to start and when the accessing party is detected to start. In some cases a certain number of tokens can also be generated in advance, before the accessing party or the accessed party has started, as a performance optimization.
  • If the accessing party carries a target token, the legality of the target token is verified next. Specifically, the integrity of the target token itself can be verified, and it can be verified whether the target token is a valid token that was generated in the token resource pool and allocated for the accessed party.
  • If the verification passes, step 204 is executed; otherwise, step 205 is executed.
  • Passing the validity verification of the carried target token indicates that the accessing party has the proper authority to access the accessed party, so the accessing party is allowed to access the accessed party.
  • If the accessing party does not carry a target token, or the validity verification of the carried target token fails, the accessing party may be accessing illegally, so it is denied access to the accessed party.
  • Before the accessing party accesses the accessed party, a corresponding token is assigned to it according to its authority; later, when it accesses the accessed party, only the validity of the carried token needs to be verified, which achieves token-based access control. With this arrangement, even if the application subject (accessing party) tampers with its authority information when accessing the object resource (accessed party), it still needs a legal token to access the object resource, which effectively reduces illegal access by applications to services or resources and improves the security of access control.
  • FIG. 3 shows a flow chart of another access control method provided by this application, including:
  • upon receiving request information sent by the accessing party for accessing the accessed party, determining whether the request information carries a target token, where the target token is searched from a pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has the authority to access the accessed party; if the request information carries the target token, steps 302-303 are performed; if it does not, step 306 is performed directly.
  • If the verification passes, step 304 is executed; otherwise, step 305 is executed.
  • Steps 301-304 are the same as steps 201-204; for details, refer to the descriptions of steps 201-204.
  • If the validity verification of the carried target token fails, the accessing party may be accessing illegally, so it is denied access to the accessed party.
  • The request information may not carry a target token because the accessing party is accessing the accessed party for the first time and has not yet applied for one.
  • In that case the target token can be searched from the token resource pool, and the found target token allocated to the accessing party.
  • According to the set access control authority policy, if the accessing party has access authority, the corresponding target token can be found in the token resource pool; if it does not have access authority, no corresponding target token can be found there.
  • If no target token is found, step 305 can be executed directly, that is, access is denied.
  • The target token can be obtained from the token resource pool in the following manner:
  • each accessing party and each accessed party can have its own unique identification, such as an ID or a name.
  • This information can be included in the token to establish the correspondence between the token, the accessing party and the accessed party. Therefore, a token whose token information contains both the unique identification of the accessing party and the unique identification of the accessed party can be searched from the token resource pool as the corresponding target token.
  • Alternatively, the target token can be obtained from the token resource pool in the following manner:
  • according to pre-stored token index information, the token corresponding to the accessing party information of the accessing party and the accessed party information of the accessed party is searched from the token resource pool as the target token.
  • In this manner the token itself need not contain the accessing party information and the accessed party information.
  • Instead, the correspondence between each token and its accessing party and accessed party is recorded by constructing token index information; a token corresponding to the accessing party information and the accessed party information can then be searched from the token resource pool as the target token.
  • A token resource library can be constructed to store the token index information, but it consumes considerable system resources, so the method in which the token itself contains the information of the accessing party and the accessed party is relatively preferable.
  • If the request information does not carry a target token, the target token is searched from the token resource pool, the found target token is allocated to the accessing party, and execution then continues with the remaining steps.
  • These steps extend token legality verification to the scenario in which the accessing party accesses the accessed party for the first time, which further improves practicability.
  • FIG. 4 shows a flowchart of another access control method provided by the present application, including:
  • upon receiving request information sent by the accessing party for accessing the accessed party, determining whether the request information carries a target token, where the target token is searched from a pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has the authority to access the accessed party; if the request information carries the target token, steps 402-403 are executed; if it does not, step 407 is executed directly.
  • If the request information carries a target token, it is checked whether the target token has become invalid.
  • Many tokens are time-sensitive, so before verifying the validity of the token it can be checked whether the carried target token has expired, to determine whether a new target token needs to be obtained. If the target token has expired, steps 403-404 are executed; if it has not, step 404 is executed directly.
  • If the target token has expired, a new target token can be found from the token resource pool to replace the invalid one. This process usually corresponds to the accessing party accessing the accessed party again.
  • The token can contain, but is not limited to, the following information: the unique identification of the accessing party; the unique identification of the accessed party (with support for extensions, such as distinguishing multiple API interfaces of the object); the access actions (such as CRUD, that is, create, read, modify, delete); a timestamp and validity window; and a key-based signature.
  • Verifying the validity of the target token may include, but is not limited to, the following checks:
  • a public key is used to verify the integrity of the target token (by means of encryption, decryption or signature); if the target token is complete, this part of the verification passes.
  • When the token is generated, it can include the timestamp of generation, and the validity time of the token is limited, for example to 1 minute; it is then verified from the timestamp and the validity time whether the target token is currently within its validity period. If it is, this part of the verification passes.
  • It is verified whether the unique identification of the accessing party contained in the target token is consistent with the unique identification of the current accessing party, and whether the unique identification of the accessed party contained in the target token is consistent with that of the current accessed party, and so on; that is, whether the subject and object declared by the token are consistent with the current situation. If they are consistent, this part of the verification passes.
  • If the verification passes, step 406 is executed; otherwise, step 407 is executed.
  • Steps 405-407 are the same as steps 203-205; for details, refer to the descriptions of steps 203-205.
  • This access control method can be applied to the scenario in which the accessing party accesses the accessed party again, which further improves practicability.
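  The token resource pool described above (generation sized by the flow control policy, lookup by the ids the token carries, replacement of an expired token, and the legality checks of integrity, validity window, subject, object and action), as an added Python example that is not part of the patent. The HMAC-SHA256 signature, the policy tables, the party names and the 60-second validity are constructed assumptions; the page itself only speaks of a key-based signature and a "valid within 1 minute" example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed policies. The page's example is a blockchain service limited to
# 10 visits per second and at most 5 applications; those numbers are reused.
ACCESS_POLICY = {  # accessed party -> accessing party -> permitted actions
    "blockchain_service": {"app_a": {"read"}, "app_b": {"read", "create"},
                           "app_c": {"read"}},
}
FLOW_POLICY = {"blockchain_service": {"tokens_per_subject": 10, "max_subjects": 5}}
VALIDITY_SECONDS = 60  # the page's "valid within 1 minute"


def _sign(key: bytes, fields: dict) -> str:
    """Key-based signature over the token fields (HMAC-SHA256 is an assumption)."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class TokenPool:
    """Token resource pool: generation, lookup by party ids, verification, lifecycle."""

    def __init__(self, key: bytes):
        self._key = key
        self._free = []       # generated but not yet allocated tokens
        self._allocated = {}  # accessing party -> its current token

    def generate_for_accessed_party(self, obj, running_subjects, now):
        """Triggered when the accessed party starts. Token type (subject, object,
        actions) follows the access control policy; count follows the flow control
        policy. Returns how many tokens were generated."""
        policy = ACCESS_POLICY.get(obj, {})
        flow = FLOW_POLICY[obj]
        subjects = [s for s in running_subjects if s in policy][:flow["max_subjects"]]
        count = 0
        for subj in subjects:
            for _ in range(flow["tokens_per_subject"]):
                fields = {"subject": subj, "object": obj,
                          "actions": sorted(policy[subj]),
                          "issued_at": now, "ttl": VALIDITY_SECONDS,
                          "nonce": secrets.token_hex(8)}
                fields["sig"] = _sign(self._key, fields)
                self._free.append(fields)
                count += 1
        return count

    def expired(self, tok, now):
        return now >= tok["issued_at"] + tok["ttl"]

    def allocate(self, subj, obj, now):
        """Search the pool for an unexpired token whose own information names this
        subject and object (the page's first lookup method). None means the policy
        never produced such a token, i.e. the subject has no authority."""
        for i, tok in enumerate(self._free):
            if tok["subject"] == subj and tok["object"] == obj and not self.expired(tok, now):
                self._allocated[subj] = self._free.pop(i)
                return tok
        return None

    def verify(self, tok, subj, obj, action, now):
        """Legality checks in the page's order: integrity, validity window,
        subject, object, access action. Returns (ok, reason)."""
        fields = {k: v for k, v in tok.items() if k != "sig"}
        if not hmac.compare_digest(_sign(self._key, fields), str(tok.get("sig", ""))):
            return False, "integrity"   # tampered fields or forged signature
        if self.expired(tok, now):
            return False, "expired"
        if tok["subject"] != subj:
            return False, "subject"
        if tok["object"] != obj:
            return False, "object"
        if action not in tok["actions"]:
            return False, "action"
        return True, "ok"

    def revoke(self, subj=None, obj=None):
        """Lifecycle: when a party closes, delete its tokens from the pool."""
        def keep(t):
            return not ((subj is not None and t["subject"] == subj)
                        or (obj is not None and t["object"] == obj))
        self._free = [t for t in self._free if keep(t)]
        self._allocated = {s: t for s, t in self._allocated.items() if keep(t)}

    def free_count(self):
        return len(self._free)

    def allocated_token(self, subj):
        return self._allocated.get(subj)


def handle_request(pool, subj, obj, action, token, now):
    """Flow of FIG. 4: no token -> look one up; expired token -> replace it;
    then verify legality and allow or deny."""
    if token is None or pool.expired(token, now):
        token = pool.allocate(subj, obj, now)
        if token is None:
            return "deny"
    ok, _ = pool.verify(token, subj, obj, action, now)
    return "allow" if ok else "deny"
```

Because tokens are signed over all their fields, an application that edits the actions or subject of a token it holds fails the integrity check before any of the other checks are reached.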
  • The accessing party is an APP.
  • The access control authority of the APP has been pre-set during the installation process.
  • The accessed party is a service/resource.
  • Before accessing the service/resource, the APP can apply for a token. If the APP has the authority to access the service/resource, the corresponding token can be found in the token resource pool and allocated to the APP. While the APP carries the token to access the service/resource, the legitimacy of the token is verified; if the verification passes, the APP is allowed to access the service/resource, otherwise the APP is denied access.
  • FIG. 6 is a schematic diagram of a method of generating tokens in the token resource pool shown in FIG. 5.
  • The access control module is a functional module used to implement the access control mechanism in the terminal system.
  • The token generation process is then triggered.
  • The access control module obtains the preset permission policy for the accessing party to access the accessed party from the permission policy library, and obtains the current flow control policy of the accessed party from the flow control policy library.
  • A corresponding number and type of tokens are then generated.
  • The type of token generated is mainly determined by the acquired access control authority policy.
  • Figure 6 shows four different types of tokens: one-time tokens that only limit the object, multi-use tokens that only limit the object, one-time tokens that limit both subject and object, and multi-use tokens that limit both subject and object. The number of tokens generated is mainly determined by the acquired flow control policy. Clearly, the token generation policy can be changed by modifying either the access control authority policy or the flow control policy.
  • The generated token may contain the unique identification of the accessing party and the unique identification of the accessed party, as well as other related information. Finally, the generated token is added to the token resource pool for the accessing party to use when accessing the accessed party.
  • The access control module can also manage the life cycle of the token. For example, when it is detected that a certain accessing party has been closed, the corresponding tokens in the token resource pool can be found through the unique identification of that accessing party or of the related accessed party, and those generated tokens are deleted.
  • Fig. 7 is a schematic diagram of verifying the legitimacy of the token while the APP shown in Fig. 5 carries the token to access the service/resource.
  • Here, too, the access control module is the functional module that implements the access control mechanism in the terminal system.
  • When the APP carries the token to access the service/resource, the access control module verifies the legitimacy of the token. The specific checks may include: verifying the integrity of the token, verifying the valid window of the timestamp, verifying the unique identification of the object, verifying the unique identification of the subject, and verifying the access action. If the token is verified as valid, the APP is allowed to access the service/resource; otherwise, the APP is denied access.
  • Fig. 8 is a schematic diagram of access control for the APP shown in Fig. 5 accessing the service/resource for the first time.
  • Fig. 9 is a schematic diagram of access control for the APP shown in Fig. 5 accessing the service/resource again.
  • In Fig. 8, the APP is accessing the service/resource for the first time, so it carries no token. It must therefore go through the access control module, which finds the corresponding token in the token resource pool according to the unique identifier of the APP and the unique identifier of the service/resource. The access control module then allocates the found token to the APP, the APP carries the token to access the service/resource, and the token verification process shown in FIG. 7 is executed.
  • In Fig. 9, the APP is accessing the service/resource again, so it already carries a token.
  • FIG. 10 shows a structural block diagram of an access control device provided by an embodiment of the present application. For ease of description, only the parts related to the embodiment of the present application are shown.
  • The device includes:
  • the access request receiving module 501, configured to, upon receiving request information sent by the accessing party for accessing the accessed party, determine whether the request information carries a target token, where the target token is searched from the pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has the authority to access the accessed party;
  • the token verification module 502, configured to verify the validity of the target token if the request information carries a target token;
  • the access permission module 503, configured to allow the accessing party to access the accessed party after the legality verification is passed.
  • The access control device may further include:
  • a token search module, configured to search for the target token from the token resource pool if the request information does not carry the target token, and to allocate the found target token to the accessing party.
  • The access control device may further include:
  • a token validity check module, configured to check whether the target token has become invalid;
  • a token replacement module, configured to search for a new target token from the token resource pool to replace the invalid target token if the target token has become invalid.
  • The access control device may further include:
  • a first policy obtaining module, configured to obtain the access control authority policy and the flow control policy of the accessed party when it is detected that the accessed party has started, where the access control authority policy limits the authority with which the accessed party may be accessed, and the flow control policy limits the data flow when the accessed party is accessed;
  • a first token generation module, configured to generate the target token according to the access control authority policy and the flow control policy, where the type of target token generated is determined by the access control authority policy and the number of target tokens generated is determined by the flow control policy.
  • The access control device may further include:
  • a second policy obtaining module, configured to obtain the access control authority policy and the flow control policy of the accessed party when it is detected that the accessing party has started, where the access control authority policy limits the accessing party's authority to access the accessed party, and the flow control policy limits the data flow when the accessed party is accessed;
  • a second token generation module, configured to generate the target token according to the access control authority policy and the flow control policy, where the type of target token generated is determined by the access control authority policy and the number of target tokens generated is determined by the flow control policy.
  • The access control device may further include:
  • a token deletion module, configured to delete the generated target tokens in the token resource pool when it is detected that the accessing party is closed.
  • The access control device may further include:
  • an identification acquiring module, configured to acquire the unique identification of the accessing party and the unique identification of the accessed party;
  • a first token search module, configured to search the token resource pool for a token whose token information includes the unique identifier of the accessing party and the unique identifier of the accessed party, as the target token.
  • The access control device may further include:
  • a token index obtaining module, configured to obtain pre-stored token index information, where the token index information records the accessing party information and the accessed party information corresponding to each token in the token resource pool;
  • a second token search module, configured to search the token resource pool, according to the token index information, for the token corresponding to the accessing party information of the accessing party and the accessed party information of the accessed party, as the target token.
  • The token verification module may include:
  • an integrity verification unit, configured to verify the integrity of the target token;
  • a timestamp acquiring unit, configured to acquire the timestamp of the target token;
  • a validity period verification unit, configured to verify whether the target token is within its validity period according to the timestamp;
  • an accessing party information verification unit, configured to verify whether the accessing party information contained in the target token is consistent with the accessing party;
  • an accessed party information verification unit, configured to verify whether the accessed party information contained in the target token is consistent with the accessed party;
  • an action verification unit, configured to verify whether the access action corresponding to the target token is consistent with the access action corresponding to the request information.
  • The embodiments of the present application also provide a computer-readable storage medium that stores a computer program which, when executed by a processor, implements the steps of each access control method proposed in the present application.
  • The embodiments of the present application also provide a computer program product which, when run on a terminal device, causes the terminal device to execute the steps of each access control method proposed in this application.
  • FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of this application.
  • The terminal device 6 of this embodiment includes at least one processor 60 (only one is shown in FIG. 11), a memory 61, and a computer program 62 that is stored in the memory 61 and can run on the at least one processor 60.
  • When the processor 60 executes the computer program 62, the steps in any of the foregoing access control method embodiments are implemented.
  • The terminal device 6 may be a computing device such as a desktop computer, a notebook, a palmtop computer, or a cloud server.
  • The terminal device may include, but is not limited to, the processor 60 and the memory 61.
  • FIG. 11 is only an example of the terminal device 6 and does not constitute a limitation on it; the device may include more or fewer components than shown in the figure, a combination of certain components, or different components, and may for example also include input and output devices, network access devices, and so on.
  • The so-called processor 60 may be a central processing unit (Central Processing Unit, CPU), and may also be another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
  • The memory 61 may in some embodiments be an internal storage unit of the terminal device 6, such as a hard disk or a memory of the terminal device 6. In other embodiments, the memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk equipped on the terminal device 6, a smart media card (SMC), a secure digital (Secure Digital, SD) card, a flash card, etc. Further, the memory 61 may include both an internal storage unit of the terminal device 6 and an external storage device.
  • The memory 61 is used to store an operating system, an application program, a boot loader (BootLoader), data, and other programs, such as the program code of the computer program. The memory 61 can also be used to temporarily store data that has been output or will be output.
  • The disclosed device and method may be implemented in other ways.
  • The device embodiments described above are merely illustrative.
  • The division into modules or units is only a logical function division. In actual implementation there may be other division methods; for example, multiple units or components may be combined or integrated into another device, or some features may be omitted or not implemented.
  • The displayed or discussed mutual coupling, direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • The functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • The above-mentioned integrated unit can be implemented in the form of hardware or of a software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • The computer program can be stored in a computer-readable storage medium, and when it is executed the steps of the foregoing method embodiments can be implemented.
  • The computer program includes computer program code, and the computer program code may be in the form of source code, object code, an executable file, or some intermediate form.
  • The computer-readable medium may include at least: any entity or device capable of carrying the computer program code to a terminal device, a recording medium, a computer memory, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunications signal, and a software distribution medium, for example a USB flash drive, a removable hard disk, a floppy disk or a CD-ROM.
  • Note that computer-readable media may not include electrical carrier signals and telecommunication signals.

Abstract

An access control method and apparatus, a terminal device, and a storage medium. The method comprises: upon receipt of request information, sent by an accessing party, for accessing an accessed party, determining whether the request information carries a target token, the target token being found in a pre-constructed token resource pool and allocated to the accessing party when it is determined that the accessing party has the permission to access the accessed party; if the request information carries the target token, performing validity verification on the target token; and after the validity verification is successful, permitting the accessing party to access the accessed party. With this configuration, even if an application subject tampers with permission information when accessing an object resource, the application subject still needs a valid token to access the object resource; therefore, illegal accesses by an application to various services or resources are effectively reduced, and the security of access control is improved.

Description

访问控制方法、装置、终端设备和存储介质Access control method, device, terminal equipment and storage medium
本申请要求于2020年1月22日提交国家知识产权局、申请号为202010075429.2、申请名称为“访问控制方法、装置、终端设备和存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the State Intellectual Property Office on January 22, 2020, the application number is 202010075429.2, and the application name is "Access control methods, devices, terminal equipment and storage media", the entire content of which is incorporated by reference Incorporated in this application.
技术领域Technical field
本申请属于计算机技术领域,尤其涉及一种访问控制方法、装置、终端设备和存储介质。This application belongs to the field of computer technology, and in particular relates to an access control method, device, terminal device, and storage medium.
背景技术Background technique
Android应用一般会在Manifest文件里定义好用户身份证明(User Identification,UID)和权限列表,应用安装时或使用资源时授予对应的权限。Android applications generally define User Identification (UID) and permission lists in the Manifest file, and grant corresponding permissions when the application is installed or when resources are used.
当应用主体访问客体资源的时候,通常会通过该应用主体的UID,从权限列表中查找相应的权限,从而决策是否允许该应用主体对客体资源进行访问,以实现访问控制。When an application subject accesses an object resource, it usually finds the corresponding permission from the permission list through the UID of the application subject, so as to decide whether to allow the application subject to access the object resource to achieve access control.
然而,如果应用篡改自己的UID,或者篡改UID对应的权限,则很可能产生越权访问的问题,故采用这种方式进行访问控制的安全性较低。However, if the application tampered with its own UID or tampered with the permissions corresponding to the UID, it is likely to cause the problem of unauthorized access. Therefore, the security of access control in this way is low.
发明内容Summary of the invention
有鉴于此,本申请实施例提供了一种访问控制方法、装置、终端设备和存储介质,可以提高访问控制的安全性。In view of this, the embodiments of the present application provide an access control method, device, terminal device, and storage medium, which can improve the security of access control.
第一方面,本申请实施例提供了一种访问控制方法,包括:In the first aspect, an embodiment of the present application provides an access control method, including:
在接收到访问方发送的访问被访问方的请求信息时,判断所述请求信息中是否携带有目标令牌,所述目标令牌是在确定所述访问方具备访问所述被访问方的权限时,从预先构建的令牌资源池中查找并分配给所述访问方的;When receiving the request information for accessing the accessed party sent by the accessing party, it is determined whether the request information carries a target token, and the target token is used to determine that the accessing party has the authority to access the accessed party. At the time, search from the pre-built token resource pool and assign it to the accessing party;
若所述请求信息中携带有目标令牌,则对所述目标令牌进行合法性验证;If the request information carries a target token, verify the validity of the target token;
在所述合法性验证通过后,允许所述访问方对所述被访问方进行访问。After the legality verification is passed, the visiting party is allowed to access the visited party.
在访问方访问被访问方之前,会根据访问方的权限给访问方分配相应的令牌,之后当访问方访问被访问方的时候,只需对访问方携带的令牌进行合法性验证即可,从而实现基于令牌的访问控制。通过这样设置,即便应用主体(访问方)在访问客体资源(被访问方)时篡改相应的权限信息,该应用主体仍然需要一个合法的令牌才可以对客体资源进行访问,故能够有效减少应用对各种服务或资源的非法访问,提高访问控制的安全性。Before the visitor visits the visited party, the corresponding token will be assigned to the visitor according to the visitor's authority. Later, when the visitor visits the visited party, it only needs to verify the validity of the token carried by the visitor. , So as to achieve token-based access control. Through this setting, even if the application subject (visiting party) tampered with the corresponding authority information when accessing the object resource (accessed party), the application subject still needs a legal token to access the object resource, which can effectively reduce the number of applications. Illegal access to various services or resources improves the security of access control.
进一步的,在判断所述请求信息中是否携带有目标令牌之后,还可以包括:Further, after determining whether the request information carries the target token, it may further include:
若所述请求信息中未携带有目标令牌,则从所述令牌资源池中查找目标令牌,并将查找到的目标令牌分配给所述访问方。If the request information does not carry the target token, the target token is searched from the token resource pool, and the found target token is allocated to the access party.
所述请求信息中未携带有目标令牌,可能是由于该访问方首次访问该被访问方,尚未申请到目标令牌。此时可以从所述令牌资源池中查找目标令牌,并将查找到的目标令牌分配给所述访问方。根据设定的访问控制权限策略,如果该访问方具备访问权 限,则可以从该令牌资源池中查找到相应的目标令牌;如果该访问方不具备访问权限,则无法从该令牌资源池中查找到相应的目标令牌。The request information does not carry the target token, which may be because the visitor has accessed the visited party for the first time and has not applied for the target token. At this time, the target token can be searched from the token resource pool, and the searched target token can be allocated to the access party. According to the set access control authority policy, if the access party has access authority, the corresponding target token can be found from the token resource pool; if the access party does not have access authority, the token resource cannot be retrieved The corresponding target token is found in the pool.
进一步的,在对所述目标令牌进行合法性验证之前,还可以包括:Further, before the legality verification of the target token is performed, it may further include:
检验所述目标令牌是否失效;Check whether the target token is invalid;
若所述目标令牌已失效,则从所述令牌资源池中查找新的目标令牌替换所述失效的目标令牌。If the target token has expired, searching for a new target token from the token resource pool to replace the invalid target token.
很多令牌都是具有时效性的,故在对令牌进行合法性验证之前,可以先检验该访问方携带的目标令牌是否已失效,从而确定是否需要获取新的目标令牌。Many tokens are time-sensitive, so before verifying the validity of the token, it is possible to check whether the target token carried by the accessing party has expired, so as to determine whether a new target token needs to be obtained.
Optionally, the target token may be generated in the following manner and added to the token resource pool:
when it is detected that the accessed party is started, obtaining the access control permission policy and the flow control policy of the accessed party, where the access control permission policy is used to define the permissions for accessing the accessed party, and the flow control policy is used to define the data flow when the accessed party is accessed;
generating the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined according to the access control permission policy, and the number of target tokens generated is determined according to the flow control policy.
Tokens are usually generated under the direction of the accessed party. When the terminal system detects that the accessed party (for example, an object service resource) is started, it can obtain the access control permission policy and the flow control policy of the accessed party, where the access control permission policy defines the permissions for accessing the accessed party and the flow control policy defines the data flow when the accessed party is accessed; the target token is then generated according to the access control permission policy and the flow control policy.
Further, after the target token is generated, the method may further include:
when it is detected that the accessed party is shut down, deleting the generated target token from the token resource pool.
When it is detected that the accessed party is shut down, it no longer provides the accessed service; at this time, each target token generated in the token resource pool can be deleted, to avoid the invalid operations that would result from accessing parties continuing to apply for tokens in order to access that accessed party.
Optionally, the target token may be generated in the following manner and added to the token resource pool:
when it is detected that the accessing party is started, obtaining the access control permission policy and the flow control policy of the accessed party, where the access control permission policy is used to define the permission of the accessing party to access the accessed party, and the flow control policy is used to define the data flow when the accessed party is accessed;
generating the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined according to the access control permission policy, and the number of target tokens generated is determined according to the flow control policy.
Although tokens are usually generated under the direction of the accessed party, some tokens are also specific to the accessing party, and this part of the tokens can be generated under the direction of the accessing party. When the terminal system detects that an accessing party (for example, an application) is started, it determines, according to the permissions of that accessing party, the accessed parties it is able to access, and can then trigger each of those accessed parties to generate the corresponding tokens.
Further, after the target token is generated, the method may further include:
when it is detected that the accessing party is shut down, deleting the generated target token from the token resource pool.
When it is detected that the accessing party is shut down (stops running), each target token generated in the token resource pool is deleted; this can to some extent prevent malicious access.
Specifically, the target token may be looked up in the token resource pool in the following manner:
obtaining the unique identifier of the accessing party and the unique identifier of the accessed party;
looking up, in the token resource pool, a token whose token information includes the unique identifier of the accessing party and the unique identifier of the accessed party, as the target token.
Each accessing party or accessed party may have its own unique identifier, such as an ID or a name. When a token is generated, this information can be included in it, thereby establishing the correspondence between the token and the accessing party and the accessed party. Therefore, a token whose token information includes the unique identifier of the accessing party and the unique identifier of the accessed party can be looked up in the token resource pool as the corresponding target token.
Specifically, the target token may be looked up in the token resource pool in the following manner:
obtaining pre-stored token index information, where the token index information records the accessing-party information and the accessed-party information corresponding to each token in the token resource pool;
according to the token index information, looking up, in the token resource pool, a token corresponding to the accessing-party information of the accessing party and the accessed-party information of the accessed party, as the target token.
The token itself may also not contain the corresponding accessing-party information and accessed-party information; in this case, token index information can be constructed to record the correspondence between each token and its accessing party and accessed party. Then, a token corresponding to the accessing-party information of the accessing party and the accessed-party information of the accessed party can be looked up in the token resource pool as the corresponding target token. Specifically, a token repository can be constructed to store the token index information, but this consumes more system resources.
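The token resource pool described in the preceding passages (generation from the two policies when an accessed party starts, deletion when either party shuts down, index-based lookup by the two unique identifiers, first-access allocation and replacement of an expired token), written out as a runnable illustration. This is added example code, not code from the application; the policy tables, identifiers, field names and token lifetime are constructed assumptions.

```python
"""Token resource pool for the accessing-party / accessed-party scheme
described above. Added example, not code from the application; the policy
tables, identifiers, field names and lifetime are constructed assumptions."""
from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed access control permission policy (assumption): for each accessed
# party, the actions each accessing party is permitted to perform on it.
ACCESS_POLICY = {
    "svc.contacts": {"app.mail": {"read"}, "app.sync": {"read", "write"}},
}
# Constructed flow control policy (assumption): how many tokens of each action
# kind the accessed party admits at once, i.e. its concurrent-access budget.
FLOW_POLICY = {"svc.contacts": {"read": 2, "write": 1}}
TOKEN_LIFETIME = 600  # seconds a token stays valid once allocated (assumed)


@dataclass
class Token:
    token_id: int
    accessor: str   # unique identifier of the accessing party
    accessed: str   # unique identifier of the accessed party
    action: str     # access action the token authorises
    issued_at: Optional[int] = None  # set when allocated; None while free
    holder: Optional[str] = None     # accessing party the token is allocated to

    def expired(self, now: int) -> bool:
        return self.issued_at is not None and now >= self.issued_at + TOKEN_LIFETIME


class TokenPool:
    """Pool shared by the whole access control system, plus token index
    information mapping (accessor, accessed, action) to token ids."""

    def __init__(self, access_policy: dict, flow_policy: dict) -> None:
        self._access_policy = access_policy
        self._flow_policy = flow_policy
        self._ids = itertools.count(1)
        self._tokens: dict[int, Token] = {}
        self._index: dict[tuple, list[int]] = {}

    def on_accessed_started(self, accessed: str) -> int:
        """Generate tokens when an accessed party starts: the kinds of token come
        from the access policy, the number of each kind from the flow policy."""
        created = 0
        for accessor, actions in self._access_policy.get(accessed, {}).items():
            for action in sorted(actions):
                count = self._flow_policy.get(accessed, {}).get(action, 0)
                for _ in range(count):
                    tok = Token(next(self._ids), accessor, accessed, action)
                    self._tokens[tok.token_id] = tok
                    self._index.setdefault((accessor, accessed, action), []).append(tok.token_id)
                    created += 1
        return created

    def _remove_where(self, pred: Callable[[Token], bool]) -> int:
        doomed = [t for t in self._tokens.values() if pred(t)]
        for t in doomed:
            del self._tokens[t.token_id]
            self._index[(t.accessor, t.accessed, t.action)].remove(t.token_id)
        return len(doomed)

    def on_accessed_stopped(self, accessed: str) -> int:
        """The accessed party no longer serves requests: delete all its tokens."""
        return self._remove_where(lambda t: t.accessed == accessed)

    def on_accessor_stopped(self, accessor: str) -> int:
        """The accessing party stopped running: delete the tokens tied to it."""
        return self._remove_where(lambda t: t.accessor == accessor)

    def lookup(self, accessor: str, accessed: str, action: str, now: int) -> Optional[Token]:
        """Look up and allocate a free token via the index. None means either the
        policy never generated that kind (no permission) or every token of that
        kind is held, i.e. the flow control budget is exhausted."""
        for tid in self._index.get((accessor, accessed, action), []):
            tok = self._tokens[tid]
            if tok.holder is None:
                tok.holder, tok.issued_at = accessor, now
                return tok
        return None

    def release(self, tok: Token) -> None:
        tok.holder, tok.issued_at = None, None

    def handle_request(self, accessor: str, accessed: str, action: str,
                       token: Optional[Token], now: int) -> tuple[str, Optional[Token]]:
        """Step 201 dispatch: a first access (no token) is served from the pool;
        a carried token that has expired is replaced by a fresh one; a live
        token goes on to legality verification."""
        if token is None:
            fresh = self.lookup(accessor, accessed, action, now)
            return ("allocated", fresh) if fresh else ("denied", None)
        if token.expired(now):
            self.release(token)
            fresh = self.lookup(accessor, accessed, action, now)
            return ("replaced", fresh) if fresh else ("denied", None)
        return ("verify", token)
```

Because the pool only ever holds tokens the policy allowed to exist, an accessing party without permission and an accessing party that has exhausted its flow budget are both refused at the same point: no token can be found for it.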
Specifically, the legality verification of the target token may include, but is not limited to:
verifying the integrity of the target token;
and/or
obtaining the timestamp of the target token;
verifying, according to the timestamp, whether the target token is within its validity period;
and/or
verifying whether the accessing-party information contained in the target token is consistent with the accessing party;
verifying whether the accessed-party information contained in the target token is consistent with the accessed party;
and/or
verifying whether the access action corresponding to the target token is consistent with the access action corresponding to the request information.
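The verification steps just listed, carried out in order on one token, as an added illustration that is not code from the application. It assumes the token is a small record signed with HMAC-SHA256 under a key held by the terminal system; the field names, key and sample identifiers are constructed.

```python
"""Legality verification of a target token: integrity, validity period,
accessing/accessed party consistency and access action consistency.
Added example, not code from the application; the token layout (a record
signed with HMAC-SHA256 under a system key), field names and values are
constructed assumptions."""
import hashlib
import hmac

TOKEN_LIFETIME = 600  # seconds; assumed validity window of a token
FIELDS = ("accessor", "accessed", "action", "ts")


def _canonical(token: dict) -> bytes:
    # Fixed field order, so the MAC covers exactly the claimed binding.
    return "|".join(f"{k}={token[k]}" for k in FIELDS).encode()


def mint_token(key: bytes, accessor: str, accessed: str, action: str, ts: int) -> dict:
    """Issue a token bound to one accessing party, one accessed party and one
    action, with the issue timestamp covered by the MAC."""
    token = {"accessor": accessor, "accessed": accessed, "action": action, "ts": ts}
    token["mac"] = hmac.new(key, _canonical(token), hashlib.sha256).hexdigest()
    return token


def verify_token(key: bytes, token: dict, request: dict, now: int) -> tuple[bool, str]:
    """request = {"accessor", "accessed", "action"} as observed by the terminal
    system for this access, not as claimed inside the token. Returns (ok, reason).
    Integrity is checked first, so later fields are only trusted once the MAC
    shows the token was issued by the system and not altered."""
    if not all(k in token for k in FIELDS + ("mac",)):
        return False, "malformed"
    # 1. Integrity: the MAC recomputed over the fields must equal the carried MAC.
    expected = hmac.new(key, _canonical(token), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "integrity"
    # 2. Validity period derived from the token's timestamp.
    ts = token["ts"]
    if not (ts <= now < ts + TOKEN_LIFETIME):
        return False, "expired"
    # 3. The token must be bound to the party presenting it ...
    if token["accessor"] != request["accessor"]:
        return False, "accessor_mismatch"
    # 4. ... and to the party it is being used on.
    if token["accessed"] != request["accessed"]:
        return False, "accessed_mismatch"
    # 5. The action the token authorises must match the action requested.
    if token["action"] != request["action"]:
        return False, "action_mismatch"
    return True, "ok"
```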
In a second aspect, an embodiment of the present application provides an access control apparatus, including:
an access request receiving module, configured to, when request information sent by an accessing party for accessing an accessed party is received, determine whether the request information carries a target token, where the target token is looked up in a pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has permission to access the accessed party;
a token verification module, configured to perform legality verification on the target token if the request information carries a target token; and
an access permitting module, configured to permit the accessing party to access the accessed party after the legality verification passes.
In a third aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the access control method according to the first aspect of the embodiments of the present application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the access control method according to the first aspect of the embodiments of the present application.
In a fifth aspect, an embodiment of the present application provides a computer program product which, when run on a terminal device, causes the terminal device to perform the access control method according to any one of the above first aspect.
Compared with the prior art, the embodiments of the present application have the following beneficial effects: the security of access control can be improved, with good practicality and ease of use.
Description of the drawings
FIG. 1 is a schematic diagram of the hardware structure of a mobile phone to which the access control method provided by an embodiment of the present application is applicable;
FIG. 2 is a flowchart of an access control method provided by an embodiment of the present application;
FIG. 3 is a flowchart of another access control method provided by an embodiment of the present application;
FIG. 4 is a flowchart of another access control method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of the access control method provided by an embodiment of the present application in a practical application scenario;
FIG. 6 is a schematic diagram of the manner in which tokens in the token resource pool shown in FIG. 5 are generated;
FIG. 7 is a schematic diagram of verifying the legality of the token while the APP shown in FIG. 5 carries the token to access a service/resource;
FIG. 8 is a schematic diagram of access control when the APP shown in FIG. 5 accesses a service/resource for the first time;
FIG. 9 is a schematic diagram of access control when the APP shown in FIG. 5 accesses a service/resource again;
FIG. 10 is a structural diagram of an access control apparatus provided by an embodiment of the present application;
FIG. 11 is a schematic diagram of a terminal device provided by an embodiment of the present application.
Detailed description of embodiments
In the following description, for the purpose of illustration rather than limitation, specific details such as particular apparatus structures and techniques are set forth in order to provide a thorough understanding of the embodiments of the present application. However, it will be clear to those skilled in the art that the present application can also be implemented in other embodiments without these specific details. In other cases, detailed descriptions of well-known apparatuses, circuits and methods are omitted so that unnecessary detail does not obscure the description of the present application.
The terms used in the following embodiments are for the purpose of describing particular embodiments only and are not intended to limit the present application. As used in the specification and the appended claims of the present application, the singular forms "a", "an", "said", "the above", "the" and "this" are intended to include expressions such as "one or more" as well, unless the context clearly indicates otherwise. It should also be understood that in the embodiments of the present application, "one or more" means one, two or more than two; "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
The access control method provided by the embodiments of the present application can be applied to terminal devices such as mobile phones, tablet computers, wearable devices, vehicle-mounted devices, augmented reality (AR)/virtual reality (VR) devices, notebook computers, ultra-mobile personal computers (UMPC), netbooks and personal digital assistants (PDA), or to servers; the embodiments of the present application do not impose any restriction on the specific type of terminal device or server.
For example, the terminal device may be a station (STATION, ST) in a WLAN, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA) device, a handheld device with a wireless communication function, a computing device or another processing device connected to a wireless modem, a vehicle-mounted device, an Internet-of-Vehicles terminal, a computer, a laptop computer, a handheld communication device, a handheld computing device, a satellite radio device, a wireless modem card, a television set top box (STB), customer premise equipment (CPE) and/or another device for communicating over a wireless system, as well as a next-generation communication apparatus, for example a mobile terminal in a 5G network or a mobile terminal in a future evolved Public Land Mobile Network (PLMN).
By way of example and not limitation, when the terminal device is a wearable device, the wearable device may also be a general term for devices that apply wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device; it also achieves powerful functions through software support, data exchange and cloud interaction. Broadly, wearable smart devices include devices that are full-featured, large in size and able to implement all or part of their functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on only one kind of application function and need to be used together with other devices such as smartphones, such as the various smart bracelets and smart jewellery used for monitoring physical signs.
Taking the terminal device being a mobile phone as an example, FIG. 1 shows a block diagram of part of the structure of a mobile phone provided by an embodiment of the present application. Referring to FIG. 1, the mobile phone includes components such as a radio frequency (RF) circuit 110, a memory 120, an input unit 130, a display unit 140, a sensor 150, an audio circuit 160, a wireless fidelity (WiFi) module 170, a processor 180 and a power supply 190. Those skilled in the art will understand that the mobile phone structure shown in FIG. 1 does not constitute a limitation on the mobile phone, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
The components of the mobile phone are described in detail below with reference to FIG. 1:
The RF circuit 110 can be used to receive and send signals while information is being sent and received or during a call; in particular, after receiving downlink information from a base station, it passes it to the processor 180 for processing, and it also sends the uplink data to the base station. Generally, the RF circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. In addition, the RF circuit 110 can also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and so on.
The memory 120 can be used to store software programs and modules, and the processor 180 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 120. The memory 120 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playback function or an image playback function) and the like, and the data storage area may store data created through use of the mobile phone (such as audio data or a phone book) and the like. In addition, the memory 120 may include a high-speed random access memory and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device or another volatile solid-state storage device.
The input unit 130 can be used to receive input numeric or character information and to generate key signal inputs related to the user settings and function control of the mobile phone 100. Specifically, the input unit 130 may include a touch panel 131 and other input devices 132. The touch panel 131, also called a touch screen, can collect touch operations by the user on or near it (for example, operations by the user on or near the touch panel 131 using a finger, a stylus or any other suitable object or accessory) and drive the corresponding connected apparatus according to a preset program. Optionally, the touch panel 131 may include two parts: a touch detection apparatus and a touch controller. The touch detection apparatus detects the position of the user's touch, detects the signal produced by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection apparatus, converts it into contact coordinates and sends them to the processor 180, and can receive and execute commands sent by the processor 180. In addition, the touch panel 131 may be implemented in multiple types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 131, the input unit 130 may also include other input devices 132. Specifically, the other input devices 132 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or an on/off key), a trackball, a mouse and a joystick.
The display unit 140 can be used to display information input by the user or information provided to the user, as well as the various menus of the mobile phone. The display unit 140 may include a display panel 141, which may optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or the like. Further, the touch panel 131 may cover the display panel 141; when the touch panel 131 detects a touch operation on or near it, it passes it to the processor 180 to determine the type of the touch event, and the processor 180 then provides the corresponding visual output on the display panel 141 according to the type of the touch event. Although in FIG. 1 the touch panel 131 and the display panel 141 are implemented as two separate components to provide the input and output functions of the mobile phone, in some embodiments the touch panel 131 and the display panel 141 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone 100 may also include at least one sensor 150, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display panel 141 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 141 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes), and can detect the magnitude and direction of gravity when stationary; it can be used for applications that recognise the posture of the mobile phone (such as switching between landscape and portrait, related games and magnetometer posture calibration) and for vibration recognition functions (such as a pedometer or tapping). Other sensors that may also be configured in the mobile phone, such as a gyroscope, barometer, hygrometer, thermometer and infrared sensor, are not described here.
The audio circuit 160, a loudspeaker 161 and a microphone 162 can provide an audio interface between the user and the mobile phone. The audio circuit 160 can transmit the electrical signal converted from the received audio data to the loudspeaker 161, which converts it into a sound signal for output; conversely, the microphone 162 converts the collected sound signal into an electrical signal, which the audio circuit 160 receives and converts into audio data; the audio data is then output to the processor 180 for processing and sent via the RF circuit 110 to, for example, another mobile phone, or output to the memory 120 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 170 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband Internet access. Although FIG. 1 shows the WiFi module 170, it will be understood that it is not an essential component of the mobile phone 100 and may be omitted as needed without changing the essence of the invention.
The processor 180 is the control centre of the mobile phone; it connects the various parts of the entire mobile phone through various interfaces and lines, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 120 and invoking the data stored in the memory 120, thereby monitoring the mobile phone as a whole. Optionally, the processor 180 may include one or more processing units; preferably, the processor 180 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, application programs and the like, and the modem processor mainly handles wireless communication. It will be understood that the modem processor may also not be integrated into the processor 180.
The mobile phone 100 also includes a power supply 190 (such as a battery) that supplies power to the various components; preferably, the power supply may be logically connected to the processor 180 through a power management apparatus, so that functions such as charging, discharging and power consumption management are implemented through the power management apparatus.
Although not shown, the mobile phone 100 may also include a camera. Optionally, the camera may be located on the front or on the back of the mobile phone 100, which is not limited in the embodiments of the present application.
Optionally, the mobile phone 100 may include a single camera, dual cameras, triple cameras or the like, which is not limited in the embodiments of the present application.
For example, the mobile phone 100 may include three cameras, one being a main camera, one a wide-angle camera and one a telephoto camera.
Optionally, when the mobile phone 100 includes multiple cameras, the multiple cameras may all be front-facing, all rear-facing, or partly front-facing and partly rear-facing, which is not limited in the embodiments of the present application.
In addition, although not shown, the mobile phone 100 may also include a Bluetooth module and the like, which are not described here.
It should be noted that the access control methods proposed in the present application apply both to a terminal device accessing local resources and to a terminal device accessing network resources. In the scenario of a terminal device accessing local resources, the access control method is executed by the terminal device; in the scenario of a terminal device accessing network resources, the access control method is executed by the server or terminal device on which the network resource resides, and in this case the terminal device on which the accessing party resides and the server (or terminal device) on which the accessed party resides should have the same token mechanism and the same permission management mechanism.
In addition, the access control methods proposed in the present application can also be used for permission-based access control in centralised systems or distributed systems, and in networks, web services and other kinds of system.
FIG. 2 shows a flowchart of an access control method provided by the present application, which includes:
201. When request information sent by an accessing party for accessing an accessed party is received, determining whether the request information carries a target token.
When request information sent by an accessing party for accessing an accessed party is received, it is detected whether the request information carries a target token. The accessing party here is the subject of the access operation and may be an application, a process, a service or the like; the accessed party is the object of the access operation and may be a software or hardware resource, a file, a service or the like. When the accessing party performs an access operation on the accessed party, it first sends request information, and after obtaining the request information the terminal system detects whether it carries a target token. The target token may be a token specifically applicable to this accessing party's access to this accessed party; that is, the tokens carried by the accessing parties may differ when different accessing parties access the same accessed party, when the same accessing party accesses different accessed parties, and when different accessing parties access different accessed parties.
In addition, the target token is looked up in a pre-built token resource pool and allocated to the accessing party when it is determined that the accessing party has permission to access the accessed party. The terminal system presets an access control permission policy, which defines which subjects are allowed to perform which operations on which objects. Before the accessing party accesses the accessed party, if it is determined according to the access control permission policy that the accessing party has the corresponding access permission, the target token can be found in the token resource pool and allocated to the accessing party. If it is determined according to the access control permission policy that the accessing party does not have the corresponding access permission, no corresponding target token will be found in the token resource pool; that is, no token can be allocated to the accessing party at this time, and without a token the accessed party cannot be accessed. The token resource pool may be shared by the entire access control system; that is, the different tokens used by different accessing parties to access different accessed parties can all be generated and added to this token resource pool, ready to be allocated to the various accessing parties.
If the request information carries a target token, steps 202-203 are performed; if the request information does not carry a target token, step 205 is performed directly.
Optionally, the target token may be generated in the following manner and added to the token resource pool:
(1) when it is detected that the accessed party is started, obtaining the access control permission policy and the flow control policy of the accessed party, where the access control permission policy is used to define the permissions for accessing the accessed party, and the flow control policy is used to define the data flow when the accessed party is accessed;
(2)根据所述访问控制权限策略以及所述流量控制策略,生成所述目标令牌,其中,生成所述目标令牌的种类根据所述访问控制权限策略确定,生成所述目标令牌的数量根据所述流量控制策略确定。(2) Generate the target token according to the access control authority policy and the flow control policy, wherein the type of the target token generated is determined according to the access control authority policy, and the target token is generated The number is determined according to the flow control strategy.
一般情况下,令牌一定是限定客体的(不限定客体的令牌,就是基于整个系统有效的令牌,没有实际管控权限的意义),可以是限定具体的功能特性、API或者特定的操作。令牌可以只限定客体,也可以对主体和客体都限定,这里的主体指访问方,客体指被访问方。例如一个公共服务,提供服务可用状态查询,所有应用都具备此权限,这种情况下就没必要限定主体和访问次数,此为令牌只限定客体的一个实际应用场景。如果是查询钱包余额的服务,那就要限定哪些应用可以访问,甚至于为了安全性,完成一次交互就需要新的令牌,避免令牌的滥用,此为令牌对主体和客体都限定的一个实际应用场景。In general, tokens must limit the object (tokens that do not limit the object are valid tokens based on the entire system and have no meaning for actual control authority), and can limit specific functional features, APIs, or specific operations. The token can only limit the object, or it can limit both the subject and the object, where the subject refers to the visiting party, and the object refers to the visited party. For example, a public service provides service availability status query. All applications have this permission. In this case, there is no need to limit the subject and the number of accesses. This is a practical application scenario where the token only limits the object. If it is a service for querying the wallet balance, it is necessary to limit which applications can be accessed, and even for security, a new token is required to complete an interaction to avoid the abuse of the token. This is the token that limits both the subject and the object. A practical application scenario.
Tokens are usually generated at the initiative of the accessed party. When the terminal system detects that an accessed party (for example an object service resource) has started, it can obtain that party's access control permission policy and flow control policy, where the access control permission policy specifies the permissions under which the accessed party may be accessed and the flow control policy limits the data traffic when the accessed party is accessed; it then generates the target tokens according to both policies, with the type of token determined by the access control permission policy and the number of tokens determined by the flow control policy. Many types of token are possible: according to the access control permission policy, combined with the security level required by the service the accessed party provides, the system may generate single-use tokens bound only to the object, reusable tokens bound only to the object, single-use tokens bound to both object and subject, reusable tokens bound to both object and subject, time-limited tokens, and other categories. On the other hand, a flow control policy can be set according to the accessed party's own service capacity and the network conditions, to determine the number of tokens generated. For example, if the accessed party is a blockchain service with poor performance, the service can be rate-limited, say to 10 accesses per second, and only 5 applications may access it. If 3 of these applications are currently running, 10 tokens per application can be generated, 30 tokens in total; when applications request tokens, at most 10 tokens per second are handed out according to the flow control policy.
Further, after the target token is generated, the method may also include:
When the accessed party is detected to close, delete the target tokens already generated in the token resource pool.
When the accessed party is detected to close, it no longer provides the service being accessed; at that point the target tokens already generated in the token resource pool can be deleted, to avoid the wasted operations of accessing parties continuing to request tokens for access to that accessed party.
Optionally, the target token may be generated and added to the token resource pool in the following manner:
(1) When the accessing party is detected to start, obtain the access control permission policy and the flow control policy of the accessed party, where the access control permission policy specifies the accessing party's permission to access the accessed party and the flow control policy limits the data traffic when the accessed party is accessed;
(2) Generate the target token according to the access control permission policy and the flow control policy, where the type of target token generated is determined by the access control permission policy and the number of target tokens generated is determined by the flow control policy.
Although tokens are usually generated at the initiative of the accessed party, some tokens are also bound to the accessing party, and these can be generated at the initiative of the accessing party. When the terminal system detects that an accessing party (for example an application) has started, it determines from that party's permissions which accessed parties it may access, and can then trigger each of those accessed parties to generate the corresponding tokens. For any accessed party the accessing party may access, tokens can be generated in the same way as the accessed-party-initiated generation described above: obtain the respective access control permission policy and flow control policy, determine the type and number of tokens to generate, and add every generated token to the token resource pool.
Further, after the target token is generated, the method may also include:
When the accessing party is detected to close, delete the target tokens already generated in the token resource pool.
When the accessing party is detected to close (stops running), the target tokens already generated for it in the token resource pool are deleted, which to some extent prevents malicious access.
The two token generation approaches above trigger generation when the accessed party or the accessing party is detected to start. In some cases, a certain number of tokens can also be generated in advance, before the accessing party or the accessed party has started, as a performance optimization.
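The following Python sketch is an added example, not code from the patent, of a token resource pool of the kind described above: the permission policy fixes the kind of token (bound only to the object, or to subject and object; single-use or reusable), the flow control policy fixes how many are generated and how many may be handed out per second, tokens are looked up by the pair of unique identifiers, and tokens are deleted when a party closes. The policy dictionary shapes, the constant names and the `TokenPool` methods are this example's own assumptions.

```python
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Token kinds from the description: bound only to the object (accessed party)
# or to both subject and object, and single-use or reusable.
# The constant names are this example's own.
OBJECT_ONLY_SINGLE = "object_only_single"
OBJECT_ONLY_MULTI = "object_only_multi"
SUBJECT_OBJECT_SINGLE = "subject_object_single"
SUBJECT_OBJECT_MULTI = "subject_object_multi"


@dataclass
class Token:
    token_id: str
    object_id: str               # unique identifier of the accessed party
    subject_id: Optional[str]    # unique identifier of the accessing party; None = unrestricted
    kind: str
    actions: frozenset           # permitted access actions, e.g. {"read"}
    issued_at: float


@dataclass
class TokenPool:
    """Token resource pool shared by the whole access control system (example design)."""
    tokens: dict = field(default_factory=dict)        # token_id -> Token
    issue_limit: dict = field(default_factory=dict)   # object_id -> max hand-outs per second
    issue_log: dict = field(default_factory=lambda: defaultdict(list))  # object_id -> hand-out times

    def generate(self, object_id, permission_policy, flow_policy, running_subjects):
        """Generate tokens for one accessed party when it starts.

        Assumed policy shapes (hypothetical, not from the patent):
          permission_policy = {"public": bool, "allowed_subjects": [...],
                               "single_use": bool, "actions": [...]}
          flow_policy       = {"tokens_per_subject": int, "max_per_second": int}
        The permission policy fixes the token kind, the flow policy the count.
        """
        self.issue_limit[object_id] = flow_policy["max_per_second"]
        single = permission_policy["single_use"]
        if permission_policy["public"]:
            kind = OBJECT_ONLY_SINGLE if single else OBJECT_ONLY_MULTI
            subjects = [None]            # one batch not tied to any subject
        else:
            kind = SUBJECT_OBJECT_SINGLE if single else SUBJECT_OBJECT_MULTI
            # only subjects that are both allowed and currently running get a batch
            subjects = [s for s in running_subjects
                        if s in permission_policy["allowed_subjects"]]
        created = []
        for subj in subjects:
            for _ in range(flow_policy["tokens_per_subject"]):
                tok = Token(secrets.token_hex(8), object_id, subj, kind,
                            frozenset(permission_policy["actions"]), time.time())
                self.tokens[tok.token_id] = tok
                created.append(tok)
        return created

    def lookup(self, subject_id, object_id):
        """Find a token whose information matches both unique identifiers."""
        for tok in self.tokens.values():
            if tok.object_id == object_id and tok.subject_id in (None, subject_id):
                return tok
        return None

    def issue(self, subject_id, object_id, now):
        """Hand a token to an accessing party, subject to the per-second flow limit."""
        recent = [ts for ts in self.issue_log[object_id] if now - ts < 1.0]
        self.issue_log[object_id] = recent
        if len(recent) >= self.issue_limit.get(object_id, float("inf")):
            return None                       # flow control: too many hand-outs this second
        tok = self.lookup(subject_id, object_id)
        if tok is not None:
            recent.append(now)
            if tok.kind.endswith("_single"):
                del self.tokens[tok.token_id]  # single-use tokens leave the pool once issued
        return tok

    def revoke_party(self, party_id):
        """Delete generated tokens when an accessing or accessed party closes."""
        doomed = [k for k, t in self.tokens.items()
                  if party_id in (t.subject_id, t.object_id)]
        for k in doomed:
            del self.tokens[k]
        return len(doomed)
```

With the blockchain-service figures from the description (5 allowed applications, 3 running, 10 tokens each, at most 10 hand-outs per second), `generate` produces 30 subject-and-object tokens and the eleventh `issue` call within one second returns `None`; `revoke_party` on either the application or the service removes exactly the tokens bound to it.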
202. Verify the legality of the target token;
The accessing party carries a target token, so the legality of that token is now verified. Specifically, the integrity of the target token itself can be checked, and it can be verified that the target token is a valid token generated in the token resource pool for this accessed party and allocated to this accessing party.
203. Determine whether the legality verification passes;
If the target token passes legality verification, step 204 is executed; otherwise step 205 is executed.
204. Allow the accessing party to access the accessed party;
If the target token carried by the accessing party passes legality verification, the accessing party has legitimate permission to access the accessed party, and the access is allowed.
205. Deny the accessing party access to the accessed party.
Either the accessing party carries no target token or the target token it carries fails legality verification; both cases indicate that the access may be illegitimate, so the accessing party is denied access to the accessed party.
Before the accessing party accesses the accessed party, it is allocated a token according to its permissions; afterwards, when the accessing party accesses the accessed party, only the legality of the token it carries needs to be verified, which implements token-based access control. With this arrangement, even if an application subject (accessing party) tampers with the corresponding permission information when accessing an object resource (accessed party), it still needs a legitimate token to access the object resource, so illegitimate access by applications to services or resources is effectively reduced and the security of access control is improved.
Figure 3 shows a flowchart of another access control method provided by this application, which includes:
301. On receiving request information sent by an accessing party to access an accessed party, determine whether the request information carries a target token;
The target token is one that, when the accessing party is determined to have permission to access the accessed party, is looked up in a pre-built token resource pool and allocated to the accessing party. If the request information carries a target token, steps 302-303 are executed; if it does not, step 306 is executed directly.
302. Verify the legality of the target token;
303. Determine whether the legality verification passes;
If the legality verification passes, step 304 is executed; otherwise step 305 is executed.
304. Allow the accessing party to access the accessed party;
Steps 301-304 are the same as steps 201-204; see the description of steps 201-204 for details.
305. Deny the accessing party access to the accessed party;
The target token carried by the accessing party fails legality verification, indicating that the access may be illegitimate, so the accessing party is denied access to the accessed party.
306. Look up a target token in the token resource pool and allocate the found target token to the accessing party.
The request information carries no target token, possibly because the accessing party is accessing the accessed party for the first time and has not yet obtained one. In that case a target token can be looked up in the token resource pool and allocated to the accessing party. According to the configured access control permission policy, if the accessing party has access permission, the corresponding target token can be found in the pool; if it lacks access permission, no corresponding target token will be found. After the found target token is allocated to the accessing party, the method returns to step 302 and continues with legality verification of that token. If no target token can be found in the token resource pool, step 305 can be executed directly, that is, access is denied.
Optionally, the target token may be looked up in the token resource pool in the following manner:
(1) Obtain the unique identifier of the accessing party and the unique identifier of the accessed party;
(2) Look up in the token resource pool a token whose token information contains the unique identifier of the accessing party and the unique identifier of the accessed party, and use it as the target token.
Each accessing party or accessed party may have its own unique identifier, such as an ID or a name. This information can be included in a token at generation time, establishing the correspondence between the token, the accessing party and the accessed party. Therefore, a token whose token information contains the unique identifier of the accessing party and the unique identifier of the accessed party can be looked up in the token resource pool and used as the target token.
Optionally, the target token may be looked up in the token resource pool in the following manner:
(1) Obtain pre-stored token index information, which records the accessing-party information and accessed-party information corresponding to each token in the token resource pool;
(2) According to the token index information, look up in the token resource pool the token corresponding to the accessing-party information of this accessing party and the accessed-party information of this accessed party, and use it as the target token.
Alternatively, the token itself may omit the accessing-party and accessed-party information, in which case token index information can be built to record the correspondence between each token and its accessing party and accessed party. The token corresponding to the accessing-party information of this accessing party and the accessed-party information of this accessed party can then be looked up in the token resource pool and used as the target token. Specifically, a token repository can be built to hold the token index information, but this consumes more system resources, so having the token itself contain the accessing-party and accessed-party information is the relatively better approach.
In this embodiment of the application, if the accessing party carries no target token, a target token is looked up in the token resource pool and allocated to the accessing party, after which the legality verification of the target token proceeds. This arrangement makes the access control method applicable to the scenario in which the accessing party accesses the accessed party for the first time, further improving its practicality.
Figure 4 shows a flowchart of another access control method provided by this application, which includes:
401. On receiving request information sent by an accessing party to access an accessed party, determine whether the request information carries a target token;
The target token is one that, when the accessing party is determined to have permission to access the accessed party, is looked up in a pre-built token resource pool and allocated to the accessing party. If the request information carries a target token, steps 402-403 are executed; if it does not, step 407 is executed directly.
402. Check whether the target token has expired;
If the request information carries a target token, first check whether that token has expired. Many tokens are time-limited, so before legality verification the system can check whether the target token carried by the accessing party has expired, to determine whether a new target token needs to be obtained. If the target token has expired, steps 403-404 are executed; if it has not expired, step 404 is executed directly.
403. Look up a new target token in the token resource pool to replace the expired target token;
If the target token currently carried by the accessing party has expired, a new target token can be looked up in the token resource pool to replace it; this usually corresponds to the accessing party accessing the accessed party again.
404. Verify the legality of the target token;
In general, a token may contain, but is not limited to, the following information: the unique identifier of the accessing party; the unique identifier of the accessed party (extensible, for example to distinguish multiple API interfaces of the object); the access action (for example CRUD: create, read, update, delete); a timestamp and validity window; and a key-based signature.
Specifically, legality verification of the target token may include, but is not limited to, the following checks:
(1) Verify the integrity of the target token;
For example, a public key is used to verify the integrity of the target token (by encryption/decryption or by signature); if the target token is intact, this check passes.
(2) Obtain the timestamp of the target token and verify from it whether the target token is within its validity period;
When a token is generated it can include its generation timestamp and a validity period, for example 1 minute; the timestamp and validity period are then used to verify whether the target token is currently within its validity period, and if so this check passes.
(3) Verify that the accessing-party information contained in the target token matches the accessing party, and that the accessed-party information contained in the target token matches the accessed party;
For example, verify whether the accessing party's unique identifier contained in the target token matches the unique identifier of the actual accessing party, and whether the accessed party's unique identifier contained in the token matches that of the actual accessed party; that is, verify that the subject and object declared by the token match the current situation. If they match, this check passes.
(4) Verify that the access action corresponding to the target token matches the access action corresponding to the request information.
Verify whether the access action declared by the target token matches the access action currently requested by the accessing party; if they match, this check passes. For example, if the accessing party holds a token for a query operation but wants to perform a modify operation on the accessed party, verification fails.
405. Determine whether the legality verification passes;
If the legality verification passes, step 406 is executed; otherwise step 407 is executed.
406. Allow the accessing party to access the accessed party;
407. Deny the accessing party access to the accessed party.
Steps 405-407 are the same as steps 203-205; see the description of steps 203-205 for details.
In this embodiment of the application, if the target token carried by the accessing party has expired, a new target token is looked up in the token resource pool to replace it, after which legality verification of the target token proceeds. This arrangement makes the access control method applicable to the scenario in which the accessing party accesses the accessed party again, further improving its practicality.
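As an added example, not code from the patent, the Python below implements the four legality checks of step 404 (integrity, validity period, subject/object match, action match) together with the Figure 4 control flow of steps 401-407 (no token: deny; expired token: replace from the pool, then verify). The token layout follows the field list given for step 404. It uses an HMAC keyed signature in place of the public-key verification the text mentions, simply so that it runs stand-alone; the key, the dictionary layout and the `lookup_token` callback are this example's own assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; in a deployment the access control module would hold it.
ACCESS_CONTROL_KEY = b"demo-key-not-for-production"


def _sign(payload: dict) -> str:
    """Keyed signature over a canonical encoding of the token payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ACCESS_CONTROL_KEY, data, hashlib.sha256).hexdigest()


def make_token(subject_id, object_id, action, issued_at, window):
    """Token fields follow the description: subject, object, action, timestamp with window, signature."""
    payload = {"subject": subject_id, "object": object_id, "action": action,
               "issued_at": issued_at, "window": window}
    return {"payload": payload, "sig": _sign(payload)}


def is_expired(token, now):
    """Step 402: past the end of the validity window derived from the timestamp."""
    p = token["payload"]
    return now > p["issued_at"] + p["window"]


def verify_token(token, subject_id, object_id, action, now):
    """Step 404: the four checks, in order. Returns (passed, reason)."""
    p = token["payload"]
    # (1) integrity: recompute the keyed signature over the payload, constant-time compare
    if not hmac.compare_digest(_sign(p), token["sig"]):
        return False, "integrity"
    # (2) validity period from the timestamp and window
    if now < p["issued_at"] or is_expired(token, now):
        return False, "expired"
    # (3) declared subject and object must match the actual parties
    if p["subject"] != subject_id or p["object"] != object_id:
        return False, "party_mismatch"
    # (4) declared action must match the requested action
    if p["action"] != action:
        return False, "action_mismatch"
    return True, "ok"


def control_access(request, lookup_token, now=None):
    """Steps 401-407 of Figure 4.

    request: {"subject": ..., "object": ..., "action": ..., "token": ... or absent}
    lookup_token(subject_id, object_id): hypothetical pool lookup returning a
    fresh token or None. Returns (decision, reason).
    """
    now = time.time() if now is None else now
    token = request.get("token")
    if token is None:                                   # 401: no token -> 407
        return "deny", "no_token"
    if is_expired(token, now):                          # 402
        token = lookup_token(request["subject"], request["object"])   # 403
        if token is None:
            return "deny", "no_replacement"
    ok, reason = verify_token(token, request["subject"], request["object"],
                              request["action"], now)  # 404
    return ("allow" if ok else "deny"), reason          # 405 -> 406 / 407
```

The reason string identifies which of the four checks failed, which is what a defender wants logged: a steady stream of `integrity` failures from one subject looks quite different from occasional `expired` replacements. The wallet example from the text (a token for a query operation presented for a modify operation) fails at check (4) with `action_mismatch`.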
It should be understood that the numbering of the steps in the above embodiments does not imply an order of execution; the order in which each process executes should be determined by its function and internal logic, and places no limitation on the implementation of the embodiments of this application.
For ease of understanding, several practical application scenarios are used below to illustrate the access control method proposed in this application.
Figure 5 is a schematic diagram of the access control method proposed in this application in one practical application scenario.
In Figure 5, the accessing party is an APP whose access control permissions were configured during installation, and the accessed party is a service/resource. Before the APP accesses the service/resource, it can request a token; if the APP has permission to access the service/resource, the corresponding token can be found in the token resource pool and allocated to the APP. While the APP accesses the service/resource carrying the token, the legality of the token is verified; if verification passes, the APP is allowed to access the service/resource, otherwise it is denied.
Figure 6 is a schematic diagram of how the tokens in the token resource pool of Figure 5 are generated.
In Figure 6, the access control module is the functional module in the terminal system that enforces the access control mechanism; when it detects that an accessing party or accessed party has started, it triggers the token generation flow. First, the access control module obtains from the permission policy library the preset permission policy for the accessing party to access the accessed party, and from the flow control policy library the accessed party's current flow control policy. It then generates tokens of the corresponding number and type according to the obtained access control permission policy and flow control policy. The type of token generated is determined mainly by the obtained access control permission policy; Figure 6 shows four types of token (single-use tokens bound only to the object, reusable tokens bound only to the object, single-use tokens bound to subject and object, and reusable tokens bound to subject and object). The number of tokens generated is determined mainly by the obtained flow control policy. Clearly, the token generation policy can be changed by modifying the access control permission policy or the flow control policy. A generated token may contain the unique identifier of the accessing party and the unique identifier of the accessed party, along with other related information. Finally, the generated tokens are added to the token resource pool for use when the accessing party accesses the accessed party.
In addition, the access control module can manage the life cycle of tokens; for example, when it detects that an accessing party has closed, it can find the corresponding tokens in the token resource pool by the accessing party's unique identifier or the unique identifiers of the related accessed parties, and delete those generated tokens.
Figure 7 is a schematic diagram of the legality verification of the token while the APP of Figure 5 accesses the service/resource carrying the token. In Figure 7, the access control module is the functional module in the terminal system that enforces the access control mechanism; while the APP accesses the service/resource carrying the token, the access control module verifies the legality of the token. The specific checks may include: verifying the token's integrity, verifying the timestamp validity window, verifying the object's unique identifier, verifying the subject's unique identifier, and verifying the access action. If the token passes legality verification, the APP is allowed to access the service/resource; otherwise it is denied.
Figure 8 is a schematic diagram of access control when the APP of Figure 5 accesses the service/resource for the first time, and Figure 9 is a schematic diagram of access control when the APP of Figure 5 accesses the service/resource again.
In Figure 8, the APP is accessing the service/resource for the first time and therefore carries no token. The access control module must look up the corresponding token in the token resource pool by the unique identifier of the APP and the unique identifier of the service/resource. The access control module then allocates the found token to the APP, the APP accesses the service/resource carrying the token, and the token verification process of Figure 7 follows.
In Figure 9, the APP is accessing the service/resource again and therefore already carries a token. First it is checked whether the token has expired; if not, the token verification process of Figure 7 can be performed directly. If the token has expired, the access control module likewise looks up a new token in the token resource pool by the unique identifier of the APP and the unique identifier of the service/resource to replace the expired token, and the token verification process of Figure 7 is then performed.
Fig. 10 shows a structural block diagram of the access control apparatus provided by an embodiment of the present application. For ease of description, only the parts related to the embodiment are shown.
Referring to Fig. 10, the apparatus includes:
an access request receiving module 501, configured to determine, upon receiving request information sent by an accessing party to access an accessed party, whether the request information carries a target token, the target token being one that was looked up in a pre-built token resource pool and allocated to the accessing party once it was determined that the accessing party has permission to access the accessed party;
a token verification module 502, configured to verify the legitimacy of the target token if the request information carries a target token;
an access permission module 503, configured to allow the accessing party to access the accessed party after the legitimacy verification passes.
Further, the access control apparatus may also include:
a token lookup module, configured to look up a target token in the token resource pool if the request information does not carry a target token, and to allocate the found target token to the accessing party.
Further, the access control apparatus may also include:
a token validity checking module, configured to check whether the target token has expired;
a token replacement module, configured to, if the target token has expired, look up a new target token in the token resource pool to replace the expired target token.
Further, the access control apparatus may also include:
a first policy acquisition module, configured to acquire, when start-up of the accessed party is detected, the access control permission policy and the flow control policy of the accessed party, where the access control permission policy defines the permissions under which the accessed party may be accessed, and the flow control policy limits the data traffic when the accessed party is accessed;
a first token generation module, configured to generate the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined by the access control permission policy and the number of target tokens generated is determined by the flow control policy.
Further, the access control apparatus may also include:
a second policy acquisition module, configured to acquire, when start-up of the accessing party is detected, the access control permission policy and the flow control policy of the accessed party, where the access control permission policy defines the permission of the accessing party to access the accessed party, and the flow control policy limits the data traffic when the accessed party is accessed;
a second token generation module, configured to generate the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined by the access control permission policy and the number of target tokens generated is determined by the flow control policy.
Still further, the access control apparatus may also include:
a token deletion module, configured to delete the generated target token from the token resource pool when shutdown of the accessing party is detected.
Further, the access control apparatus may also include:
an identifier acquisition module, configured to acquire the unique identifier of the accessing party and the unique identifier of the accessed party;
a first token lookup module, configured to look up, in the token resource pool, a token whose token information contains the unique identifier of the accessing party and the unique identifier of the accessed party, as the target token.
Further, the access control apparatus may also include:
a token index acquisition module, configured to acquire pre-stored token index information, where the token index information records the accessing-party information and the accessed-party information corresponding to each token in the token resource pool;
a second token lookup module, configured to look up, in the token resource pool according to the token index information, the token corresponding to the accessing-party information of the accessing party and the accessed-party information of the accessed party, as the target token.
Further, the token verification module may include:
an integrity verification unit, configured to verify the integrity of the target token;
a timestamp acquisition unit, configured to acquire the timestamp of the target token;
a validity period verification unit, configured to verify, according to the timestamp, whether the target token is within its validity period;
an accessing-party information verification unit, configured to verify whether the accessing-party information contained in the target token is consistent with the accessing party;
an accessed-party information verification unit, configured to verify whether the accessed-party information contained in the target token is consistent with the accessed party;
an action verification unit, configured to verify whether the access action corresponding to the target token is consistent with the access action corresponding to the request information.
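As an added example, not code from the patent or from its applicant, the following Python sketch implements the flow of Figs. 7 to 9 and the verification units listed above: a token resource pool filled from a constructed access control policy (token kind) and flow control policy (token count), lookup by subject and object identifier, allocation on first access, replacement on expiry, and the integrity, timestamp, subject, object and action checks. The policy layout, the HMAC-based integrity check, and stamping the timestamp when a token is allocated rather than when it is created are assumptions.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import asdict, dataclass, replace

# Constructed sample policies (hypothetical shape; the patent fixes no format).
# Access control policy: which accessing party may perform which action on the
# accessed party; it decides the KIND of tokens that exist for that object.
ACCESS_POLICY = {
    "camera_service": {"app.gallery": ["read"], "app.scanner": ["read", "write"]},
}
# Flow control policy: tokens per kind; it decides the NUMBER of tokens minted,
# i.e. how many accesses of that kind the accessed party will accept.
FLOW_POLICY = {"camera_service": 2}


@dataclass(frozen=True)
class Token:
    subject: str        # unique identifier of the accessing party
    obj: str            # unique identifier of the accessed party
    action: str         # access action this token authorises
    ttl: int            # validity window in seconds
    issued_at: int = 0  # timestamp, set when the token is allocated (assumption)
    nonce: str = ""     # set when the token is allocated
    mac: str = ""       # HMAC over all other fields: the integrity check

    def body(self) -> bytes:
        fields = {k: v for k, v in asdict(self).items() if k != "mac"}
        return json.dumps(fields, sort_keys=True).encode()


class AccessControlModule:
    def __init__(self, key: bytes, ttl: int = 60, clock=time.time):
        self._key = key      # known only to the access control module
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        # token resource pool, indexed by (subject id, object id) as in claim 8
        self._pool: dict[tuple[str, str], list[Token]] = {}

    def _stamp(self, blank: Token) -> Token:
        t = replace(blank, issued_at=int(self._clock()), nonce=os.urandom(8).hex())
        mac = hmac.new(self._key, t.body(), hashlib.sha256).hexdigest()
        return replace(t, mac=mac)

    def on_object_started(self, obj: str) -> None:
        """Accessed party starts: fill the pool from both policies (claim 4)."""
        for subject, actions in ACCESS_POLICY.get(obj, {}).items():
            bucket = self._pool.setdefault((subject, obj), [])
            for action in actions:                        # kind: access policy
                for _ in range(FLOW_POLICY.get(obj, 0)):  # count: flow policy
                    bucket.append(Token(subject, obj, action, self._ttl))

    def on_subject_closed(self, subject: str) -> None:
        """Accessing party exits: delete its tokens from the pool (claim 6)."""
        for key in [k for k in self._pool if k[0] == subject]:
            del self._pool[key]

    def lookup(self, subject: str, obj: str, action: str):
        """Find a pool token for this subject/object pair and allocate it."""
        bucket = self._pool.get((subject, obj), [])
        for i, blank in enumerate(bucket):
            if blank.action == action:
                return self._stamp(bucket.pop(i))
        return None  # no permission of that kind, or the flow budget is used up

    def expired(self, token: Token) -> bool:
        return self._clock() > token.issued_at + token.ttl

    def verify(self, token: Token, subject: str, obj: str, action: str) -> str:
        """The legitimacy checks of Fig. 7: "ok" or the first failing check."""
        expect = hmac.new(self._key, token.body(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, token.mac):
            return "integrity"
        if not token.issued_at <= self._clock() <= token.issued_at + token.ttl:
            return "timestamp"
        if token.subject != subject:
            return "subject"
        if token.obj != obj:
            return "object"
        if token.action != action:
            return "action"
        return "ok"

    def request(self, subject: str, obj: str, action: str, token=None):
        """Figs. 8 and 9: returns (allowed, token to carry next time, reason)."""
        if token is None:               # first access: no token carried yet
            token = self.lookup(subject, obj, action)
            if token is None:
                return False, None, "no token available"
        elif self.expired(token):       # repeat access with an expired token
            token = self.lookup(subject, obj, action)
            if token is None:
                return False, None, "no replacement token"
        result = self.verify(token, subject, obj, action)
        return result == "ok", token, result
```

Because the flow budget is spent by allocation and only refilled when the accessed party restarts, a third "read" by app.gallery is refused even though the policy permits the action; this is the traffic limit the flow control policy is meant to impose.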
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of each access control method proposed in the present application.
An embodiment of the present application further provides a computer program product which, when run on a terminal device, causes the terminal device to execute the steps of each access control method proposed in the present application.
Fig. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application. As shown in Fig. 11, the terminal device 6 of this embodiment includes: at least one processor 60 (only one is shown in Fig. 11), a memory 61, and a computer program 62 stored in the memory 61 and runnable on the at least one processor 60; when the processor 60 executes the computer program 62, the steps in any of the access control method embodiments described above are implemented.
The terminal device 6 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 60 and the memory 61. Those skilled in the art will understand that Fig. 11 is merely an example of the terminal device 6 and does not constitute a limitation on it; it may include more or fewer components than shown, combine certain components, or have different components, and may for example also include input/output devices, network access devices and so on.
The processor 60 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
In some embodiments the memory 61 may be an internal storage unit of the terminal device 6, such as the hard disk or main memory of the terminal device 6. In other embodiments the memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the terminal device 6. Further, the memory 61 may include both an internal storage unit and an external storage device of the terminal device 6. The memory 61 is used to store the operating system, application programs, the boot loader (BootLoader), data and other programs, such as the program code of the computer program. The memory 61 may also be used to temporarily store data that has been or will be output.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional units and modules above is only illustrative; in practical applications the functions above may be assigned to different functional units or modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above. The functional units and modules in the embodiments may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing them from one another and are not intended to limit the protection scope of the present application. For the specific working process of the units and modules in the apparatus above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of the modules or units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments of the present application may be accomplished by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments above. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include at least: any entity or apparatus capable of carrying the computer program code to the terminal device, a recording medium, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, and a software distribution medium, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disc. In some jurisdictions, in accordance with legislation and patent practice, computer-readable media may not be electrical carrier signals or telecommunication signals.
The above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and shall all fall within the protection scope of the present application.

Claims (12)

  1. An access control method, characterized in that it comprises:
    upon receiving request information sent by an accessing party to access an accessed party, determining whether the request information carries a target token, the target token being one that was looked up in a pre-built token resource pool and allocated to the accessing party once it was determined that the accessing party has permission to access the accessed party;
    if the request information carries a target token, performing legitimacy verification on the target token;
    after the legitimacy verification passes, allowing the accessing party to access the accessed party.
  2. The access control method according to claim 1, characterized in that, after determining whether the request information carries a target token, the method further comprises:
    if the request information does not carry a target token, looking up a target token in the token resource pool and allocating the found target token to the accessing party.
  3. The access control method according to claim 1, characterized in that, before performing legitimacy verification on the target token, the method further comprises:
    checking whether the target token has expired;
    if the target token has expired, looking up a new target token in the token resource pool to replace the expired target token.
  4. The access control method according to claim 1, characterized in that the target token is generated and added to the token resource pool in the following manner:
    when start-up of the accessed party is detected, acquiring the access control permission policy and the flow control policy of the accessed party, where the access control permission policy defines the permissions under which the accessed party may be accessed, and the flow control policy limits the data traffic when the accessed party is accessed;
    generating the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined by the access control permission policy and the number of target tokens generated is determined by the flow control policy.
  5. The access control method according to claim 1, characterized in that the target token is generated and added to the token resource pool in the following manner:
    when start-up of the accessing party is detected, acquiring the access control permission policy and the flow control policy of the accessed party, where the access control permission policy defines the permission of the accessing party to access the accessed party, and the flow control policy limits the data traffic when the accessed party is accessed;
    generating the target token according to the access control permission policy and the flow control policy, where the kind of target token generated is determined by the access control permission policy and the number of target tokens generated is determined by the flow control policy.
  6. The access control method according to claim 5, characterized in that, after generating the target token, the method further comprises:
    when shutdown of the accessing party is detected, deleting the generated target token from the token resource pool.
  7. The access control method according to claim 1, characterized in that the target token is looked up in the token resource pool in the following manner:
    acquiring the unique identifier of the accessing party and the unique identifier of the accessed party;
    looking up, in the token resource pool, a token whose token information contains the unique identifier of the accessing party and the unique identifier of the accessed party, as the target token.
  8. The access control method according to claim 1, characterized in that the target token is looked up in the token resource pool in the following manner:
    acquiring pre-stored token index information, where the token index information records the accessing-party information and the accessed-party information corresponding to each token in the token resource pool;
    looking up, in the token resource pool according to the token index information, the token corresponding to the accessing-party information of the accessing party and the accessed-party information of the accessed party, as the target token.
  9. The access control method according to any one of claims 1 to 8, characterized in that performing legitimacy verification on the target token comprises:
    verifying the integrity of the target token;
    and/or
    acquiring the timestamp of the target token;
    verifying, according to the timestamp, whether the target token is within its validity period;
    and/or
    verifying whether the accessing-party information contained in the target token is consistent with the accessing party;
    verifying whether the accessed-party information contained in the target token is consistent with the accessed party;
    and/or
    verifying whether the access action corresponding to the target token is consistent with the access action corresponding to the request information.
  10. An access control apparatus, characterized in that it comprises:
    an access request receiving module, configured to determine, upon receiving request information sent by an accessing party to access an accessed party, whether the request information carries a target token, the target token being one that was looked up in a pre-built token resource pool and allocated to the accessing party once it was determined that the accessing party has permission to access the accessed party;
    a token verification module, configured to perform legitimacy verification on the target token if the request information carries a target token;
    an access permission module, configured to allow the accessing party to access the accessed party after the legitimacy verification passes.
  11. A terminal device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the access control method according to any one of claims 1 to 9.
  12. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the access control method according to any one of claims 1 to 9.
PCT/CN2020/125522 2020-01-22 2020-10-30 Access control method and apparatus, terminal device, and storage medium WO2021147442A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010075429.2A CN113158198A (en) 2020-01-22 2020-01-22 Access control method, device, terminal equipment and storage medium
CN202010075429.2 2020-01-22

Publications (1)

Publication Number Publication Date
WO2021147442A1 true WO2021147442A1 (en) 2021-07-29

Also Published As

Publication number Publication date
CN113158198A (en) 2021-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 20915301
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 20915301
Country of ref document: EP
Kind code of ref document: A1