WO2023280009A1 - Access control method and apparatus, device, and storage medium - Google Patents
Access control method and apparatus, device, and storage medium Download PDFInfo
- Publication number
- WO2023280009A1 WO2023280009A1 PCT/CN2022/101766 CN2022101766W WO2023280009A1 WO 2023280009 A1 WO2023280009 A1 WO 2023280009A1 CN 2022101766 W CN2022101766 W CN 2022101766W WO 2023280009 A1 WO2023280009 A1 WO 2023280009A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- access
- account
- identity
- media data
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000004590 computer program Methods 0.000 claims description 6
- 238000004891 communication Methods 0.000 description 18
- 238000010586 diagram Methods 0.000 description 13
- 238000013475 authorization Methods 0.000 description 11
- 230000001815 facial effect Effects 0.000 description 5
- 235000019580 granularity Nutrition 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2137—Time limited access, e.g. to a computer or data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present application relates to the technical field of terminals, and in particular to an access control method, device, device, and storage medium.
- HyperTerminal supports functions such as distributed file search, distributed file browsing, and distributed file editing.
- Figure 1a is a schematic diagram of a distributed file global search performed by a hyper terminal in the prior art.
- the user can enter the keyword "examination materials" in the file search box, and the search results can include the corresponding files of the machine and the same account Corresponding files stored in other devices under .
- the hyperterminal can be a shared device.
- the shared device can be a terminal that has no password or can be unlocked by multiple people, and the login account of the shared device is the same as the login account of another or more devices. If the same, the person using the shared device can view the media data stored on the private device logged in with the same account as the shared device through the shared device. The privacy and security of the data stored on the private device cannot be guaranteed, which reduces the user experience. .
- Embodiments of the present invention provide an access control method, device, device, and storage medium.
- the secondary authentication interface can be pulled up in real time according to the access timing of the accessing user, and the user can only access the target after passing the secondary authentication.
- Media data thereby ensuring the privacy and security of media data stored on devices logged in with the same account, and improving user experience.
- an embodiment of the present application provides a cross-device access control method, which is executed on the first device, and the method includes: when requesting to access cross-device media data, if it is determined that the first device has exceeded the authentication time limit, then The current user performs secondary authentication, and updates the authentication timeliness after the secondary authentication is passed; and sends cross-device access request information to the second device after the secondary authentication is passed, and the cross-device access request information includes the cross-device access request information passed through the The authentication account for the second authentication, so as to obtain the first access authority through the authentication account, and access the target media data stored in the second device across devices based on the first access authority.
- the determining that the first device has currently exceeded the authentication time limit includes: determining whether the first device is currently within the latest authentication time limit, wherein the latest authentication includes the first authentication or the second authentication, the First-time authentication includes screen unlock authentication.
- performing secondary authentication on the current user includes: if it is determined that the first device is currently out of the authentication time limit, and determining the second access based on the authentication identity
- performing secondary authentication on the current user includes: if it is determined that the first device is currently out of the authentication time limit, and determining the second access based on the authentication identity
- the authority access fails, perform secondary authentication on the current user, and update the authentication time limit after the secondary authentication is passed; and obtain the first access according to the authentication account that has passed the secondary authentication after the secondary authentication is passed permission, and based on the access permission, cross-device access to the target media data stored in the second device.
- the determination that the access to the second access right corresponding to the authentication identity fails after the determination that the first device has expired the authentication time limit, it further includes: sending cross-device access request information to the second device, the The cross-device access request information includes an authentication identity, so as to obtain a second access right through the authentication identity, and access the target media data stored in the second device across devices based on the second access right, and determine whether it is successful Target media data stored in the second device is accessed.
- the authentication identity before obtaining the second access right through the authentication identity, it also includes: marking the identity that has passed the latest authentication as the authentication identity.
- marking the authenticated identity as the authenticated identity includes: acquiring current user identity information during the authentication phase, and marking the authenticated identity as matching the current user identity information The authentication ID.
- the method further includes: clearing the authentication time limit and the authentication identity if a lock screen event is detected.
- the determining whether to successfully access the target media data stored in the second device includes: obtaining an authentication result sent by the second device, and determining whether the access is successful according to the authentication result; wherein, if the access fails , the authentication result includes: access failure prompt information and access failure reasons.
- another embodiment of the present application provides an access control method executed on a second device.
- the method includes: acquiring cross-device access request information sent by the first device, if the cross-device access request information includes If the authentication account of the secondary authentication is used, then the authentication account is authenticated to determine the files or folders that the authentication account can access and the operation authority to the files or folders; wherein, in determining the first When the target file requested by the device exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the access result of the first device is fed back to the first device according to the authentication result. equipment.
- the first device performs cross-device access to the second device, it also includes: configuring device accounts and user identities that can access the media data of the second device, so as to obtain one or more authorized accounts and One or more authorized identities; and configure the media data accessible by the authorized account and authorized identities, and configure the operation permissions of the authorized accounts and authorized identities on the accessible media data, the operation permissions include only Read permission or read and write permission.
- the configuring the media data accessible by the authorized account includes: configuring the access rights at the granularity of individual media data; or configuring the access rights at the granularity of media data groups; wherein, the single media data is A single file, the media data set is a single folder.
- the cross-device access request information includes an authentication identity
- access authentication is performed on the authentication account to determine the files or folders accessible by the authentication identity and the access to the files or folders.
- Operation authority wherein, when it is determined that the target file requested by the first device exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the second The access result of a device is fed back to the first device.
- an access control device including: a processor and a memory, the memory is used to store at least one instruction, and when the instruction is loaded and executed by the processor, the first The cross-device access control method provided by the aspect or the access control method provided by the second aspect.
- the access control device may be a component (such as a chip) of a device.
- another embodiment of the present application further provides a device, which may include a device body and the access control apparatus provided in the fourth aspect.
- another embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the cross-device access control method provided in the first aspect or the second The access control method provided by the aspect.
- Fig. 1a is a schematic diagram of a global search of distributed files performed by a hyper terminal in the prior art
- Figure 1b is a schematic diagram of device data security risks in a home scenario in the prior art
- Figure 1c is a schematic diagram of sharing files through airdrop in the prior art
- FIG. 2 provides a schematic diagram of a distributed architecture according to an embodiment of the present application
- FIG. 3 is a flow chart of cross-device access to media data provided by an embodiment of the present application.
- Fig. 4a is a flow chart of personal device authorization provided by another embodiment of the present application.
- FIG. 4b is a flowchart of a cross-device access control method according to another embodiment of the present application.
- Fig. 4c is a flow chart of secondary authentication provided by another embodiment of the present application.
- Figure 4d is a schematic diagram of the authentication time limit provided by an embodiment of the present application.
- FIG. 4e is a flowchart of a cross-device access control method according to another embodiment of the present application.
- Figure 4f is a schematic diagram of the timeliness of the authentication identity mark provided by the present application in one embodiment
- Fig. 4g is a schematic diagram of secondary authentication provided by the present application in an embodiment after the authentication identity mark acquisition authorization fails;
- Fig. 5 is a flow chart of an apparatus for cross-device access control provided by another embodiment of the present application.
- terminal devices logged in with the same account can be used to form a hyperterminal, and the hyperterminal may include several shared devices and several personal devices.
- Personnel who can use the shared device for example, can unlock the shared device
- can perform operations such as distributed file search, distributed file browsing, and distributed file editing on other personal devices logged in with the same account through the shared device.
- the privacy and security of media data is violated.
- Fig. 1b is a schematic diagram of device data security risks in a family scenario in the prior art. As shown in Fig. 1b, this scenario may include shared devices logged in with account A and personal devices logged in with account A (logged in with the same account).
- the shared device may be a large screen and/or a tablet computer (PAD), and the personal device may be a private terminal such as a mobile phone.
- PAD tablet computer
- the media data stored in the personal device logged in with account A can be accessed through the media library of the shared device.
- family members may include: grandpa, grandma, dad, mom, kids.
- Devices such as tablets and large screens in the family usually log in with the account of a certain family member (such as dad), and the whole family members use them together, and the login accounts of devices such as tablets and large screens are rarely switched.
- the non-account corresponding user (dad) is using the shared device, the non-account corresponding user may conduct distributed query files through the shared device and query important files in the personal device of the account corresponding user (dad), which may cause errors. The operation caused the problem that the data in the personal device (mobile phone) of the account corresponding to the user (dad) was damaged or lost.
- family members can access personal devices logged in with the same account through shared devices, which poses potential data privacy and data security risks for devices under the same account.
- the shared device can be a large conference screen, and the large conference screen is usually logged into the personal account of a certain secretary, and the personal device of the secretary is also logged in through the personal account, and the large conference screen is shared by all colleagues in the department , and the big screen of the meeting seldom switches the login account.
- the private terminal can be the mobile phone or personal computer of each member in the department.
- a shared device logged into account A cannot directly access media data of a personal device logged into account B.
- the shared device needs to enable cross-device access by enabling the cloud album function. Specifically, the shared device logs in to the cloud account before cross-device access, transfers through the cloud, and realizes cross-device access to media data. After the access, it can be closed. Cloud photo album function.
- the screen of the user's personal device can be projected to the public device by scanning the code or entering the verification code, etc. After the sharing is completed, the connection is disconnected and the connection relationship is clear. If you need to share again, you need to scan the code again or enter the verification code to cast the screen.
- Figure 1c is a schematic diagram of sharing files through airdrop in the prior art.
- the user can click the "Share” button; or press and hold the "control” button in “Access”.
- an embodiment of the present application provides an access control method. Before the user accesses the media data in the personal device logged in with the same account or logged in with the authorized account through the shared device, it is determined that the current state information satisfies the trigger authentication condition , perform secondary authentication on the current user of the shared device to ensure the privacy and security of the media data in the accessed personal device.
- FIG. 2 is a schematic diagram of a distributed architecture according to an embodiment of the present application.
- the distributed architecture may include a shared device 21 and a personal device group 22 .
- the personal device group may include personal devices logged in through the same account and personal devices logged in through different accounts, wherein the shared device may log in to the corresponding account of any personal device in the personal device group, and the shared device may be a or multiple devices that do not have a password or that can be unlocked by multiple people.
- the shared device 21 may be a large-screen device
- the personal device group 22 may include a mobile phone, a tablet computer, and a notebook computer.
- the mobile phone and tablet computer use account A to log in, the laptop computer uses account B to log in, and the large-screen device and the mobile phone and tablet computer use the same account (account A) to log in.
- the distributed architecture of the embodiment shown in FIG. 2 is an implementation manner in this application, and is not limited thereto. There can also be other implementations, for example, both the large screen and the tablet computer are used as the shared device 21, multiple mobile phones can be included in the personal device group 22, and the login account of each mobile phone is not the same, and the large screen or tablet computer can log in to multiple mobile phones.
- FIG. 3 is a flow chart of cross-device access to media data provided by another embodiment of the present application.
- authorized media data in a device logged in with an authorized account can be accessed through a shared device.
- the authorized account may include an account that is the same as and/or different from the account logged into the shared device, that is, a device that the accessed device (target device) can discover (compared with the login account of the device, the login account of the same device and/or a device logged in with a different account) to perform authorization, and the authorized device can access the authorized media data in the accessed device (target device) across devices.
- the authorized media data may include media data of different granularities authorized and accessible in the target device (accessed device), and the media data may include document data, image data, video data, and the like.
- the HyperTerminal the first device
- the HyperTerminal the second device
- an access request needs to be sent through the media library of the accessing device
- the media library of the accessed device can authenticate the cross-device access request of the accessing device, so the media library (Media Library) is the only global access control point of the HyperTerminal.
- the media library of the personal device can perform access authorization to the devices in the distributed architecture, that is, the device authorized to log in to the set account can access the authorized media data stored locally (in the personal device).
- the user When a user uses other devices (such as a shared device) to access a personal device across devices, the user first unlocks the shared device (unlock the screen) to complete the first authentication. Further, the user operates on the cross-device access interface of the shared device to request access to the media data of the target personal device, and the media library of the shared device undergoes secondary authentication, and the target personal device can only be authorized for access after the secondary authentication is passed. Media data for access operations.
- the above specific operation of sending the cross-device access request includes: the application in the shared device that logs in account A sends cross-device access request information to the media library of the shared device, and the cross-device access request information may include target device information and target media data information,
- the target device information is a personal device logged in account B
- the target media data information is a photo album in the personal device.
- the identification information of the target device may be carried in the cross-device access request information to accurately indicate the target device that the user wants to access.
- the media library of the shared device can determine whether secondary authentication is currently required. If secondary authentication is not required, the media library of the shared device initiates a connection to the target device through the communication bus. And after the connection is successful, the cross-device access request information is sent to the target device through the communication bus, wherein the cross-device access request information may carry the authentication result of the latest authentication. If secondary authentication is required, the media library of the shared device starts secondary authentication, and after the authentication is successful, the media library of the shared device initiates a connection to the target device through the communication bus, and after the connection is successful, the cross-device The access request information is sent to the target device, wherein the cross-device access request information may carry the current secondary authentication authentication result.
- the authentication result carried in the above cross-device access request information may include authentication account information.
- the media library of the target device can determine whether the corresponding account has access rights according to the authentication account information in the cross-device access request information. Determine the specific permissions of the account corresponding to the authentication account information. Furthermore, the media library of the target device can send the obtained authentication account information corresponding to the specific authority of the account to the distributed file system of the target device, and the distributed file system of the target device provides corresponding access services for the shared device according to the specific authority.
- the media library of the target device can determine that the corresponding account does not have access rights according to the authentication account information in the cross-device access request information, the media library of the target device can feed back the authentication result to the sharing device through the communication bus.
- the corresponding account does not have access rights may include that the account does not have access rights to any media data of the target device, or the account does not have access rights to the target media data information to be accessed this time.
- the media library of the target device determines that the shared device has access rights, it can also transmit the target media data that the shared device wants to access this time to the shared device through the communication bus, so that the shared device can transfer the target media to the shared device.
- the data is cached in the distributed file system of the shared device. If the shared device accesses the target media data again within the effective cache time period, there is no need to perform cross-device access again, and the target cached in the distributed file system of the shared device can be directly accessed media data.
- Personal devices can pre-authorize access to devices in the distributed architecture, where the authorization operation can include authorizing a login account that can access local media data (that is, the account logged in by the authorized device), authorizing the corresponding device (the device that logs in to the authorized account) ) can be accessed by local applications (system applications, third-party applications), and authorize the corresponding device (the device that logs in to the authorized account) to operate the local media data (read-only, read-write).
- the authorization operation can include authorizing a login account that can access local media data (that is, the account logged in by the authorized device), authorizing the corresponding device (the device that logs in to the authorized account) ) can be accessed by local applications (system applications, third-party applications), and authorize the corresponding device (the device that logs in to the authorized account) to operate the local media data (read-only, read-write).
- FIG. 4a is a flow chart of personal device authorization provided by another embodiment of the present application.
- the media data sharing permission can be configured through the media library of the personal device, wherein.
- the configuration mode of the media sharing authority may include batch configuration and individual configuration.
- one or more groups of media data can be configured for sharing rights, wherein the group of media data can be the data stored in the target folder. That is, you can configure sharing permissions for a folder.
- the sharing permission configuration can be performed at the granularity of a single media data, where the granularity of a single media data can be a certain picture, a current segment of video, or a certain text file. That is, you can configure sharing permissions for a picture, a video or a text file.
- At least an account that can access the target media data is configured.
- the login accounts included in the device group under the distributed architecture include account A, account B, account C . . .
- the account that can access the local media data among the above-mentioned multiple accounts can be configured through the media library of the personal device.
- the target account (such as account A and account B) can be used as the authorized account, and the login account A Or the corresponding device logged in account B can access the device across devices.
- some users do not have their own accounts, but such users can use the shared device to access other devices across devices.
- you can configure The user of can only access the shareable data in the local media data, and the shareable data can be a shared album in an album, a shared video in a video application, and a shared contact in an address book.
- the sharing authority of the shared data can be pre-configured.
- account A of the tablet computer is logged in as an account registered by "dad” in the family member, and both "mother” and “child” in the family member can unlock the tablet computer. If the tablet computer recognizes the current user information "child” in the unlocking stage, and marks the “child” identity) as the authentication identity ("child" identity) after the user passes the unlock authentication.
- the applications that can be accessed by devices that log in to the authorized account are also possible.
- system applications such as photo album, memo, etc.
- third-party applications such as video APP, music APP, online class APP, WPS, etc.
- the operation authority of the device that logs in the authorized account to the accessible media data.
- the operation authority includes read-only and read-write.
- different permissions can be configured for different accounts. That is, when devices logged in with different accounts access a certain personal device, the media data that can be accessed may be different, and the operation rights to the media data may be different. For example, in a distributed architecture, when a device logged in with account A and a device logged in with account B access a device logged in with account C, the account The device logged in by A can access the data in the system application in the login account C, and the device in the login account B can access the data in the system application in the login account C and the data of some third-party applications.
- different permissions can be configured for different users who log in to the device with the same account. That is, when a user using a device logged in with the same account accesses a personal device logged in with the same account, the accessible media data may be different. For example, user x (the elderly or a child) can use the shared device (large screen or tablet) logged in with account A to access the personal device (the mobile phone of the child's father) logged in with account A.
- the privacy and security of data in can be configured by users (each family member) of the shared device (big screen or tablet) logged in with account A to the personal device (the child’s father’s) logged in with account A mobile phone) access.
- the current user identity can be identified when the user of the shared device logged in with account A unlocks the device, and then the corresponding cross-device access permission can be determined according to the user identity obtained during unlocking when the user performs cross-device access.
- Fig. 4b is a flowchart of a cross-device access control method provided by an embodiment of the present application. As shown in Fig. 4b, the cross-device access control method may include the following steps:
- Step 301 When device A requests to access cross-device media data, the media library of device A can determine whether device A is currently within the authentication time limit. If it is within the authentication time limit, perform step 302; if it exceeds the authentication time limit, perform step 303 .
- Step 302 The media library of device A obtains access rights through the authentication account, and accesses target cross-device media data based on the access rights.
- Step 303 The media library of device A performs secondary authentication, updates the authentication time limit after the secondary authentication is passed, and executes step 302 after the secondary authentication is passed.
- Fig. 4c is a flow chart of secondary authentication provided by another embodiment of the present application.
- device A serves as the accessing device
- device B serves as the accessed device.
- the device A and the device B may be devices logged in with the same account, or devices logged in with different accounts.
- the device A can be a shared device or a personal device, and device B is pre-configured with local media data sharing permissions.
- the user first unlocks device A (unlock the screen) to complete the first authentication.
- the authentication methods of the first authentication may include but not limited to scan code, password, face, fingerprint, voice and other authentication methods.
- the identity information of the user who unlocks the device A can be determined through the first authentication operation. After the user passes the first authentication (unlocking the screen), obtain and save the authentication account information.
- the embodiment of the present application provides an authentication operation of secondary authentication.
- the application of device A calls the media library interface to access the cross-device media data ( media data of device B), the media library can determine whether a second authentication is currently required, and cross-device access can only be performed after the current authentication is valid or passed.
- determining whether to perform secondary authentication may specifically include the above step 301 . In the specific implementation of step 301, it may be determined whether it is still within the authentication time limit.
- Figure 4d is a schematic diagram of the authentication time limit provided by an embodiment of the present application. As shown in Figure 4d, in one of the scenarios, device A is successfully unlocked at time t 0 , that is, the user's first authentication operation is completed at time t 0 , and the first time During authentication, the user confirmed to be used is the owner of the machine (that is, the dad in the family). Time t 0 to time t e is the authentication valid period (t 0 ⁇ t e ) for the user's first authentication.
- the moment when device A requests cross-device access to device B’s media data is within the above authentication valid period (t 0 ⁇ t e ); in another scenario, device A has performed one or more secondary
- the duration of the authentication validity period of the first authentication and the authentication validity period of the second authentication may be the same or different.
- the media library of device A can initiate a connection to device B through the communication bus within the authentication time limit, and send a cross-device access request (distributed access request) to device B, wherein , the cross-device access request (distributed access request) may include authentication account information that can prove that device A is currently within the authentication time limit.
- the media library of device B can query the corresponding account according to the authentication account information in the cross-device access request (distributed access request) (identify the current user as device owner, the corresponding account information is the access authority of device A’s login account) in device B, and the media library of device B feeds back the queried access authority information to the distributed file system of device B, and then the distribution of device B
- the file system can provide corresponding cross-device access services for the device A to access the corresponding authorized media data in the device B according to the access rights of the login account of the device A in the device B.
- device A requests cross-device access to device B's media data at time t 1 , and the media library of device A determines that time t 1 is in the authentication valid period (t 0 ⁇ t In e ), it is determined that no secondary authentication is required, and device A initiates a connection to device B through the communication bus, and after the connection is successful, sends access request information to device B to access the photo album of device B, and the access request information may include Authentication account information of device A.
- the media library of device B can perform access authentication according to the authentication account corresponding to the authentication account information in the distributed file access information sent by device A, and feed back the authentication result to the distributed file system of device B.
- the authentication process of the media library of device B includes: confirming whether the media data that device A requests to access is within the access authority of the authentication account corresponding to the authentication account information in the distributed file access information sent by device A, if it is within the access authority If the access authority is exceeded, the authentication fails.
- the authentication account of device A can access the photo album and memo of device B, and the authentication account of device A only has read-only operation permission for the photo album and memo of device B, and the target media file to be accessed by device A If it is an album, the authentication is passed, and the media library of device B will feed back the authentication result to the distributed file system of device B, where the authentication result may include the authentication account information corresponding to the authentication account information in the distributed file access information sent by device A
- the account authentication is passed, and the access rights of the authentication account include that the authentication account of device A can access the photo album and memo of device B, and the authentication account of device A only has read-only operation permission for the photo album and memo of device B.
- the distributed file system of device B can allow device A to read only device B's photo album.
- step 303 if the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the above authentication valid period (t 0 ⁇ t e ), it is determined that the previous authentication (first time authentication or secondary authentication), the media library of device A can perform secondary authentication.
- the authentication method of the secondary authentication may include but not limited to code scanning, password, facial recognition, fingerprint, voice and other authentication methods.
- the media library of device A can update the authentication time limit, and the media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B,
- the cross-device access request may include an authentication result that can prove that the device A has passed the secondary authentication, and the authentication result includes the account information of the device A that has passed the authentication this time.
- the account information that has passed the authentication this time may be the identity account information of the user currently using the device A.
- the validity period of the authentication account can be updated, and step 302 is executed after the second authentication is passed, that is, the access right is obtained through the authentication account, and the target media data of the device B is accessed based on the access right.
- the media library of device B After receiving the cross-device access request (distributed access request) sent by device A, the media library of device B can perform access authentication according to the authentication result in the cross-device access request (distributed access request) to query the corresponding account (The account information that has passed the authentication this time) access rights in device B, the media library of device B will feed back the queried access rights information to the distributed file system of device B, and then the distributed file system of device B can be based on this The access authority of the account information that passes the authentication for the second time in the device B authorizes the device A to access the corresponding authorized media data in the device B.
- device A requests cross-device access to device B's media data at time t2 , and the media library of device A determines that time t2 has exceeded the authentication valid period (t 0 ⁇ t e ), the media library of device A determines that the user needs to perform secondary authentication, and cross-device access can only be performed after the authentication is passed.
- device A can perform fingerprint identification and authentication on the current user. After the user passes fingerprint identification and authentication, device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a request to device B to access the distribution of device B's album.
- Type file access information and the distributed file access information includes an authentication result that can prove that device A has passed the secondary authentication (fingerprint identification authentication), and the authentication result includes the account information that has passed the authentication this time.
- the media library of device B finds that the account that has passed the authentication can access device B's photo album and memo, and device A only has exclusive rights to device B's photo album and memo. Read operation permission, and then device B can authorize device A to read only device B's photo album.
- Fig. 4e is a flowchart of a cross-device access control method provided by another embodiment of the present application. As shown in Fig. 4e, the cross-device access control method may include the following steps:
- Step 411 When the media library of the access device requests access to cross-device media data, the media library of the access device can determine whether the access device is currently within the authentication time limit, if it is within the authentication time limit, then execute step 412, if it exceeds the authentication time limit, then Execute step 413.
- Step 412 The media library of the access device obtains the first access authority through the authentication account, and accesses the target cross-device media data based on the first access authority.
- Step 413 The media library of the access device obtains the second access right through the authentication identity, and accesses the target media data based on the second access right.
- Step 414 Determine whether the target media data is successfully accessed across devices based on the second access authority corresponding to the authentication identity. If the access is not successful, perform step 415, and if the access is successful, perform step 416.
- Step 415 Perform secondary authentication, and update the authentication time limit after the authentication is passed.
- Step 416 Update the authentication time limit of the authentication ID.
- the user after the user passes the first authentication (unlocks the screen), the user obtains an identity, and can mark the authenticated identity as an authentication identity.
- step 411 when device A requests to access cross-device media data, the media library of device A can determine whether device A is currently within the authentication time limit, and if it is within the authentication time limit, perform step 412.
- step 412 is similar to the specific implementation of step 302 in the above-mentioned embodiment shown in FIG. 4 b , and will not be repeated here.
- step 413 if the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the authentication validity period (t 0 ⁇ t e ) of the previous authentication, it is determined that the current authentication time limit has expired , the media library of device A can obtain the authorization of device B for the authentication identity through the authentication identity. Specifically, the file system media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B, wherein, in the cross-device access request (distributed access request) The above-mentioned authentication identity can be included.
- the identity of the user currently using device A can be determined in the authentication stage (such as fingerprint identification), and after the user passes this authentication, the authentication result contains The identity information of the device A that has passed the authentication this time is the authentication identity of the "child".
- the media library of device B After receiving the cross-device access request (distributed access request) sent by device A, the media library of device B can perform access authentication according to the authentication identity in the cross-device access request (distributed access request) to query the To authenticate the access rights of the ID in device B, the media library of device B feeds back the access rights information of the queried authentication ID in device B to the distributed file system of device B, and then the distributed file system of device B can The device A is authorized to access the corresponding authorized media data in the device B according to the access right identified in the device B according to the current authentication identity. Wherein, after the distributed file system of device B determines that the target media data to be accessed by device A exceeds the access authority of the authentication identity, it feeds back the authentication result (access failure) to the media library of device A through the communication bus.
- step 414 after the media library of device B determines whether the authentication identity sent by device A has access rights, it can feed back the authentication result to device A through the communication bus, and the media library of device A can The authentication result fed back by the media library determines whether the access is successful. If the access fails (that is, the authority corresponding to the authentication ID has no right to access), the secondary authentication is performed. If the access is successful, the time limit of the authentication ID is updated.
- step 415 is similar to the specific implementation of step 303 in the embodiment shown in FIG. 4b , and will not be repeated here.
- step 416 if the access based on the authority corresponding to the authentication identity is successful, then update the timeliness of the authentication identity, that is, start counting after confirming that the access is successful.
- the time limit for authentication after the second authentication is the same.
- device A requests cross-device access to device B's media data at time t3 , and the media library of device A determines that time t3 has exceeded the valid authentication period, and device A's The media library can obtain the authorization of the device B for the authentication identity through the authentication identity.
- Device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a cross-device access request message to device B requesting access to the photo album of device B, and the cross-device access request message includes the authentication identity of the current user of device A .
- the media library of device B performs access authentication according to the authentication identity in the cross-device access request information sent by device A to query the access authorization corresponding to the authentication identity, and according to the authentication identity in the cross-device access request information sent by device A
- the identification performs access authentication, and the authentication result is fed back to the distributed file system of device B.
- the authentication process of device B's media library includes: confirming whether the media data that device A requests to access is within the access authority (second access authority) of the authentication identity identifier in the distributed file access information sent by device A, if If it is within the second access authority, the authentication will pass, and if it exceeds the second access authority, the authentication will fail.
- the authentication identity of device A can access the photo album of device B, and device A only has read-only operation permission for the photo album of device B, and the target media file to be accessed by device A is the photo album, then the authentication is passed.
- the media library of device B feeds back the authentication result to the distributed file system of device B, where the authentication result may include that the authentication identity in the distributed file access information sent by device A passes the authentication, and the access of the authentication identity Permissions include that the current user of device A can access device B's photo album, and device A only has read-only operation permission for device B's photo album.
- the distributed file system of device B determines the access rights of device A to device B, it releases corresponding media data to device A according to the access rights, so that device A can perform cross-device access.
- the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the authentication validity period of the previous authentication (t 0 ⁇ t e ), and the access fails through the authentication identity of device A (The media library of device A obtains the authentication failure message sent by the media library of device B, that is, the target media data cannot be accessed based on the authority corresponding to the authentication identity), and the media library of device A can perform secondary authentication.
- the authentication method of the secondary authentication may include but not limited to code scanning, password, facial recognition, fingerprint, voice and other authentication methods.
- the media library of device A can update the authentication time limit, and the media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B,
- the cross-device access request may include an authentication result that can prove that device A has passed the secondary authentication, and the authentication result includes account information that has passed the authentication this time.
- the media library of device B receives the cross-device access request (distributed access request) sent by device A, and then the media library of device B can perform access authentication according to the authentication result in the cross-device access request (distributed access request) , to query the access rights of the corresponding account (the current user's authentication identity after the second authentication) in device B, and feed back the queried access rights information to the distributed file system of device B, and then the distributed file system of device B
- the file system can authorize device A to access the corresponding authorized media data in device B according to the current authentication ID's access rights in device B.
- the accessed device (device B) configures the access rights of the access device (device A)
- the first access right of the authentication account of device A and the second access right of the authentication identity of device B can be configured respectively. access rights, and the first access rights and the second access rights may be different.
- the first access rights of the authentication account are higher than the second access rights of the authentication ID.
- the media library of device A can perform Second authentication, and after the user passes the second authentication, obtain the first access authority of the authentication account authorized by device B through the authentication result, and access the authorized media data of device B after obtaining the first access authority of the authentication account.
- device A requests cross-device access to device B's media data at time t3 , the media library of device A determines that time t3 has exceeded the authentication valid period, and device A The media library obtained the second access authority through the authentication identity, but failed to access the target file through the second access authority.
- the media library of device A may perform secondary authentication to obtain the first access authority with higher authority.
- device A can perform facial recognition authentication on the current user. After the user passes facial recognition authentication, device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a third-party request to device B to access device B.
- the distributed file access information of the video is cached in the video APP, and the distributed file access information includes the authentication result that can prove that device A has passed the second authentication (facial recognition authentication), and the authentication result includes the account that passed the authentication this time information.
- the media library of device B finds that device A can access device B's photo album, memo, all third-party video apps and all third-party online class apps, and device A
- the above-mentioned authorized media data in device B has read and write operation permissions, and then device B can authorize device A to access the cached video in the target video APP of device B.
- the media library of device A may clear the authentication account.
- the user unlocks device A again, he passes the authentication and updates the authentication time limit.
- the authentication result triggered by any application is valid for other applications, and there is no need for repeated authentication to ensure a good user experience.
- the user requests cross-device access to the media data of device B, and device A is within the authentication time limit (within the first authentication time limit or the second authentication time limit), and in the social APP Complete cross-device access.
- the user switches to the calendar program of device A and requests cross-device access to the media data of device B again, if device A is still within the authentication time limit at this time, there is no need to re-authenticate because device A switches applications.
- Fig. 5 is a flow chart of an apparatus for cross-device access control provided by another embodiment of the present application.
- the apparatus may include a processor 501 and a memory 502, and the memory 502 is used to store at least one instruction, which is determined by When loaded and executed by the processor 501, the cross-device access control method provided by the embodiment shown in FIG. 4b or 4e is implemented.
- Another embodiment of the present application also provides a device, which may include a device body and the cross-device access control apparatus provided in the embodiment shown in FIG. 5 .
- the system may include at least two devices described above, and in an implementation manner, the at least two devices may use the same account to log in. In another implementation manner, the accounts logged in by the at least two devices may be different.
- the architecture diagram of the system may be as shown in FIG. 2 , but is not limited to the structure shown in FIG. 2 .
- Another embodiment of the present application also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the cross-device access control method provided by the embodiment shown in FIG. 4b or 4e is implemented.
- terminals involved in the embodiments of the present invention may include, but are not limited to, personal computers (Personal Computer, PC), personal digital assistants (Personal Digital Assistant, PDA), wireless handheld devices, tablet computers (Tablet Computer), Mobile phones, MP3 players, MP4 players, etc.
- PC Personal Computer
- PDA Personal Digital Assistant
- Tablett Computer Tablet Computer
- Mobile phones MP3 players, MP4 players, etc.
- the application may be an application program (nativeApp) installed on the terminal, or may also be a webpage program (webApp) of a browser on the terminal, which is not limited in this embodiment of the present invention.
- the disclosed systems, devices and methods can be implemented in other ways.
- the device embodiments described above are only illustrative.
- the division of the units is only a logical function division. In actual implementation, there may be other division methods.
- multiple units or components can be combined Or it can be integrated into another system, or some features can be ignored, or not implemented.
- the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
- the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
- the above-mentioned integrated units can be implemented in the form of hardware, or in the form of hardware plus software functional units.
- the above-mentioned integrated units implemented in the form of software functional units may be stored in a computer-readable storage medium.
- the above-mentioned software functional units are stored in a storage medium, and include several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) or a processor (Processor) execute the methods described in various embodiments of the present invention. partial steps.
- the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes. .
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the present application provide an access control method and apparatus, a device, and a storage medium. The method comprises: when it is requested to access cross-device media data, if it is determined that a first device currently has exceeded the effectiveness of authentication, performing second authentication on the current user, and updating the effectiveness of authentication after second authentication is passed; and, after second authentication is passed, obtaining an access permission according to the authenticated account that has passed second authentication, and, on the basis of the access permission, accessing target media data of a target device across devices. According to the access occasion of accessing a user, a second authentication interface can be pulled up in real time based on need, and the user can access target media data only after second authentication is passed, thereby ensuring the privacy and security of media data stored on devices on which the same account is logged in, and improving user experience.
Description
本申请涉及终端技术领域,尤其涉及一种访问控制方法及装置、设备、存储介质。The present application relates to the technical field of terminals, and in particular to an access control method, device, device, and storage medium.
超级终端支持分布式文件搜索、分布式文件浏览、分布式文件编辑等功能。图1a为现有技术中超级终端进行分布式文件全局搜索的示意图,如图1a所示,用户可以在文件搜索框中输入关键词“考试资料”,搜索结果可以包括本机对应文件以及同一账号下的其他设备中存储的对应文件。在一些应用场景中,超级终端可以为一台共享设备,该共享设备可以为一台无密码或多人可以解锁的终端,且该共享设备的登陆账号与另一台或多台设备的登录账号相同,则使用该共享设备的人员可以通过共享设备查看与共享设备同账号登录的私人设备上存储的媒体数据,该私人设备上存储数据的隐私性、安全性难以得到保证,降低了用户体验感。HyperTerminal supports functions such as distributed file search, distributed file browsing, and distributed file editing. Figure 1a is a schematic diagram of a distributed file global search performed by a hyper terminal in the prior art. As shown in Figure 1a, the user can enter the keyword "examination materials" in the file search box, and the search results can include the corresponding files of the machine and the same account Corresponding files stored in other devices under . In some application scenarios, the hyperterminal can be a shared device. The shared device can be a terminal that has no password or can be unlocked by multiple people, and the login account of the shared device is the same as the login account of another or more devices. If the same, the person using the shared device can view the media data stored on the private device logged in with the same account as the shared device through the shared device. The privacy and security of the data stored on the private device cannot be guaranteed, which reduces the user experience. .
申请内容application content
本发明实施例提供一种访问控制方法及装置、设备、存储介质,通过该方法可以根据访问用户的访问时机,按需实时拉起二次认证界面,用户在通过二次认证后才能访问到目标媒体数据,从而保证了同账号登录的设备上存储的媒体数据的隐私性和安全性,并提高用户体验感。Embodiments of the present invention provide an access control method, device, device, and storage medium. Through this method, the secondary authentication interface can be pulled up in real time according to the access timing of the accessing user, and the user can only access the target after passing the secondary authentication. Media data, thereby ensuring the privacy and security of media data stored on devices logged in with the same account, and improving user experience.
第一方面,本申请一个实施例提供一种跨设备访问控制方法,执行于第一设备,该方法包括:在请求访问跨设备媒体数据时,若确定第一设备当前已超出认证时效,则对当前用户进行二次认证,并在所述二次认证通过后更新认证时效;以及在所述二次认证通过后发送跨设备访问请求信息给第二设备,所述跨设备访问请求信息包括通过所述二次认证的认证账号,以通过所述认证账号获取第一访问权限,并基于所述第一访问权限跨设备访问所述第二设备中存储的目标媒体数据。In the first aspect, an embodiment of the present application provides a cross-device access control method, which is executed on the first device, and the method includes: when requesting to access cross-device media data, if it is determined that the first device has exceeded the authentication time limit, then The current user performs secondary authentication, and updates the authentication timeliness after the secondary authentication is passed; and sends cross-device access request information to the second device after the secondary authentication is passed, and the cross-device access request information includes the cross-device access request information passed through the The authentication account for the second authentication, so as to obtain the first access authority through the authentication account, and access the target media data stored in the second device across devices based on the first access authority.
进一步地,所述确定第一设备当前已超出认证时效包括:确定第一设备当前是否处于最近一次认证的认证时效内,其中,所述最近一次认证包括首次认证或所述二次认证,所述首次认证包括屏幕解锁认证。Further, the determining that the first device has currently exceeded the authentication time limit includes: determining whether the first device is currently within the latest authentication time limit, wherein the latest authentication includes the first authentication or the second authentication, the First-time authentication includes screen unlock authentication.
进一步地,所述若确定第一设备当前已超出认证时效,则对当前用户进行二次认证包括:若确定所述第一设备当前已超出认证时效,并确定基于认证身份标识对应的第二访问权限访问失败时,则对当前用户进行二次认证,并在所述二次认证通过后更新认证时效;以及在所述二次认证通过后根据通过所述二次认证的认证账号获取第一访问权限,并基于所述访问权限跨设备访问第二设备中存储的目标媒体数据。Further, if it is determined that the first device is currently out of the authentication time limit, performing secondary authentication on the current user includes: if it is determined that the first device is currently out of the authentication time limit, and determining the second access based on the authentication identity When the authority access fails, perform secondary authentication on the current user, and update the authentication time limit after the secondary authentication is passed; and obtain the first access according to the authentication account that has passed the secondary authentication after the secondary authentication is passed permission, and based on the access permission, cross-device access to the target media data stored in the second device.
进一步地,在所述确定基于认证身份标识对应的第二访问权限访问失败之前,所述确定第一设备当前已超出认证时效之后,还包括:发送跨设备访问请求信息给第二设备, 所述跨设备访问请求信息包括认证身份标识,以通过所述认证身份标识获取第二访问权限,并基于所述第二访问权限跨设备访问所述第二设备中存储的目标媒体数据,并确定是否成功访问所述第二设备中存储的目标媒体数据。Further, before the determination that the access to the second access right corresponding to the authentication identity fails, after the determination that the first device has expired the authentication time limit, it further includes: sending cross-device access request information to the second device, the The cross-device access request information includes an authentication identity, so as to obtain a second access right through the authentication identity, and access the target media data stored in the second device across devices based on the second access right, and determine whether it is successful Target media data stored in the second device is accessed.
进一步地,所述通过认证身份标识获取第二访问权限之前,还包括:将通过最近一次认证的身份标识标记为所述认证身份标识。Further, before obtaining the second access right through the authentication identity, it also includes: marking the identity that has passed the latest authentication as the authentication identity.
进一步地,所述将通过认证的身份标识标记为所述认证身份标识包括:在认证阶段获取当前用户身份信息,并将所述通过认证的身份标识标记为与所述当前用户身份信息相匹配的所述认证身份标识。Further, marking the authenticated identity as the authenticated identity includes: acquiring current user identity information during the authentication phase, and marking the authenticated identity as matching the current user identity information The authentication ID.
进一步地,在所述将通过所述最近一次认证的身份标识标记为所述认证身份标识之后,还包括:若监听到锁屏事件,则清空所述认证时效和所述认证身份标识。Further, after marking the identity that passed the latest authentication as the authentication identity, the method further includes: clearing the authentication time limit and the authentication identity if a lock screen event is detected.
进一步地,所述确定是否成功访问所述第二设备中存储的目标媒体数据包括:获取所述第二设备发送的鉴权结果,根据所述鉴权结果确定是否访问成功;其中,若访问失败,所述鉴权结果包括:访问失败的提示信息以及访问失败原因。Further, the determining whether to successfully access the target media data stored in the second device includes: obtaining an authentication result sent by the second device, and determining whether the access is successful according to the authentication result; wherein, if the access fails , the authentication result includes: access failure prompt information and access failure reasons.
第二方面,本申请再一个实施例提供一种访问控制方法,执行于第二设备,该方法包括:获取第一设备发送的跨设备访问请求信息,若所述跨设备访问请求信息包括通过所述二次认证的认证账号,则对所述认证账号进行访问鉴权,以确定所述认证账号可访问的文件或文件夹以及对所述文件或文件夹的操作权限;其中,在确定第一设备请求访问的目标文件超出所述第一设备发送的账号信息对应的账号的访问权限时,鉴权失败,并根据所述鉴权结果将所述第一设备的访问结果反馈给所述第一设备。In the second aspect, another embodiment of the present application provides an access control method executed on a second device. The method includes: acquiring cross-device access request information sent by the first device, if the cross-device access request information includes If the authentication account of the secondary authentication is used, then the authentication account is authenticated to determine the files or folders that the authentication account can access and the operation authority to the files or folders; wherein, in determining the first When the target file requested by the device exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the access result of the first device is fed back to the first device according to the authentication result. equipment.
进一步地,在第一设备对所述第二设备进行跨设备访问之前,还包括:配置可访问所述第二设备的媒体数据的设备账号和用户身份,以得到一个或多个的授权账号以及一个或多个授权身份标识;以及配置所述授权账号和授权身份标识可访问的媒体数据,并配置所述授权账号和授权身份标识对可访问的媒体数据的操作权限,所述操作权限包括只读权限或读写权限。Further, before the first device performs cross-device access to the second device, it also includes: configuring device accounts and user identities that can access the media data of the second device, so as to obtain one or more authorized accounts and One or more authorized identities; and configure the media data accessible by the authorized account and authorized identities, and configure the operation permissions of the authorized accounts and authorized identities on the accessible media data, the operation permissions include only Read permission or read and write permission.
进一步地,所述配置所述授权账号可访问的媒体数据包括:以单个媒体数据为粒度进行可访问权限配置;或者以媒体数据组为粒度进行可访问权限配置;其中,所述单个媒体数据为单个文件,所述媒体数据组为单个文件夹。Further, the configuring the media data accessible by the authorized account includes: configuring the access rights at the granularity of individual media data; or configuring the access rights at the granularity of media data groups; wherein, the single media data is A single file, the media data set is a single folder.
进一步地,若所述跨设备访问请求信息包括认证身份标识,则对所述认证账号进行访问鉴权,以确定所述认证身份标识可访问的文件或文件夹以及对所述文件或文件夹的操作权限;其中,在确定所述第一设备请求访问的目标文件超出所述第一设备发送的账号信息对应的账号的访问权限时,鉴权失败,并根据所述鉴权结果将所述第一设备的访问结果反馈给所述第一设备。Further, if the cross-device access request information includes an authentication identity, access authentication is performed on the authentication account to determine the files or folders accessible by the authentication identity and the access to the files or folders. Operation authority; Wherein, when it is determined that the target file requested by the first device exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the second The access result of a device is fed back to the first device.
第三方面,本申请再一个实施例提供一种访问控制装置,包括:处理器和存储器,所述存储器用于存储至少一条指令,所述指令由所述处理器加载并执行时以实现第一方面提供的跨设备访问控制方法或第二方面提供的访问控制方法。在一种实施方式中,该访问控制装置可以为设备的组成元件(如芯片)。In the third aspect, another embodiment of the present application provides an access control device, including: a processor and a memory, the memory is used to store at least one instruction, and when the instruction is loaded and executed by the processor, the first The cross-device access control method provided by the aspect or the access control method provided by the second aspect. In an implementation manner, the access control device may be a component (such as a chip) of a device.
第四方面,本申请再一个实施例还提供一种设备,该设备可以包括设备本体以及第四方面提供的访问控制装置。In a fourth aspect, another embodiment of the present application further provides a device, which may include a device body and the access control apparatus provided in the fourth aspect.
第五方面,本申请再一个实施例还提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现第一方面提供的跨设备访问控制方法或第二方面提供的访问控制方法。In the fifth aspect, another embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the cross-device access control method provided in the first aspect or the second The access control method provided by the aspect.
通过上述技术方案,可以在访问跨设备媒体数据时,确定是否需要进行二次认证,其中通过二次认证解决公共设备访问分布式设备媒体资源的安全风险。Through the above technical solution, it is possible to determine whether secondary authentication is required when accessing cross-device media data, wherein the security risk of public devices accessing distributed device media resources is solved through secondary authentication.
为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作一简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description These are some embodiments of the present invention. For those skilled in the art, other drawings can also be obtained according to these drawings without any creative effort.
图1a为现有技术中超级终端进行分布式文件全局搜索的示意图;Fig. 1a is a schematic diagram of a global search of distributed files performed by a hyper terminal in the prior art;
图1b为现有技术中家庭场景中设备数据安全风险示意图;Figure 1b is a schematic diagram of device data security risks in a home scenario in the prior art;
图1c为现有技术中通过隔空投送共享文件的示意图;Figure 1c is a schematic diagram of sharing files through airdrop in the prior art;
图2为本申请一个实施例提供一种分布式架构示意图;FIG. 2 provides a schematic diagram of a distributed architecture according to an embodiment of the present application;
图3为本申请一个实施例提供的跨设备访问媒体数据的流程图;FIG. 3 is a flow chart of cross-device access to media data provided by an embodiment of the present application;
图4a为本申请再一个实施例提供的个人设备授权流程图;Fig. 4a is a flow chart of personal device authorization provided by another embodiment of the present application;
图4b为本申请再一个实施例跨设备访问控制方法的流程图;FIG. 4b is a flowchart of a cross-device access control method according to another embodiment of the present application;
图4c为本申请再一个实施例提供的二次认证流程图;Fig. 4c is a flow chart of secondary authentication provided by another embodiment of the present application;
图4d为本申请一个实施例提供的认证时效示意图;Figure 4d is a schematic diagram of the authentication time limit provided by an embodiment of the present application;
图4e为本申请再一个实施例跨设备访问控制方法的流程图;FIG. 4e is a flowchart of a cross-device access control method according to another embodiment of the present application;
图4f为本申请在一个实施例提供的认证身份标识时效示意图;Figure 4f is a schematic diagram of the timeliness of the authentication identity mark provided by the present application in one embodiment;
图4g为本申请在一个实施例提供的认证身份标识获取授权失败后二次认证的示意图;Fig. 4g is a schematic diagram of secondary authentication provided by the present application in an embodiment after the authentication identity mark acquisition authorization fails;
图5为本申请再一个实施例提供的跨设备访问控制装置的流程图。Fig. 5 is a flow chart of an apparatus for cross-device access control provided by another embodiment of the present application.
为使本发明实施例的目的、技术方案和优点更加清楚,下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is a part of embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.
在现有技术中,可以通过使用同一账号登录的终端设备组成超级终端,该超级终端中可以包括若干个共享设备和若干个个人设备。可以使用共享设备的人员(例如,可以解锁该共享设备)可以通过共享设备对使用同一账号登录的其他个人设备进行分布式文件搜索、分布式文件浏览、分布式文件编辑等操作,个人设备中存储的媒体数据的隐私性和安全性得到侵犯。In the prior art, terminal devices logged in with the same account can be used to form a hyperterminal, and the hyperterminal may include several shared devices and several personal devices. Personnel who can use the shared device (for example, can unlock the shared device) can perform operations such as distributed file search, distributed file browsing, and distributed file editing on other personal devices logged in with the same account through the shared device. The privacy and security of media data is violated.
图1b为现有技术中家庭场景中设备数据安全风险示意图,如图1b所示,该场景中可以包括使用账号A登录的共享设备和使用账号A登录(使用同一账号登录)的个人设备。其中该共享设备可以为大屏和/或平板电脑(PAD),该个人设备可以为手机等私人终端。Fig. 1b is a schematic diagram of device data security risks in a family scenario in the prior art. As shown in Fig. 1b, this scenario may include shared devices logged in with account A and personal devices logged in with account A (logged in with the same account). The shared device may be a large screen and/or a tablet computer (PAD), and the personal device may be a private terminal such as a mobile phone.
当前可以通过共享设备的媒体库访问使用账号A登录的个人设备中存储的媒体数据。Currently, the media data stored in the personal device logged in with account A can be accessed through the media library of the shared device.
在一些场景中,家庭成员可以包括:爷爷、奶奶、爸爸、妈妈、孩子。家庭中的平板电脑、大屏等设备,通常登录某位家庭成员(例如爸爸)的账号,全家成员共同使用,并且平板电脑、大屏等设备的登录账号很少进行切换。在非账号对应用户(爸爸)在使用共享设备时,可能存在非账号对应用户通过共享设备进行分布式查询文件,并查询到账号对应用户(爸爸)的个人设备中的重要文件,可能会出现误操作导致账号对应用户(爸爸)的个人设备(手机)中的资料损坏、丢失的问题。In some scenarios, family members may include: grandpa, grandma, dad, mom, kids. Devices such as tablets and large screens in the family usually log in with the account of a certain family member (such as dad), and the whole family members use them together, and the login accounts of devices such as tablets and large screens are rarely switched. When the non-account corresponding user (dad) is using the shared device, the non-account corresponding user may conduct distributed query files through the shared device and query important files in the personal device of the account corresponding user (dad), which may cause errors. The operation caused the problem that the data in the personal device (mobile phone) of the account corresponding to the user (dad) was damaged or lost.
因此,在家庭场景中,家庭成员可以通过共享设备访问使用同一账号登录的个人设备,存在同账号下设备的数据隐私隐患和数据安全隐患。Therefore, in a family scenario, family members can access personal devices logged in with the same account through shared devices, which poses potential data privacy and data security risks for devices under the same account.
在办公场景中也可以包括共享设备以及可连接该共享设备的私人终端。其中,该共享设备可以为会议大屏,且该会议大屏通常登录某位部分秘书的个人账号,并且该秘书的个人设备同样通过该个人账号登录,该会议大屏供部门内所有同事共同使用,并且该会议大屏很少切换登录账号,由于该部门秘书的私人终端的登录账号与会议大屏的登录账号相同,该私人终端可以为部门内各成员的手机或个人电脑,因此,在使用共享设备举行部门会议过程中,若该使用共享设备的员工在共享设备上进行文件搜索操作,在搜索结果中可以查看到使用同一账号登录的部门秘书的私人终端中存储的相关文件,可能导致该部门秘书的私人终端存储的私人数据遭到泄露。In an office scene, a shared device and a private terminal that can be connected to the shared device may also be included. Wherein, the shared device can be a large conference screen, and the large conference screen is usually logged into the personal account of a certain secretary, and the personal device of the secretary is also logged in through the personal account, and the large conference screen is shared by all colleagues in the department , and the big screen of the meeting seldom switches the login account. Since the login account of the personal terminal of the secretary of the department is the same as that of the big screen of the meeting, the private terminal can be the mobile phone or personal computer of each member in the department. Therefore, when using During a departmental meeting on a shared device, if the employee who uses the shared device searches for files on the shared device, the relevant files stored in the private terminal of the department secretary who logged in with the same account can be found in the search results, which may cause the The private data stored in the private terminal of the department secretary was leaked.
因此,在办公场景中,也存在同账号下设备的数据隐私隐患和数据安全隐患。Therefore, in office scenarios, there are also hidden dangers of data privacy and data security of devices under the same account.
需要说明的是,现有技术中,仅支持登录相同账号的终端设备组成超级终端(分布式),然而通过不同账号登录的两个设备并不能进行跨设备访问对方设备的媒体数据。It should be noted that, in the prior art, only terminal devices logged in with the same account are supported to form a hyper terminal (distributed), but two devices logged in through different accounts cannot access the media data of the other device across devices.
在现有技术中,若想实现登录不同账号的设备之间进行跨设备访问数据或登录不同账号的设备之间进行跨设备共享数据包括以下非分布式方案:In the prior art, if you want to achieve cross-device access to data between devices logged in with different accounts or cross-device sharing of data between devices logged in with different accounts, the following non-distributed solutions are included:
1、云方案1. Cloud solution
由于登录不同账号的设备之间不能直接跨设备访问,即,登录A账号的共享设备不能直接访问登录B账号的个人设备的媒体数据。而共享设备需要通过开启云相册功能实现跨设备访问,具体地,共享设备在进行跨设备访问之前登录云账号,通过云做中转,实现媒体数据的跨设备访问,并可以在访问结束后,关闭云相册功能。Since devices logged into different accounts cannot directly access across devices, that is, a shared device logged into account A cannot directly access media data of a personal device logged into account B. The shared device needs to enable cross-device access by enabling the cloud album function. Specifically, the shared device logs in to the cloud account before cross-device access, transfers through the cloud, and realizes cross-device access to media data. After the access, it can be closed. Cloud photo album function.
2、投屏方案2. Projection scheme
可以通过扫码或输入验证码等方式,将用户个人设备屏幕投射到公共设备上,分享结束后,断开连接,清楚连接关系。若需要再次分享,则需要再次扫码或输入验证码进行投屏。The screen of the user's personal device can be projected to the public device by scanning the code or entering the verification code, etc. After the sharing is completed, the connection is disconnected and the connection relationship is clear. If you need to share again, you need to scan the code again or enter the verification code to cast the screen.
3、隔空投送3. Airdrop
图1c为现有技术中通过隔空投送共享文件的示意图,如图1c所示,用户在打开想要发送的文件A后,可以点击“共享”按钮;或者在“访问”中长按“control”一定时间(如长按2s)选择需要共享的文件A,然后从快捷键惨淡中选取“共享”。进而可以从 列出的共享选项中,选取“隔空投送”,并在“隔空投送”的列表中选择对应的接收者(目标用户),完成跨设备数据共享。Figure 1c is a schematic diagram of sharing files through airdrop in the prior art. As shown in Figure 1c, after opening the file A to be sent, the user can click the "Share" button; or press and hold the "control" button in "Access". "Select the file A to be shared for a certain period of time (such as long press for 2s), and then select "Share" from the shortcut keys. Then you can select "AirDrop" from the sharing options listed in , and select the corresponding recipient (target user) in the "AirDrop" list to complete cross-device data sharing.
上述各个非分布式方案中,依赖云做中转,并且用户操作步骤繁杂,导致用户体验感不强。In each of the above non-distributed solutions, relying on the cloud for transit, and the user's operation steps are complicated, resulting in a poor user experience.
基于上述问题,本申请实施例提供一种访问控制方法,在用户通过共享设备访问登录相同账号的个人设备或者登录被授权账号的个人设备中的媒体数据之前,确定当前状态信息满足触发认证条件时,对共享设备的当前用户进行二次认证,以保证被访问的个人设备中媒体数据的隐私性和安全性。Based on the above problems, an embodiment of the present application provides an access control method. Before the user accesses the media data in the personal device logged in with the same account or logged in with the authorized account through the shared device, it is determined that the current state information satisfies the trigger authentication condition , perform secondary authentication on the current user of the shared device to ensure the privacy and security of the media data in the accessed personal device.
图2为本申请一个实施例提供一种分布式架构示意图,如图2所示,该分布式架构中可以包括共享设备21和个人设备组22。其中,该个人设备组可以包括通过相同账号登录的个人设备和通过不同账号登录的个人设备,其中该共享设备可以登录个人设备组中任一个人设备的相应账号,并且该共享设备可以为一台或多台无密码或者多人可解锁的设备。举例来说,如图2所示,该共享设备21可以为大屏设备,该个人设备组22中可以包括手机、平板电脑、笔记本电脑。其中该手机和平板电脑使用账号A登录,笔记本电脑登录账号B,大屏设备与手机和平板电脑使用同一账号登录(账号A)。图2所示实施例的分布式架构为本申请中的一种实现方式,并不以此作为限定。还可以有其他实现方式,例如,大屏和平板电脑均作为共享设备21,个人设备组22中可以包括多个手机,且每个手机登录账号均不相同,大屏或平板电脑登录多个手机的其中一个手机的账号,或者登录个人设备组22以外设备的相应账号。即,共享设备的数量和登录账号不做限定,个人设备的数量和登录账号也不做限定。换言之,支持登录不同账号的终端设备组成超级终端。FIG. 2 is a schematic diagram of a distributed architecture according to an embodiment of the present application. As shown in FIG. 2 , the distributed architecture may include a shared device 21 and a personal device group 22 . Wherein, the personal device group may include personal devices logged in through the same account and personal devices logged in through different accounts, wherein the shared device may log in to the corresponding account of any personal device in the personal device group, and the shared device may be a or multiple devices that do not have a password or that can be unlocked by multiple people. For example, as shown in FIG. 2 , the shared device 21 may be a large-screen device, and the personal device group 22 may include a mobile phone, a tablet computer, and a notebook computer. The mobile phone and tablet computer use account A to log in, the laptop computer uses account B to log in, and the large-screen device and the mobile phone and tablet computer use the same account (account A) to log in. The distributed architecture of the embodiment shown in FIG. 2 is an implementation manner in this application, and is not limited thereto. There can also be other implementations, for example, both the large screen and the tablet computer are used as the shared device 21, multiple mobile phones can be included in the personal device group 22, and the login account of each mobile phone is not the same, and the large screen or tablet computer can log in to multiple mobile phones. The account of one of the mobile phones, or the corresponding account for logging in to devices other than the personal device group 22. That is, the number of shared devices and login accounts are not limited, and the number of personal devices and login accounts are not limited either. In other words, terminal devices that support logging in with different accounts form a HyperTerminal.
图3为本申请再一个实施例提供的跨设备访问媒体数据的流程图,如图3所示,通过共享设备可以对登录已授权账号的设备中的授权媒体数据进行访问。其中,已授权账号可以包括与共享设备所登录的账号相同和/或不同的账号,即,被访问设备(目标设备)可以对其发现的设备(相比于本设备的登陆账号,登录相同账号的设备和/或登录不同账号的设备)进行授权,被授权的设备可以跨设备访问被访问设备(目标设备)中的授权媒体数据。授权媒体数据可以包括目标设备(被访问设备)中授权可访问的不同粒度的媒体数据,媒体数据可以包括文档数据、图像数据、视频数据等。FIG. 3 is a flow chart of cross-device access to media data provided by another embodiment of the present application. As shown in FIG. 3 , authorized media data in a device logged in with an authorized account can be accessed through a shared device. Wherein, the authorized account may include an account that is the same as and/or different from the account logged into the shared device, that is, a device that the accessed device (target device) can discover (compared with the login account of the device, the login account of the same device and/or a device logged in with a different account) to perform authorization, and the authorized device can access the authorized media data in the accessed device (target device) across devices. The authorized media data may include media data of different granularities authorized and accessible in the target device (accessed device), and the media data may include document data, image data, video data, and the like.
如图3所示,当前作为访问设备的超级终端(第一设备)对当前作为被访问设备的超级终端(第二设备)进行跨设备访问时,需要通过访问设备的媒体库发出访问请求,而被访问设备的媒体库可以对访问设备的跨设备访问请求进行鉴权,因此媒体库(Media Library)作为超级终端全局唯一的访问控制点。具体地,个人设备的媒体库可以对分布式架构中的设备进行访问授权,即授权登录设定账号的设备可以访问(个人设备)本地存储的授权媒体数据。用户使用其他设备(如共享设备)跨设备访问个人设备时,用户首先解锁共享设备(解锁屏幕)完成首次认证。进一步地,用户在共享设备的跨设备访问的界面进行操作请求访问目标个人设备的媒体数据,共享设备的媒体库进行二次认证,在该二次认证通过后才能对目标个人设备的授权可访问的媒体数据进行访问操作。As shown in Figure 3, when the HyperTerminal (the first device) currently serving as the accessing device performs cross-device access to the HyperTerminal (the second device) currently serving as the accessed device, an access request needs to be sent through the media library of the accessing device, and The media library of the accessed device can authenticate the cross-device access request of the accessing device, so the media library (Media Library) is the only global access control point of the HyperTerminal. Specifically, the media library of the personal device can perform access authorization to the devices in the distributed architecture, that is, the device authorized to log in to the set account can access the authorized media data stored locally (in the personal device). When a user uses other devices (such as a shared device) to access a personal device across devices, the user first unlocks the shared device (unlock the screen) to complete the first authentication. Further, the user operates on the cross-device access interface of the shared device to request access to the media data of the target personal device, and the media library of the shared device undergoes secondary authentication, and the target personal device can only be authorized for access after the secondary authentication is passed. Media data for access operations.
上述发送跨设备访问请求的具体操作包括:登录账号A的共享设备中的应用向共享设备的媒体库发送跨设备访问请求信息,该跨设备访问请求信息可以包括目标设备信息和目标媒体数据信息,例如,目标设备信息为登录账号B的个人设备,以及该目标媒体数据 信息为该个人设备中的相册。其中,若存在多台登录账号B的个人设备,则可以将目标设备的标识信息携带在所述跨设备访问请求信息中,以准确表明用户想要访问的目标设备。The above specific operation of sending the cross-device access request includes: the application in the shared device that logs in account A sends cross-device access request information to the media library of the shared device, and the cross-device access request information may include target device information and target media data information, For example, the target device information is a personal device logged in account B, and the target media data information is a photo album in the personal device. Wherein, if there are multiple personal devices logged into the account B, the identification information of the target device may be carried in the cross-device access request information to accurately indicate the target device that the user wants to access.
共享设备的媒体库在接收到应用发送的跨设备访问请求信息后,可以确定当前是否需要进行二次认证,若不需要进行二次认证,共享设备的媒体库通过通信总线向目标设备发起连接,并在连接成功后,通过通信总线将跨设备访问请求信息发送给目标设备,其中,该跨设备访问请求信息中可以携带最近一次认证的认证结果。若需要进行二次认证,则共享设备的媒体库启动二次认证,并在认证成功后,共享设备的媒体库通过通信总线向目标设备发起连接,并在连接成功后,通过通信总线将跨设备访问请求信息发送给目标设备,其中,该跨设备访问请求信息中可以携带当前二次认证的认证结果。After receiving the cross-device access request information sent by the application, the media library of the shared device can determine whether secondary authentication is currently required. If secondary authentication is not required, the media library of the shared device initiates a connection to the target device through the communication bus. And after the connection is successful, the cross-device access request information is sent to the target device through the communication bus, wherein the cross-device access request information may carry the authentication result of the latest authentication. If secondary authentication is required, the media library of the shared device starts secondary authentication, and after the authentication is successful, the media library of the shared device initiates a connection to the target device through the communication bus, and after the connection is successful, the cross-device The access request information is sent to the target device, wherein the cross-device access request information may carry the current secondary authentication authentication result.
其中,上述跨设备访问请求信息中携带的认证结果可以包括认证账号信息。Wherein, the authentication result carried in the above cross-device access request information may include authentication account information.
目标设备通过通信总线接收到共享设备发送的跨设备访问请求信息后,目标设备的媒体库可以根据跨设备访问请求信息中的认证账号信息确定对应账号是否具有访问权限,若具有访问权限,则进一步确定认证账号信息对应账号的具体权限。进而目标设备的媒体库可以将获取到的认证账号信息对应账号的具体权限发送给目标设备的分布式文件系统,目标设备的分布式文件系统根据该具体权限为该共享设备提供相应访问服务。After the target device receives the cross-device access request information sent by the shared device through the communication bus, the media library of the target device can determine whether the corresponding account has access rights according to the authentication account information in the cross-device access request information. Determine the specific permissions of the account corresponding to the authentication account information. Furthermore, the media library of the target device can send the obtained authentication account information corresponding to the specific authority of the account to the distributed file system of the target device, and the distributed file system of the target device provides corresponding access services for the shared device according to the specific authority.
其中,若目标设备的媒体库可以根据跨设备访问请求信息中的认证账号信息确定对应账号不具有访问权限,则目标设备的媒体库可以通过通信总线将该鉴权结果反馈给共享设备。具体地,该对应账号不具有访问权限可以包括该账号对目标设备的任何媒体数据都不具有访问权限,或者该账号对本次想要访问的目标媒体数据信息不具有访问权限。Wherein, if the media library of the target device can determine that the corresponding account does not have access rights according to the authentication account information in the cross-device access request information, the media library of the target device can feed back the authentication result to the sharing device through the communication bus. Specifically, the corresponding account does not have access rights may include that the account does not have access rights to any media data of the target device, or the account does not have access rights to the target media data information to be accessed this time.
在一种实施方式中,若目标设备的媒体库确定共享设备具有访问权限时,还可以通过通信总线将共享设备本次想要访问的目标媒体数据传输给共享设备,以使共享设备将目标媒体数据缓存在共享设备的分布式文件系统中,若共享设备在有效缓存时间段内再次访问该目标媒体数据,则无需再次进行跨设备访问,可以直接访问缓存在共享设备的分布式文件系统中目标媒体数据。In one embodiment, if the media library of the target device determines that the shared device has access rights, it can also transmit the target media data that the shared device wants to access this time to the shared device through the communication bus, so that the shared device can transfer the target media to the shared device. The data is cached in the distributed file system of the shared device. If the shared device accesses the target media data again within the effective cache time period, there is no need to perform cross-device access again, and the target cached in the distributed file system of the shared device can be directly accessed media data.
个人设备可以预先对分布式架构中的设备进行访问授权,其中授权操作可以包括授权可以访问本地媒体数据的登录账号(即,被授权设备所登录的账号)、授权相应设备(登录授权账号的设备)可以被访问的本地应用(系统应用、三方应用),授权相应设备(登录授权账号的设备)对本地媒体数据的操作权限(只读、读写)。Personal devices can pre-authorize access to devices in the distributed architecture, where the authorization operation can include authorizing a login account that can access local media data (that is, the account logged in by the authorized device), authorizing the corresponding device (the device that logs in to the authorized account) ) can be accessed by local applications (system applications, third-party applications), and authorize the corresponding device (the device that logs in to the authorized account) to operate the local media data (read-only, read-write).
图4a为本申请再一个实施例提供的个人设备授权流程图,如图3所示,可以通过个人设备的媒体库配置媒体数据分享权限,其中。该媒体分享权限的配置方式可以包括批量配置和单个配置。FIG. 4a is a flow chart of personal device authorization provided by another embodiment of the present application. As shown in FIG. 3 , the media data sharing permission can be configured through the media library of the personal device, wherein. The configuration mode of the media sharing authority may include batch configuration and individual configuration.
在采用批量配置的方式下,可以对一组或多组媒体数据进行分享权限配置,其中该一组媒体数据可以为目标文件夹内存储的数据。即,可以对一个文件夹进行分享权限配置。In the mode of batch configuration, one or more groups of media data can be configured for sharing rights, wherein the group of media data can be the data stored in the target folder. That is, you can configure sharing permissions for a folder.
在采用单个配置的方式下,可以以单个媒体数据粒度进行分享权限配置,其中,单个媒体数据粒度可以为某张图片、当段视频或某个文本文件等。即,可以对某张图片、当段视频或某个文本文件进行分享权限配置。In the way of single configuration, the sharing permission configuration can be performed at the granularity of a single media data, where the granularity of a single media data can be a certain picture, a current segment of video, or a certain text file. That is, you can configure sharing permissions for a picture, a video or a text file.
在采用批量配置或单个配置的方式下,在一种实施方式中,至少配置可以访问目标媒体数据(文件夹或单粒度文件)的账号。举例来说,在分布式架构下的设备群体包含的登录账号包括账号A、账号B、账号C…。可以通过个人设备的媒体库配置上述多个账号 中可以访问本地媒体数据的账号,具体地,针对上述多个账号,可以将目标账号(如账号A和账号B)作为授权账号,则登录账号A或者登录账号B的相应设备可以对本设备进行跨设备访问。In the mode of batch configuration or individual configuration, in one embodiment, at least an account that can access the target media data (folder or single-grained file) is configured. For example, the login accounts included in the device group under the distributed architecture include account A, account B, account C . . . The account that can access the local media data among the above-mentioned multiple accounts can be configured through the media library of the personal device. Specifically, for the above-mentioned multiple accounts, the target account (such as account A and account B) can be used as the authorized account, and the login account A Or the corresponding device logged in account B can access the device across devices.
在一种实施方式中,一些用户(例如家中的老人和小孩)并不具有自己的账号,但该类用户可以使用共享设备对其他设备进行跨设备访问。为实现对该类用户进行跨设备访问授权,可以通过个人设备的媒体库分别配置该类用户所具有的身份标识的访问权限,以得到相应的授权身份标识,例如,可以配置具有该授权身份标识的用户仅可访问本地媒体数据中的可共享数据,该可共享数据可以为相册中共享相册、视频应用中的共享视频、通讯录中的共享联系人。需要说明的是该共享数据的共享权限可预先配置。In one embodiment, some users (such as the elderly and children at home) do not have their own accounts, but such users can use the shared device to access other devices across devices. In order to implement cross-device access authorization for this type of user, you can configure the access rights of the identity of this type of user through the media library of the personal device to obtain the corresponding authorization identity. For example, you can configure The user of , can only access the shareable data in the local media data, and the shareable data can be a shared album in an album, a shared video in a video application, and a shared contact in an address book. It should be noted that the sharing authority of the shared data can be pre-configured.
举例来说,在家庭场景中,平板电脑的使用账号A登录为家庭成员中“爸爸”注册的账号,并且家庭成员中“妈妈”和“孩子”均可解锁该平板电脑。若平板电脑在解锁阶段识别当前用户信息“孩子”,并在用户通过解锁认证后将该“孩子”身份标识)标记为认证身份标识(“孩子”身份)。For example, in a family scenario, account A of the tablet computer is logged in as an account registered by "dad" in the family member, and both "mother" and "child" in the family member can unlock the tablet computer. If the tablet computer recognizes the current user information "child" in the unlocking stage, and marks the "child" identity) as the authentication identity ("child" identity) after the user passes the unlock authentication.
在其他实施方式中,还可以配置登录授权账号的设备可访问的应用。其中,个人设备中安装有若干个系统应用(例如相册、备忘录等)以及若干个三方应用(例如视频APP、音乐APP、网课APP、WPS等)。可以通过个人设备的媒体库配置登录授权账号的设备可访问的应用。In other implementation manners, it is also possible to configure the applications that can be accessed by devices that log in to the authorized account. Among them, several system applications (such as photo album, memo, etc.) and several third-party applications (such as video APP, music APP, online class APP, WPS, etc.) are installed in the personal device. You can configure the apps that can be accessed by devices that log in to the authorized account through the media library of the personal device.
在其他实施方式中,还可以配置登录授权账号的设备对可访问媒体数据的操作权限。其中,该操作权限包括只读和读写。In other implementation manners, it is also possible to configure the operation authority of the device that logs in the authorized account to the accessible media data. Wherein, the operation authority includes read-only and read-write.
在一些实施方式中,可以对不同的账号配置不同的权限。即,登录不同账号的设备在访问某个个人设备时,可访问的媒体数据可以不同,对媒体数据的操作权限可以不同。举例来说,在分布式架构下,使用账号A登录的设备和登录账号B的设备在访问登录账号C的设备时,根据登录账号C的设备对账号A和账号B配置的不同权限,使用账号A登录的设备可以访问登录账号C中系统应用中的数据,而登录账号B的设备可以访问登录账号C中系统应用中的数据以及部分三方应用的数据。In some implementations, different permissions can be configured for different accounts. That is, when devices logged in with different accounts access a certain personal device, the media data that can be accessed may be different, and the operation rights to the media data may be different. For example, in a distributed architecture, when a device logged in with account A and a device logged in with account B access a device logged in with account C, the account The device logged in by A can access the data in the system application in the login account C, and the device in the login account B can access the data in the system application in the login account C and the data of some third-party applications.
在一些实施方式中,还可以对使用登录相同账号设备的不同用户配置不同的权限。即,使用登录同账号设备的用户在访问登录同账号的个人设备时,可访问的媒体数据可以不同。举例来说,用户x(老人或小孩)可以使用账号A登录的共享设备(大屏或平板电脑)访问使用账号A登录的个人设备(小孩爸爸的手机),为保证使用账号A登录的个人设备(小孩爸爸的手机)中数据的隐私性和安全性,可以配置使用账号A登录的共享设备(大屏或平板电脑)的用户(各个家庭成员)对使用账号A登录的个人设备(小孩爸爸的手机)的访问权限。其中,可以在使用账号A登录的共享设备的用户解锁设备时识别当前用户身份,进而可以在该用户进行跨设备访问时根据解锁是获取到的用户身份确定相应的跨设备访问权限。In some implementations, different permissions can be configured for different users who log in to the device with the same account. That is, when a user using a device logged in with the same account accesses a personal device logged in with the same account, the accessible media data may be different. For example, user x (the elderly or a child) can use the shared device (large screen or tablet) logged in with account A to access the personal device (the mobile phone of the child's father) logged in with account A. To ensure that the personal device logged in with account A The privacy and security of data in (the mobile phone of the child’s father) can be configured by users (each family member) of the shared device (big screen or tablet) logged in with account A to the personal device (the child’s father’s) logged in with account A mobile phone) access. Among them, the current user identity can be identified when the user of the shared device logged in with account A unlocks the device, and then the corresponding cross-device access permission can be determined according to the user identity obtained during unlocking when the user performs cross-device access.
图4b为本申请一个实施例提供的跨设备访问控制方法的流程图,如图4b所示,该跨设备访问控制方法可以包括以下步骤:Fig. 4b is a flowchart of a cross-device access control method provided by an embodiment of the present application. As shown in Fig. 4b, the cross-device access control method may include the following steps:
步骤301:在设备A请求访问跨设备媒体数据时,设备A的媒体库可以确定设备A当前是否处于认证时效内,若处于认证时效内,则执行步骤302,若超出认证时效,则执行步骤303。Step 301: When device A requests to access cross-device media data, the media library of device A can determine whether device A is currently within the authentication time limit. If it is within the authentication time limit, perform step 302; if it exceeds the authentication time limit, perform step 303 .
步骤302:设备A的媒体库通过认证账号获取访问权限,并基于访问权限访问目标跨设备媒体数据。Step 302: The media library of device A obtains access rights through the authentication account, and accesses target cross-device media data based on the access rights.
步骤303:设备A的媒体库执行二次认证,在二次认证通过后更新认证时效,并在二次认证通过后执行步骤302。Step 303: The media library of device A performs secondary authentication, updates the authentication time limit after the secondary authentication is passed, and executes step 302 after the secondary authentication is passed.
图4c为本申请再一个实施例提供的二次认证流程图,如图4c所示,在分布式架构下的设备群体中,设备A作为访问设备,设备B作为被访问设备。其中,该设备A和设备B可以为登录相同账号的设备,也可以为登录不同账号设备。在此情况下(设备A、B为登录相同账号的设备或登录不同账号的设备),该设备A可以为共享设备也可以为个人设备,并且设备B预先配置了本地媒体数据分享权限。Fig. 4c is a flow chart of secondary authentication provided by another embodiment of the present application. As shown in Fig. 4c, in the device group under the distributed architecture, device A serves as the accessing device, and device B serves as the accessed device. Wherein, the device A and the device B may be devices logged in with the same account, or devices logged in with different accounts. In this case (device A and B are devices logged in with the same account or devices logged in with different accounts), the device A can be a shared device or a personal device, and device B is pre-configured with local media data sharing permissions.
用户首先解锁设备A(解锁屏幕)完成首次认证,该首次认证的认证方式可以包括但不限于扫码、密码、刷脸、指纹、声音等认证方式。其中,可以通过该首次认证操作确定解锁设备A的用户的身份信息。用户在通过首次认证(解锁屏幕)后,获取并保存认证账号信息。The user first unlocks device A (unlock the screen) to complete the first authentication. The authentication methods of the first authentication may include but not limited to scan code, password, face, fingerprint, voice and other authentication methods. Wherein, the identity information of the user who unlocks the device A can be determined through the first authentication operation. After the user passes the first authentication (unlocking the screen), obtain and save the authentication account information.
为保证被访问设备(设备B)的媒体数据的隐私性和安全性,本申请实施例提供二次认证的认证操作,具体地,设备A的应用通过调用媒体库接口以访问跨设备媒体数据(设备B的媒体数据)后,媒体库可以判断当前是否需要进行二次认证,并且在当前认证有效或者认证通过后才能进行跨设备访问。In order to ensure the privacy and security of the media data of the accessed device (device B), the embodiment of the present application provides an authentication operation of secondary authentication. Specifically, the application of device A calls the media library interface to access the cross-device media data ( media data of device B), the media library can determine whether a second authentication is currently required, and cross-device access can only be performed after the current authentication is valid or passed.
在图4b所示实施例中,确定是否需要进行二次认证具体可以包括上述步骤301。在步骤301的具体实施中,可以确定当前是否仍处于认证时效内。图4d为本申请一个实施例提供的认证时效示意图,如图4d所示,在其中一种场景中,设备A在t
0时刻解锁成功,即,在t
0时刻完成用户首次认证操作,并且首次认证时确认使用的用户为机主(即,家庭成员中的爸爸)。t
0时刻至t
e时刻为用户首次认证的认证有效时段(t
0~t
e)。进一步地,可以确定设备A请求跨设备访问设备B的媒体数据的时刻是否处于上述认证有效时段(t
0~t
e)内;在另一种场景中,设备A执行过一次或多次二次认证,进一步地,可以确定设备A请求跨设备访问设备B的媒体数据的时刻是否处于上述二次认证的认证有效时段(t
0~t
e)内。需要说明的是,上述首次认证的认证有效时段和二次认证的认证有效时段的时长可以相同也可以不相同。根据是否处于上述认证有效时段(t
0~t
e)内的确定结果,若处于上述认证有效时段(t
0~t
e)内,确定当前处于认证时效内,则无需进行二次认证,设备A可以在该认证有效时段内访问设备B对设备A的授权媒体数据。
In the embodiment shown in FIG. 4 b , determining whether to perform secondary authentication may specifically include the above step 301 . In the specific implementation of step 301, it may be determined whether it is still within the authentication time limit. Figure 4d is a schematic diagram of the authentication time limit provided by an embodiment of the present application. As shown in Figure 4d, in one of the scenarios, device A is successfully unlocked at time t 0 , that is, the user's first authentication operation is completed at time t 0 , and the first time During authentication, the user confirmed to be used is the owner of the machine (that is, the dad in the family). Time t 0 to time t e is the authentication valid period (t 0 ~ t e ) for the user's first authentication. Further, it can be determined whether the moment when device A requests cross-device access to device B’s media data is within the above authentication valid period (t 0 ~ t e ); in another scenario, device A has performed one or more secondary For authentication, further, it may be determined whether the moment when device A requests cross-device access to device B's media data is within the validity period (t 0 -t e ) of the above-mentioned secondary authentication. It should be noted that, the duration of the authentication validity period of the first authentication and the authentication validity period of the second authentication may be the same or different. According to the determination result of whether it is within the above authentication valid period (t 0 ~t e ), if it is within the above authentication valid period (t 0 ~t e ), it is determined that it is currently within the authentication time limit, and there is no need for secondary authentication. Device A The media data authorized by device B to device A can be accessed within the validity period of the authentication.
在步骤302的具体实施中,如图3所示,设备A的媒体库可以在认证时效内通过通信总线向设备B发起连接,并向设备B发送跨设备访问请求(分布式访问请求),其中,该跨设备访问请求(分布式访问请求)中可以包括可以证明设备A当前处于认证时效内的认证账号信息。设备B的媒体库在接收到设备A发送的跨设备访问请求(分布式访问请求)后,可以根据该跨设备访问请求(分布式访问请求)中的认证账号信息查询相应账号(认定当前用户为机主,则对应的账号信息为设备A的登录账号)在设备B中的访问权限,设备B的媒体库将查询到的访问权限信息反馈给设备B的分布式文件系统,进而设备B的分布式文件系统可以根据设备A的登录账号在设备B中的访问权限,为设备A对设备B中的相应授权媒体数据访问提供相应的跨设备访问服务。In the specific implementation of step 302, as shown in Figure 3, the media library of device A can initiate a connection to device B through the communication bus within the authentication time limit, and send a cross-device access request (distributed access request) to device B, wherein , the cross-device access request (distributed access request) may include authentication account information that can prove that device A is currently within the authentication time limit. After receiving the cross-device access request (distributed access request) sent by device A, the media library of device B can query the corresponding account according to the authentication account information in the cross-device access request (distributed access request) (identify the current user as device owner, the corresponding account information is the access authority of device A’s login account) in device B, and the media library of device B feeds back the queried access authority information to the distributed file system of device B, and then the distribution of device B The file system can provide corresponding cross-device access services for the device A to access the corresponding authorized media data in the device B according to the access rights of the login account of the device A in the device B.
举例来说,如图3、图4c和图4d所示,设备A在t
1时刻请求跨设备访问设备B的媒体数据,设备A的媒体库确定t
1时刻处于认证有效时段(t
0~t
e)内,判定无需进行二次认证,设备A的通过通信总线向设备B发起连接,并在连接成功后,向设备B发送访问设备B相册的访问请求信息,且该访问请求信息中可以包括设备A的认证账号信息。设备B的媒体库可以根据设备A发送的分布式文件访问信息中的认证账号信息对应的认证账号的进行访问鉴权,并将鉴权结果反馈给设备B的分布式文件系统。其中,设备B媒体库的鉴权过程包括:确认设备A请求访问的媒体数据是否在设备A发送的分布式文件访问信息中的认证账号信息对应的认证账号的访问权限内,若在访问权限内则鉴权通过,若超出访问权限则鉴权失败。具体地,若设备A的该认证账号可以访问设备B的相册和备忘录,并且设备A的该认证账号仅对设备B的相册和备忘录具有只读操作权限,且设备A的要访问的目标媒体文件为相册,则鉴权通过,设备B媒体库将鉴权结果反馈给设备B的分布式文件系统,其中鉴权结果可以包括,设备A发送的分布式文件访问信息中的认证账号信息对应的认证账号鉴权通过,且该认证账号的访问权限包括设备A的该认证账号可以访问设备B的相册和备忘录,并且设备A的该认证账号仅对设备B的相册和备忘录具有只读操作权限。设备B的分布式文件系统可以允许设备A只读设备B的相册。
For example, as shown in Figure 3, Figure 4c and Figure 4d, device A requests cross-device access to device B's media data at time t 1 , and the media library of device A determines that time t 1 is in the authentication valid period (t 0 ~ t In e ), it is determined that no secondary authentication is required, and device A initiates a connection to device B through the communication bus, and after the connection is successful, sends access request information to device B to access the photo album of device B, and the access request information may include Authentication account information of device A. The media library of device B can perform access authentication according to the authentication account corresponding to the authentication account information in the distributed file access information sent by device A, and feed back the authentication result to the distributed file system of device B. Among them, the authentication process of the media library of device B includes: confirming whether the media data that device A requests to access is within the access authority of the authentication account corresponding to the authentication account information in the distributed file access information sent by device A, if it is within the access authority If the access authority is exceeded, the authentication fails. Specifically, if the authentication account of device A can access the photo album and memo of device B, and the authentication account of device A only has read-only operation permission for the photo album and memo of device B, and the target media file to be accessed by device A If it is an album, the authentication is passed, and the media library of device B will feed back the authentication result to the distributed file system of device B, where the authentication result may include the authentication account information corresponding to the authentication account information in the distributed file access information sent by device A The account authentication is passed, and the access rights of the authentication account include that the authentication account of device A can access the photo album and memo of device B, and the authentication account of device A only has read-only operation permission for the photo album and memo of device B. The distributed file system of device B can allow device A to read only device B's photo album.
在步骤303的具体实施中,若设备A的媒体库确定设备A请求跨设备访问设备B的媒体数据的时刻超出上述认证有效时段(t
0~t
e),确定当前已超出前一次认证(首次认证或二次认证)的认证时效,设备A的媒体库则可以执行二次认证。其中,该二次认证的认证方式可以包括但不限于扫码、密码、刷脸、指纹、声音等认证方式。在用户通过二次认证后,设备A的媒体库可以更新认证时效,并且设备A的媒体库可以通过通信总线向设备B发起连接,并向设备B发送跨设备访问请求(分布式访问请求),其中,该跨设备访问请求(分布式访问请求)中可以包括可以证明设备A通过二次认证的认证结果,且该认证结果中包含设备A的本次通过认证的账号信息。其中,该本次通过认证的账号信息可以为当前使用设备A的用户的身份账号信息。在二次认证通过后,可以更新认证账号时效,并且在二次认证通过后执行步骤302,即,通过认证账号获取访问权限,并基于访问权限访问设备B的目标媒体数据。
In the specific implementation of step 303, if the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the above authentication valid period (t 0 ~t e ), it is determined that the previous authentication (first time authentication or secondary authentication), the media library of device A can perform secondary authentication. Wherein, the authentication method of the secondary authentication may include but not limited to code scanning, password, facial recognition, fingerprint, voice and other authentication methods. After the user passes the secondary authentication, the media library of device A can update the authentication time limit, and the media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B, Wherein, the cross-device access request (distributed access request) may include an authentication result that can prove that the device A has passed the secondary authentication, and the authentication result includes the account information of the device A that has passed the authentication this time. Wherein, the account information that has passed the authentication this time may be the identity account information of the user currently using the device A. After the second authentication is passed, the validity period of the authentication account can be updated, and step 302 is executed after the second authentication is passed, that is, the access right is obtained through the authentication account, and the target media data of the device B is accessed based on the access right.
设备B的媒体库在接收到设备A发送的跨设备访问请求(分布式访问请求)后,可以根据该跨设备访问请求(分布式访问请求)中的认证结果进行访问鉴权,以查询相应账号(本次通过认证的账号信息)在设备B中的访问权限,设备B的媒体库将查询到的访问权限信息反馈给设备B的分布式文件系统,进而设备B的分布式文件系统可以根据本次通过认证的账号信息在设备B中的访问权限授权设备A访问设备B中的相应授权媒体数据。After receiving the cross-device access request (distributed access request) sent by device A, the media library of device B can perform access authentication according to the authentication result in the cross-device access request (distributed access request) to query the corresponding account (The account information that has passed the authentication this time) access rights in device B, the media library of device B will feed back the queried access rights information to the distributed file system of device B, and then the distributed file system of device B can be based on this The access authority of the account information that passes the authentication for the second time in the device B authorizes the device A to access the corresponding authorized media data in the device B.
举例来说,如图3、图4c和图4d所示,设备A在t
2时刻请求跨设备访问设备B的媒体数据,设备A的媒体库确定t
2时刻已超出认证有效时段(t
0~t
e),设备A的媒体库判定用户需要进行二次认证,并在认证通过后才能进行跨设备访问。具体地,设备A可以对当前用户进行指纹识别认证,在用户通过指纹识别认证后,设备A通过通信总线向设备B发起连接,并在连接成功后,向设备B发送请求访问设备B相册的分布式文件访问信息,且该分布式文件访问信息中包括可以证明设备A通过二次认证(指纹识别认证)的认证结果,且该认证结果中包含本次通过认证的账号信息。设备B的媒体库根据设备A发送的分布式文件访问信息中的认证结果信息查询到本次通过认证的账号可以访问设备B的相册和备 忘录,并且设备A仅对设备B的相册和备忘录具有只读操作权限,进而设备B可以授权设备A只读设备B的相册。
For example, as shown in Figure 3, Figure 4c and Figure 4d, device A requests cross-device access to device B's media data at time t2 , and the media library of device A determines that time t2 has exceeded the authentication valid period (t 0 ~ t e ), the media library of device A determines that the user needs to perform secondary authentication, and cross-device access can only be performed after the authentication is passed. Specifically, device A can perform fingerprint identification and authentication on the current user. After the user passes fingerprint identification and authentication, device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a request to device B to access the distribution of device B's album. Type file access information, and the distributed file access information includes an authentication result that can prove that device A has passed the secondary authentication (fingerprint identification authentication), and the authentication result includes the account information that has passed the authentication this time. According to the authentication result information in the distributed file access information sent by device A, the media library of device B finds that the account that has passed the authentication can access device B's photo album and memo, and device A only has exclusive rights to device B's photo album and memo. Read operation permission, and then device B can authorize device A to read only device B's photo album.
图4e为本申请另一个实施例提供的跨设备访问控制方法的流程图,如图4e所示,该跨设备访问控制方法可以包括以下步骤:Fig. 4e is a flowchart of a cross-device access control method provided by another embodiment of the present application. As shown in Fig. 4e, the cross-device access control method may include the following steps:
步骤411:在访问设备的媒体库请求访问跨设备媒体数据时,访问设备的媒体库可以确定访问设备当前是否处于认证时效内,若处于认证时效内,则执行步骤412,若超出认证时效,则执行步骤413。Step 411: When the media library of the access device requests access to cross-device media data, the media library of the access device can determine whether the access device is currently within the authentication time limit, if it is within the authentication time limit, then execute step 412, if it exceeds the authentication time limit, then Execute step 413.
步骤412:访问设备的媒体库通过认证账号获取第一访问权限,并基于第一访问权限访问目标跨设备媒体数据。Step 412: The media library of the access device obtains the first access authority through the authentication account, and accesses the target cross-device media data based on the first access authority.
步骤413:访问设备的媒体库通过认证身份标识获取第二访问权限,并基于第二访问权限访问目标媒体数据。Step 413: The media library of the access device obtains the second access right through the authentication identity, and accesses the target media data based on the second access right.
步骤414:确定基于认证身份标识对应的第二访问权限是否成功跨设备访问目标媒体数据,若未访问成功,则执行步骤415,若访问成功则执行步骤416。Step 414: Determine whether the target media data is successfully accessed across devices based on the second access authority corresponding to the authentication identity. If the access is not successful, perform step 415, and if the access is successful, perform step 416.
步骤415:执行二次认证,并在认证通过后更新认证时效。Step 415: Perform secondary authentication, and update the authentication time limit after the authentication is passed.
步骤416:更新认证身份标识的认证时效。Step 416: Update the authentication time limit of the authentication ID.
在图4e所示实施例中,用户在通过首次认证(解锁屏幕)后,获取身份标识,并可以将该通过认证的身份标识标记为认证身份标识。In the embodiment shown in FIG. 4e, after the user passes the first authentication (unlocks the screen), the user obtains an identity, and can mark the authenticated identity as an authentication identity.
在步骤411的具体实施中,可以在设备A请求访问跨设备媒体数据时,设备A的媒体库可以确定设备A当前是否处于认证时效内,若处于认证时效内,则执行步骤412。In the specific implementation of step 411, when device A requests to access cross-device media data, the media library of device A can determine whether device A is currently within the authentication time limit, and if it is within the authentication time limit, perform step 412.
步骤412的具体实施与上述图4b所示实施例中的步骤302的具体实施类似,在此不再赘述。The specific implementation of step 412 is similar to the specific implementation of step 302 in the above-mentioned embodiment shown in FIG. 4 b , and will not be repeated here.
在步骤413的具体实施中,若设备A的媒体库确定设备A请求跨设备访问设备B的媒体数据的时刻超出前一次认证的认证有效时段(t
0~t
e),确定当前已超出认证时效,设备A的媒体库可以通过上述认证身份标识获取设备B对认证身份标识的授权。具体地,设备A的文件系统媒体库可以通过通信总线向设备B发起连接,并向设备B发送跨设备访问请求(分布式访问请求),其中,该跨设备访问请求(分布式访问请求)中可以包括上述认证身份标识。例如,当前使用设备A的用户为家庭成员中的小孩,在认证阶段(如指纹识别)即可确定当前使用设备A的用户身份,并在该用户通过本次认证后,其认证结果中所包含的设备A的本次通过认证的身份标识信息为“小孩”的认证身份标识。设备B的媒体库在接收到设备A发送的跨设备访问请求(分布式访问请求)后,可以根据该跨设备访问请求(分布式访问请求)中的认证身份标识进行访问鉴权,以查询该认证身份标识在设备B中的访问权限,设备B的媒体库将查询到的认证身份标识在设备B中的访问权限信息反馈给设备B的分布式文件系统,进而设备B的分布式文件系统可以根据当前的认证身份标识在设备B中的访问权限授权设备A访问设备B中的相应授权媒体数据。其中,设备B的分布式文件系统确定设备A要访问的目标媒体数据超出认证身份标识的访问权限后,将鉴权结果(访问失败)通过通信总线反馈给设备A的媒体库。
In the specific implementation of step 413, if the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the authentication validity period (t 0 ~t e ) of the previous authentication, it is determined that the current authentication time limit has expired , the media library of device A can obtain the authorization of device B for the authentication identity through the authentication identity. Specifically, the file system media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B, wherein, in the cross-device access request (distributed access request) The above-mentioned authentication identity can be included. For example, if the user currently using device A is a child in a family member, the identity of the user currently using device A can be determined in the authentication stage (such as fingerprint identification), and after the user passes this authentication, the authentication result contains The identity information of the device A that has passed the authentication this time is the authentication identity of the "child". After receiving the cross-device access request (distributed access request) sent by device A, the media library of device B can perform access authentication according to the authentication identity in the cross-device access request (distributed access request) to query the To authenticate the access rights of the ID in device B, the media library of device B feeds back the access rights information of the queried authentication ID in device B to the distributed file system of device B, and then the distributed file system of device B can The device A is authorized to access the corresponding authorized media data in the device B according to the access right identified in the device B according to the current authentication identity. Wherein, after the distributed file system of device B determines that the target media data to be accessed by device A exceeds the access authority of the authentication identity, it feeds back the authentication result (access failure) to the media library of device A through the communication bus.
在步骤414的具体实施中,设备B的媒体库在确定设备A发送的认证身份标识是否具有访问权限后,可以通过通信总线将鉴权结果反馈给设备A,设备A的媒体库可以根据 设备B的媒体库反馈的鉴权结果确定是否访问成功,若访问失败(即,认证身份标识对应的权限无权访问)则执行二次认证,若访问成功则更新认证身份标识的时效。In the specific implementation of step 414, after the media library of device B determines whether the authentication identity sent by device A has access rights, it can feed back the authentication result to device A through the communication bus, and the media library of device A can The authentication result fed back by the media library determines whether the access is successful. If the access fails (that is, the authority corresponding to the authentication ID has no right to access), the secondary authentication is performed. If the access is successful, the time limit of the authentication ID is updated.
步骤415的具体实施与图4b所示实施例中的步骤303的具体实施类似,在此不再赘述。The specific implementation of step 415 is similar to the specific implementation of step 303 in the embodiment shown in FIG. 4b , and will not be repeated here.
在步骤416的具体实施中,若基于认证身份标识对应的权限访问成功,则更新认证身份标识的时效,即,在确认访问成功后开始计时,计时时长可以与上述首次认证后的认证时效或者上述二次认证后的认证时效相同。In the specific implementation of step 416, if the access based on the authority corresponding to the authentication identity is successful, then update the timeliness of the authentication identity, that is, start counting after confirming that the access is successful. The time limit for authentication after the second authentication is the same.
举例来说,如图3、图4c和图4f所示,设备A在t
3时刻请求跨设备访问设备B的媒体数据,设备A的媒体库确定t
3时刻已超出认证有效时段,设备A的媒体库可以通过认证身份标识获取设备B对认证身份标识的授权。设备A通过通信总线向设备B发起连接,并在连接成功后,向设备B发送请求访问设备B相册的跨设备访问请求信息,且该跨设备访问请求信息中包括设备A当前用户的认证身份标识。
For example, as shown in Figure 3, Figure 4c and Figure 4f, device A requests cross-device access to device B's media data at time t3 , and the media library of device A determines that time t3 has exceeded the valid authentication period, and device A's The media library can obtain the authorization of the device B for the authentication identity through the authentication identity. Device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a cross-device access request message to device B requesting access to the photo album of device B, and the cross-device access request message includes the authentication identity of the current user of device A .
设备B的媒体库根据设备A发送的跨设备访问请求信息中的认证身份标识进行访问鉴权,以查询认证身份标识对应的访问授权,并根据设备A发送的跨设备访问请求信息中的认证身份标识进行访问鉴权,并将鉴权结果反馈给设备B的分布式文件系统。其中,设备B媒体库的鉴权过程包括:确认设备A请求访问的媒体数据是否在设备A发送的分布式文件访问信息中的认证身份标识的访问权限(第二访问权限)内,若在第二访问权限内则鉴权通过,若超出第二访问权限则鉴权失败。具体地,若设备A的认证身份标识可以访问设备B的相册,并且设备A仅对设备B的相册具有只读操作权限,且设备A的要访问的目标媒体文件为相册,则鉴权通过,设备B媒体库将鉴权结果反馈给设备B的分布式文件系统,其中鉴权结果可以包括,设备A发送的分布式文件访问信息中的认证身份标识鉴权通过,且该认证身份标识的访问权限包括设备A的当前用户可以访问设备B的相册,并且设备A仅对设备B的相册具有只读操作权限。设备B的分布式文件系统确定设备A对设备B的访问权限后,根据该访问权限对设备A开放相应媒体数据,以使设备A可以进行跨设备访问。The media library of device B performs access authentication according to the authentication identity in the cross-device access request information sent by device A to query the access authorization corresponding to the authentication identity, and according to the authentication identity in the cross-device access request information sent by device A The identification performs access authentication, and the authentication result is fed back to the distributed file system of device B. Wherein, the authentication process of device B's media library includes: confirming whether the media data that device A requests to access is within the access authority (second access authority) of the authentication identity identifier in the distributed file access information sent by device A, if If it is within the second access authority, the authentication will pass, and if it exceeds the second access authority, the authentication will fail. Specifically, if the authentication identity of device A can access the photo album of device B, and device A only has read-only operation permission for the photo album of device B, and the target media file to be accessed by device A is the photo album, then the authentication is passed. The media library of device B feeds back the authentication result to the distributed file system of device B, where the authentication result may include that the authentication identity in the distributed file access information sent by device A passes the authentication, and the access of the authentication identity Permissions include that the current user of device A can access device B's photo album, and device A only has read-only operation permission for device B's photo album. After the distributed file system of device B determines the access rights of device A to device B, it releases corresponding media data to device A according to the access rights, so that device A can perform cross-device access.
若设备A的媒体库确定设备A请求跨设备访问设备B的媒体数据的时刻超出前一次认证的认证有效时段(t
0~t
e),并且通过设备A的认证身份标识访问失败的情况下(设备A的媒体库获取到设备B的媒体库发送的鉴权失败的消息,即,基于认证身份标识对应的权限无法访问目标媒体数据),设备A的媒体库则可以执行二次认证。其中,该二次认证的认证方式可以包括但不限于扫码、密码、刷脸、指纹、声音等认证方式。在用户通过二次认证后,设备A的媒体库可以更新认证时效,并且设备A的媒体库可以通过通信总线向设备B发起连接,并向设备B发送跨设备访问请求(分布式访问请求),其中,该跨设备访问请求(分布式访问请求)中可以包括可以证明设备A通过二次认证的认证结果,且该认证结果中包含本次通过认证的账号信息。设备B的媒体库在接收到设备A发送的跨设备访问请求(分布式访问请求),进而设备B的媒体库可以根据该跨设备访问请求(分布式访问请求)中的认证结果进行访问鉴权,以查询相应账号(当前用户通过二次认证后的认证身份标识)在设备B中的访问权限,并将查询到的访问权限信息反馈给设备B的分布式文件系统,进而设备B的分布式文件系统可以根据当前的认证身份标识在设备B中的访问权限授权设备A访问设备B中的相应授权媒体数据。
If the media library of device A determines that the time when device A requests cross-device access to the media data of device B exceeds the authentication validity period of the previous authentication (t 0 ~t e ), and the access fails through the authentication identity of device A ( The media library of device A obtains the authentication failure message sent by the media library of device B, that is, the target media data cannot be accessed based on the authority corresponding to the authentication identity), and the media library of device A can perform secondary authentication. Wherein, the authentication method of the secondary authentication may include but not limited to code scanning, password, facial recognition, fingerprint, voice and other authentication methods. After the user passes the secondary authentication, the media library of device A can update the authentication time limit, and the media library of device A can initiate a connection to device B through the communication bus, and send a cross-device access request (distributed access request) to device B, Wherein, the cross-device access request (distributed access request) may include an authentication result that can prove that device A has passed the secondary authentication, and the authentication result includes account information that has passed the authentication this time. The media library of device B receives the cross-device access request (distributed access request) sent by device A, and then the media library of device B can perform access authentication according to the authentication result in the cross-device access request (distributed access request) , to query the access rights of the corresponding account (the current user's authentication identity after the second authentication) in device B, and feed back the queried access rights information to the distributed file system of device B, and then the distributed file system of device B The file system can authorize device A to access the corresponding authorized media data in device B according to the current authentication ID's access rights in device B.
其中,需要说明的是,由于被访问设备(设备B)配置访问设备(设备A)的访问权限时,可以分别配置设备A的认证账号的第一访问权限和设备B的认证身份标识的第二访问权限,并且该第一访问权限和第二访问权限可以不相同,在一些实施方式中,认证账号的第一访问权限高于认证身份标识的第二访问权限。因此,设备A在超出认证时效后通过认证身份标识获取到第二访问权限并访问设备B时,可能存在访问目标文件失败的可能,进而在访问失败后,设备A的媒体库可以对当前用户进行二次认证,并在用户通过二次认证后通过认证结果获取设备B授权的认证账号的第一访问权限,并在获取到该认证账号的第一访问权限后访问设备B的授权媒体数据。Among them, it should be noted that when the accessed device (device B) configures the access rights of the access device (device A), the first access right of the authentication account of device A and the second access right of the authentication identity of device B can be configured respectively. access rights, and the first access rights and the second access rights may be different. In some implementations, the first access rights of the authentication account are higher than the second access rights of the authentication ID. Therefore, when device A obtains the second access authority through the authentication identity and accesses device B after the expiration of the authentication time limit, there may be a possibility of failure to access the target file, and then after the access fails, the media library of device A can perform Second authentication, and after the user passes the second authentication, obtain the first access authority of the authentication account authorized by device B through the authentication result, and access the authorized media data of device B after obtaining the first access authority of the authentication account.
举例来说,如图3、图4c和图4g所示,设备A在t
3时刻请求跨设备访问设备B的媒体数据,设备A的媒体库确定t
3时刻已超出认证有效时段,并且设备A的媒体库通过认证身份标识获取第二访问权限,通过第二访问权限访问目标文件失败。在上述访问失败的情况下,设备A的媒体库则可以执行二次认证,以获取权限更高的第一访问权限。具体地,设备A可以对当前用户进行面部识别认证,在用户通过面部识别认证后,设备A通过通信总线向设备B发起连接,并在连接成功后,向设备B发送请求访问设备B的第三方视频APP中缓存视频的分布式文件访问信息,且该分布式文件访问信息中包括可以证明设备A通过二次认证(面部识别认证)的认证结果,且该认证结果中包含本次通过认证的账号信息。设备B的媒体库根据设备A发送的分布式文件访问信息中的认证结果信息查询到设备A可以访问设备B的相册、备忘录、所有第三方视频APP和所有第三方网课APP,并且设备A对设备B中的上述授权媒体数据具有读写操作权限,进而设备B可以授权设备A访问设备B的目标视频APP中的缓存视频。
For example, as shown in Figure 3, Figure 4c and Figure 4g, device A requests cross-device access to device B's media data at time t3 , the media library of device A determines that time t3 has exceeded the authentication valid period, and device A The media library obtained the second access authority through the authentication identity, but failed to access the target file through the second access authority. In the case of the failure of the above access, the media library of device A may perform secondary authentication to obtain the first access authority with higher authority. Specifically, device A can perform facial recognition authentication on the current user. After the user passes facial recognition authentication, device A initiates a connection to device B through the communication bus, and after the connection is successful, sends a third-party request to device B to access device B. The distributed file access information of the video is cached in the video APP, and the distributed file access information includes the authentication result that can prove that device A has passed the second authentication (facial recognition authentication), and the authentication result includes the account that passed the authentication this time information. According to the authentication result information in the distributed file access information sent by device A, the media library of device B finds that device A can access device B's photo album, memo, all third-party video apps and all third-party online class apps, and device A The above-mentioned authorized media data in device B has read and write operation permissions, and then device B can authorize device A to access the cached video in the target video APP of device B.
在本申请的任意实施例中,设备A在监听到锁屏事件后,设备A的媒体库可以清空认证账号。用户再次解锁设备A后,通过认证并更新认证时效。进一步地,为了避免频繁拉起二次认证界面,在设备A的认证时效内,任意一个应用触发的认证结果,都其他应用均有效,无需重复认证,以保障用户的良好体验。举例来说,用户在使用设备A中的即时通讯APP时请求跨设备访问设备B的媒体数据,且设备A在认证时效内(首次认证时效内或二次认证时效内),并在社交APP中完成跨设备访问。用户切换至设备A的日历程序并再次请求跨设备访问设备B的媒体数据时,若此时设备A仍在认证时效内,则无需因设备A切换应用而再次二次认证。In any embodiment of the present application, after device A monitors the lock screen event, the media library of device A may clear the authentication account. After the user unlocks device A again, he passes the authentication and updates the authentication time limit. Furthermore, in order to avoid frequently pulling up the secondary authentication interface, within the authentication time limit of device A, the authentication result triggered by any application is valid for other applications, and there is no need for repeated authentication to ensure a good user experience. For example, when using the instant messaging APP in device A, the user requests cross-device access to the media data of device B, and device A is within the authentication time limit (within the first authentication time limit or the second authentication time limit), and in the social APP Complete cross-device access. When the user switches to the calendar program of device A and requests cross-device access to the media data of device B again, if device A is still within the authentication time limit at this time, there is no need to re-authenticate because device A switches applications.
图5为本申请再一个实施例提供的跨设备访问控制装置的流程图,如图5所示,该装置可以包括处理器501和存储器502,存储器502用于存储至少一条指令,所述指令由处理器501加载并执行时以实现图4b或图4e所示实施例提供的跨设备访问控制方法。Fig. 5 is a flow chart of an apparatus for cross-device access control provided by another embodiment of the present application. As shown in Fig. 5, the apparatus may include a processor 501 and a memory 502, and the memory 502 is used to store at least one instruction, which is determined by When loaded and executed by the processor 501, the cross-device access control method provided by the embodiment shown in FIG. 4b or 4e is implemented.
本申请再一个实施例还提供一种设备,该设备可以包括设备本体和图5所示实施例提供的跨设备访问控制装置。Another embodiment of the present application also provides a device, which may include a device body and the cross-device access control apparatus provided in the embodiment shown in FIG. 5 .
本申请在于给实施例还提供一种系统,该系统可以包括至少两台上述设备,在一种实施方式中,所述至少两台设备可以使用同一账号登录。在另一种实施方式中,所述至少两个设备所登录的账号可以不同。该系统的架构图可以如图2所示,但并不限于图2所示的结构。The purpose of the present application is to provide an embodiment of a system, the system may include at least two devices described above, and in an implementation manner, the at least two devices may use the same account to log in. In another implementation manner, the accounts logged in by the at least two devices may be different. The architecture diagram of the system may be as shown in FIG. 2 , but is not limited to the structure shown in FIG. 2 .
本申请再一个实施例还提供一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现图4b或图4e所示实施例提供的跨设备访问控制方法。Another embodiment of the present application also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the cross-device access control method provided by the embodiment shown in FIG. 4b or 4e is implemented.
需要说明的是,本发明实施例中所涉及的终端可以包括但不限于个人计算机(Personal Computer,PC)、个人数字助理(Personal Digital Assistant,PDA)、无线手持设备、平板电脑(Tablet Computer)、手机、MP3播放器、MP4播放器等。It should be noted that the terminals involved in the embodiments of the present invention may include, but are not limited to, personal computers (Personal Computer, PC), personal digital assistants (Personal Digital Assistant, PDA), wireless handheld devices, tablet computers (Tablet Computer), Mobile phones, MP3 players, MP4 players, etc.
可以理解的是,所述应用可以是安装在终端上的应用程序(nativeApp),或者还可以是终端上的浏览器的一个网页程序(webApp),本发明实施例对此不进行限定。It can be understood that the application may be an application program (nativeApp) installed on the terminal, or may also be a webpage program (webApp) of a browser on the terminal, which is not limited in this embodiment of the present invention.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本发明所提供的几个实施例中,应该理解到,所揭露的系统,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如,多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined Or it can be integrated into another system, or some features can be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware, or in the form of hardware plus software functional units.
上述以软件功能单元的形式实现的集成的单元,可以存储在一个计算机可读取存储介质中。上述软件功能单元存储在一个存储介质中,包括若干指令用以使得一台计算机装置(可以是个人计算机,服务器,或者网络装置等)或处理器(Processor)执行本发明各个实施例所述方法的部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The above-mentioned integrated units implemented in the form of software functional units may be stored in a computer-readable storage medium. The above-mentioned software functional units are stored in a storage medium, and include several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) or a processor (Processor) execute the methods described in various embodiments of the present invention. partial steps. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disc and other media that can store program codes. .
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本发明保护的范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the present invention. within the scope of protection.
最后应说明的是:以上各实施例仅用以说明本发明的技术方案,而非对其限制;尽管参照前述各实施例对本发明进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分或者全部技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than limiting them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: It is still possible to modify the technical solutions described in the foregoing embodiments, or perform equivalent replacements for some or all of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the technical solutions of the various embodiments of the present invention. scope.
Claims (15)
- 一种跨设备访问控制方法,执行于第一设备,其特征在于,所述方法包括:A method for cross-device access control, executed on a first device, characterized in that the method includes:在请求访问跨设备媒体数据时,若确定所述第一设备当前已超出认证时效,则对当前用户进行二次认证,并在所述二次认证通过后更新认证时效;以及When requesting access to cross-device media data, if it is determined that the first device has exceeded the authentication expiration date, then perform secondary authentication on the current user, and update the authentication expiration date after the second authentication is passed; and在所述二次认证通过后发送跨设备访问请求信息给第二设备,所述跨设备访问请求信息包括通过所述二次认证的认证账号,以通过所述认证账号获取第一访问权限,并基于所述第一访问权限跨设备访问所述第二设备中存储的目标媒体数据。Send cross-device access request information to the second device after the second authentication is passed, the cross-device access request information includes an authentication account that has passed the second authentication, so as to obtain the first access right through the authentication account, and The target media data stored in the second device is accessed across devices based on the first access right.
- 根据权利要求1所述的方法,其特征在于,所述确定所述第一设备当前已超出认证时效包括:The method according to claim 1, wherein the determining that the first device has exceeded the authentication time limit currently comprises:确定所述第一设备当前是否处于最近一次认证的认证时效内,其中,所述最近一次认证包括首次认证或所述二次认证,所述首次认证包括屏幕解锁认证。Determine whether the first device is currently within the authentication time limit of the latest authentication, where the latest authentication includes first authentication or the second authentication, and the first authentication includes screen unlock authentication.
- 根据权利要求2所述的跨设备访问控制方法,其特征在于,所述若确定所述第一设备当前已超出认证时效,则对当前用户进行二次认证包括:The cross-device access control method according to claim 2, wherein if it is determined that the first device has exceeded the authentication time limit, performing secondary authentication on the current user includes:若确定所述第一设备当前已超出认证时效,并确定基于认证身份标识对应的第二访问权限访问失败时,则对当前用户进行二次认证,并在所述二次认证通过后更新认证时效;以及If it is determined that the first device is currently out of the authentication time limit, and it is determined that the second access right based on the authentication identity fails to access, perform secondary authentication on the current user, and update the authentication time limit after the secondary authentication is passed ;as well as在所述二次认证通过后根据通过所述二次认证的认证账号获取第一访问权限,并基于所述第一访问权限跨设备访问第二设备中存储的目标媒体数据。After the second authentication is passed, the first access right is obtained according to the authentication account that has passed the second authentication, and the target media data stored in the second device is accessed across devices based on the first access right.
- 根据权利要求3所述的方法,其特征在于,在所述确定基于认证身份标识对应的访问权限访问失败之前,所述确定所述第一设备当前已超出认证时效之后,还包括:The method according to claim 3, characterized in that before the determination is based on the failure of the access right corresponding to the authentication identity, after the determination that the first device is currently out of the authentication time limit, further comprising:发送跨设备访问请求信息给第二设备,所述跨设备访问请求信息包括认证身份标识,以通过所述认证身份标识获取第二访问权限,并基于所述第二访问权限跨设备访问所述第二设备中存储的目标媒体数据,并确定是否成功访问所述第二设备中存储的目标媒体数据。Send cross-device access request information to the second device, where the cross-device access request information includes an authentication identity, so as to obtain a second access right through the authentication identity, and access the second access across devices based on the second access right. target media data stored in the second device, and determine whether the target media data stored in the second device is accessed successfully.
- 根据权利要求3所述的方法,其特征在于,所述通过认证身份标识获取第二访问权限之前,还包括:The method according to claim 3, characterized in that before obtaining the second access right through the authentication identity, further comprising:将通过所述最近一次认证的身份标识标记为所述认证身份标识。Mark the identity that has passed the latest authentication as the authenticated identity.
- 根据权利要求5所述的方法,其特征在于,所述将通过所述最近一次认证的身份标识标记为所述认证身份标识包括:The method according to claim 5, wherein marking the identity that has passed the latest authentication as the authentication identity includes:在认证阶段获取当前用户身份信息,并将通过所述最近一次认证的身份标识标记为与所述当前用户身份信息相匹配的所述认证身份标识。In the authentication phase, the current user identity information is obtained, and the identity that passed the latest authentication is marked as the authentication identity that matches the current user identity information.
- 根据权利要求5所述的方法,其特征在于,在所述将通过所述最近一次认证的身份标识标记为所述认证身份标识之后,还包括:The method according to claim 5, further comprising: after marking the identity that passed the latest authentication as the authentication identity:若监听到锁屏事件,则清空所述认证时效和所述认证身份标识。If the lock screen event is monitored, then clear the authentication time limit and the authentication identity.
- 根据权利要求4所述的方法,其特征在于,所述确定是否成功访问所述第二设备中存储的目标媒体数据包括:The method according to claim 4, wherein the determining whether to successfully access the target media data stored in the second device comprises:获取所述第二设备发送的鉴权结果,根据所述鉴权结果确定是否访问成功;Obtain the authentication result sent by the second device, and determine whether the access is successful according to the authentication result;其中,若访问失败,所述鉴权结果包括:访问失败的提示信息以及访问失败原因。Wherein, if the access fails, the authentication result includes: prompt information of the access failure and reasons for the access failure.
- 一种访问控制方法,执行于第二设备,其特征在于,所述方法包括:An access control method, executed on a second device, characterized in that the method includes:获取第一设备发送的跨设备访问请求信息,若所述跨设备访问请求信息包括通过所述二次认证的认证账号,则对所述认证账号进行访问鉴权,以确定所述认证账号可访问的文件或文件夹以及对所述文件或文件夹的操作权限;Obtain cross-device access request information sent by the first device, and if the cross-device access request information includes an authentication account that has passed the secondary authentication, perform access authentication on the authentication account to determine that the authentication account can access files or folders and the operation permissions on said files or folders;其中,在确定所述第一设备请求访问的目标文件超出所述第一设备发送的账号信息对应的账号的访问权限时,鉴权失败,并根据所述鉴权结果将所述第一设备的访问结果反馈给所述第一设备。Wherein, when it is determined that the target file that the first device requests to access exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the first device's The access result is fed back to the first device.
- 根据权利要求9所述的方法,其特征在于,在第一设备对所述第二设备进行跨设备访问之前,还包括:The method according to claim 9, further comprising: before the first device performs cross-device access to the second device:配置可访问所述第二设备的媒体数据的设备账号和用户身份,以得到一个或多个的授权账号以及一个或多个授权身份标识;以及Configuring device accounts and user identities that can access the media data of the second device to obtain one or more authorized accounts and one or more authorized identities; and配置所述授权账号和授权身份标识可访问的媒体数据,并配置所述授权账号和授权身份标识对可访问的媒体数据的操作权限,所述操作权限包括只读权限或读写权限。Configure the media data accessible by the authorized account and the authorized identity, and configure the operation authority of the authorized account and the authorized identity on the accessible media data, the operation authority includes read-only authority or read-write authority.
- 根据权利要求10所述的方法,其特征在于,所述配置所述授权账号可访问的媒体数据包括:The method according to claim 10, wherein the configuring the media data accessible to the authorized account comprises:以单个媒体数据为粒度进行可访问权限配置;或者Configure access rights at the granularity of individual media data; or以媒体数据组为粒度进行可访问权限配置;Configure access rights at the granularity of media data groups;其中,所述单个媒体数据为单个文件,所述媒体数据组为单个文件夹。Wherein, the single media data is a single file, and the media data group is a single folder.
- 根据权利要求11所述的方法,其特征在于,若所述跨设备访问请求信息包括认证身份标识,则对所述认证账号进行访问鉴权,以确定所述认证身份标识可访问的文件或文件夹以及对所述文件或文件夹的操作权限;The method according to claim 11, wherein if the cross-device access request information includes an authentication identity, access authentication is performed on the authentication account to determine the files or files accessible by the authentication identity folders and the operating permissions on said files or folders;其中,在确定所述第一设备请求访问的目标文件超出所述第一设备发送的账号信息对应的账号的访问权限时,鉴权失败,并根据所述鉴权结果将所述第一设备的访问结果反馈给所述第一设备。Wherein, when it is determined that the target file that the first device requests to access exceeds the access authority of the account corresponding to the account information sent by the first device, the authentication fails, and the first device's The access result is fed back to the first device.
- 一种访问控制装置,其特征在于,所述装置包括:An access control device, characterized in that the device comprises:处理器和存储器,所述存储器用于存储至少一条指令,所述指令由所述处理器加载并执行时以实现如权利要求1-8中任意一项所述的跨设备访问控制方法或权利要求9-12中任意一项所述的访问控制方法。A processor and a memory, the memory is used to store at least one instruction, and when the instruction is loaded and executed by the processor, the cross-device access control method or claim according to any one of claims 1-8 can be realized The access control method described in any one of 9-12.
- 一种设备,其特征在于,所述设备包括权利要求13所述的访问控制装置。A device, characterized in that the device comprises the access control device according to claim 13.
- 一种计算机可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现如权利要求1-8中任意一项所述的跨设备访问控制方法或权利要求9-12中任意一项所述的访问控制方法。A computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed by a processor, the cross-device access control method or claim according to any one of claims 1-8 is implemented The access control method described in any one of 9-12.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110778214.1 | 2021-07-09 | ||
CN202110778214.1A CN115600236A (en) | 2021-07-09 | 2021-07-09 | Access control method and device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023280009A1 true WO2023280009A1 (en) | 2023-01-12 |
Family
ID=84801243
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/101766 WO2023280009A1 (en) | 2021-07-09 | 2022-06-28 | Access control method and apparatus, device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115600236A (en) |
WO (1) | WO2023280009A1 (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105518642A (en) * | 2013-08-20 | 2016-04-20 | 三星电子株式会社 | System, apparatus, and method for sharing electronic device |
CN107979571A (en) * | 2016-10-25 | 2018-05-01 | 中国移动通信有限公司研究院 | A kind of file uses processing method, terminal and server |
US10007779B1 (en) * | 2015-09-29 | 2018-06-26 | Amazon Technologies, Inc. | Methods and systems for gradual expiration of credentials |
US20180288041A1 (en) * | 2017-03-30 | 2018-10-04 | At&T Intellectual Property I, L.P. | Seamless Authentication Device |
-
2021
- 2021-07-09 CN CN202110778214.1A patent/CN115600236A/en active Pending
-
2022
- 2022-06-28 WO PCT/CN2022/101766 patent/WO2023280009A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105518642A (en) * | 2013-08-20 | 2016-04-20 | 三星电子株式会社 | System, apparatus, and method for sharing electronic device |
US10007779B1 (en) * | 2015-09-29 | 2018-06-26 | Amazon Technologies, Inc. | Methods and systems for gradual expiration of credentials |
CN107979571A (en) * | 2016-10-25 | 2018-05-01 | 中国移动通信有限公司研究院 | A kind of file uses processing method, terminal and server |
US20180288041A1 (en) * | 2017-03-30 | 2018-10-04 | At&T Intellectual Property I, L.P. | Seamless Authentication Device |
Also Published As
Publication number | Publication date |
---|---|
CN115600236A (en) | 2023-01-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11704393B2 (en) | Self-owned authentication and identity framework | |
US10541806B2 (en) | Authorizing account access via blinded identifiers | |
US10212143B2 (en) | Authorizing an untrusted client device for access on a content management system | |
US9596232B2 (en) | Managing sharing of wireless network login passwords | |
US11394715B2 (en) | Proxy authorization of a network device | |
US9571494B2 (en) | Authorization server and client apparatus, server cooperative system, and token management method | |
US20190268155A1 (en) | Method for Ensuring Terminal Security and Device | |
US11888856B2 (en) | Secure resource authorization for external identities using remote principal objects | |
US10237255B2 (en) | Data synchronizing system, control method thereof, authorization server, and storage medium thereof | |
WO2017143879A1 (en) | File permission management method and device | |
US11233800B2 (en) | Secure resource authorization for external identities using remote principal objects | |
CN105659558A (en) | Multiple resource servers with single, flexible, pluggable OAuth server and OAuth-protected RESTful OAuth consent management service, and mobile application single sign on OAuth service | |
JP2016535902A (en) | System for accessing data from multiple devices | |
US9971901B2 (en) | Content management apparatus and content management method | |
TW202018558A (en) | Method for authentication and authorization and authentication server using the same | |
CN112352411B (en) | Registration of the same domain with different cloud service networks | |
US12069177B2 (en) | Multi-level access distributed ledger system | |
US20230275886A1 (en) | Critical event triggers for continuous access evaluations during communication sessions | |
WO2023280009A1 (en) | Access control method and apparatus, device, and storage medium | |
US9479492B1 (en) | Authored injections of context that are resolved at authentication time | |
JP6154683B2 (en) | Computer system | |
CN115943623A (en) | Techniques for managing telephone number-based user accounts | |
WO2022252912A1 (en) | User data management method and related device | |
CN116112233A (en) | Identity authentication method, device, equipment and storage medium | |
KR20070067274A (en) | Method of managing password information via communication terminal and communication terminal and security management server of enabling the method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22836763 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 22836763 Country of ref document: EP Kind code of ref document: A1 |