Detailed description
Exemplary embodiments of the present invention are described below, including various details of the embodiments to aid understanding; these details should be regarded as merely exemplary. Accordingly, those skilled in the art will recognize that various modifications and changes can be made to the embodiments described herein without departing from the scope and spirit of the present invention.
In the embodiments, a financial system is taken as an example; however, the present invention can also be applied to any other suitable system that involves permissions.
Fig. 1 is a schematic diagram of a system 100 according to an embodiment of the present invention, in which temporary permission authorization is realized using P2P technology.
1. Establishing the user permission feature code and the user feature code
When user 101 logs into the system (as indicated by arrow 111), a permission feature code is generated from all the permissions the user currently holds; every permission the current user possesses can be confirmed from this permission feature code. The permission feature code is generated as follows: all permissions are sorted by id in ascending order, and the feature bit for a permission is 1 when the user possesses it and 0 otherwise. For example, if a financial system 150 has two permissions, 1 and 2, and user A possesses both, the initial permission feature code of user A is 11. The initial permission feature code is encrypted with a certain algorithm to produce the final permission feature code, which is returned to the user. Whenever the user's permissions change, or the set of permission types changes, the permission feature code is updated. At the same time, the login center generates a unique user feature code for the user (as indicated by arrow 112) from a series of user attributes, such as the user name, MAC address and IP address; the user's browser stores both this permission feature code and the user feature code.
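The feature-code construction described above, as an added example that is not part of the patent text: permission ids are sorted ascending and mapped to a bit string ("11" for a user holding both permissions 1 and 2 of the constructed two-permission system), and the user feature code is derived from the user name, MAC address and IP address. The text does not name its encryption algorithm, so this example stands in an HMAC-SHA256 tag under a constructed login-center key, which lets a client later verify that a code was issued by the login center; `SYSTEM_PERMISSION_IDS`, the key and the sample user attributes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example data: financial system 150 in the text has exactly two permissions, ids 1 and 2.
SYSTEM_PERMISSION_IDS = [1, 2]


def permission_feature_code(all_permission_ids, user_permission_ids):
    """Initial permission feature code: one character per permission id in ascending id order,
    '1' if the user holds that permission, '0' otherwise (so holding ids 1 and 2 gives '11')."""
    held = set(user_permission_ids)
    return "".join("1" if pid in held else "0" for pid in sorted(all_permission_ids))


def has_permission(feature_code, all_permission_ids, permission_id):
    """Read a single bit back out of a plaintext feature code; unknown ids or a code of the
    wrong length (stale after a change in permission types) never grant anything."""
    ordered = sorted(all_permission_ids)
    if permission_id not in ordered or len(feature_code) != len(ordered):
        return False
    return feature_code[ordered.index(permission_id)] == "1"


def seal(key, payload):
    """Stand-in (assumption) for the unspecified 'certain encryption algorithm': the payload plus an
    HMAC-SHA256 tag, so a recipient holding the key can check the login center issued it unmodified."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def user_feature_code(key, user_name, mac_address, ip_address):
    """Login center side: derive a unique user feature code from the attributes the text lists
    (user name, MAC, IP) and seal it. Hashing keeps the raw MAC/IP out of the code itself."""
    material = f"{user_name}|{mac_address}|{ip_address}".encode()
    return seal(key, hashlib.sha256(material).hexdigest())


def login(key, all_permission_ids, user):
    """What the login center returns and the browser stores at login (arrows 111 and 112).
    Calling this again after a permission change is the update the text requires."""
    return {
        "permission_feature_code": seal(key, permission_feature_code(all_permission_ids, user["permissions"])),
        "user_feature_code": user_feature_code(key, user["name"], user["mac"], user["ip"]),
    }


if __name__ == "__main__":
    # Constructed user A holding both permissions of the constructed system.
    key = b"constructed-login-center-key"
    user_a = {"name": "A", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "permissions": [1, 2]}
    print(permission_feature_code(SYSTEM_PERMISSION_IDS, user_a["permissions"]))  # 11
    print(login(key, SYSTEM_PERMISSION_IDS, user_a))
```

The length check in `has_permission` is the practical consequence of the update rule: a code issued before a new permission type was added has the wrong width, and treating it as a denial is safer than guessing which bit moved.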
2. Distributed storage of user permission feature codes and user feature codes
After successfully logging into the system, a user can obtain the permission identification codes of some of the other users. All permission feature codes are stored on the client's local machine in encrypted form. The number of permission and information feature codes of other users that each user can obtain is generated dynamically by a certain formula from the total number of users and the number of users who have logged in recently. Moreover, each identification table of other users obtained from the verification system overwrites the data obtained the previous time.
While obtaining the permission identification codes of other users, the user can also obtain a client server list that records the login status of other users; through the service provided by client server 160, the list of IPs of other users currently accessing the financial system can be obtained (as indicated by arrow 113). The client server list can be updated periodically.
3. When a user needs a temporary permission, the user can apply to other users who possess that permission
When user 101 needs a temporary permission, the client can apply to another user 102 who possesses the permission (also referred to as the actual permission user, real permission user, or rights holder) through the following steps:
a. Using the locally stored client server list address, fetch from client server 160 the list of IPs currently logged into financial system 150;
b. User 101 can initiate the application to other users in two ways: first, by designating a user, that is, directly entering the name of a user (for example user 102) and initiating the application directly using the login IP obtained for that user; second, by filtering the locally stored user permission feature codes to obtain the list of users who possess the permission, and selecting one of them to initiate the application. In addition, after selecting the permission, the applicant client 101 sends a string of verification codes identifying the permission, which is transmitted in encrypted form to the audit end (not shown).
c. When user 101 initiates the application (as indicated by arrow 113), the encrypted user feature code is sent to the rights holder; the owner's client decrypts it and authenticates the identity of the user. After the identity has been verified, the rights holder checks, using the locally stored permission feature code, whether it itself possesses the permission. After this check passes, the rights holder can choose whether to grant temporary authorization. Once authorization is granted (as indicated by arrow 115), a communication channel is established between applicant user 101 and rights holder 102 for transmitting data (as indicated by arrow 114).
4. The temporary permission user obtains data under the permission through the browser plug-in of the real permission user
After the communication channel is established, temporary permission user 101 can access all data under the permission through the client of real permission user 102 (as shown by arrows 114 and 116). The data are encrypted before being returned to temporary permission user 101; when real permission user 102 cancels the authorization, or when the client connection is disconnected, the permission terminates.
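The rights holder's side of step c and of section 4, as an added example that is not part of the patent text: the owner's client first verifies the applicant's user feature code, then checks its own permission feature code bit, then lets the owner decide, and only then opens a channel; data are served only over an open channel and only for the permission it was opened for, and revocation (cancelled authorization or a dropped connection) closes it. This example assumes the same HMAC-SHA256 stand-in for the text's unspecified encryption, a login-center key available to the rights holder's client, and a constructed two-permission system; the channel is modelled as an in-memory record rather than a real network connection.

```python
import hashlib
import hmac
import secrets

# Constructed: the two permissions of financial system 150, sorted ascending as in the text.
SYSTEM_PERMISSION_IDS = [1, 2]


def make_tag(key, payload):
    """HMAC-SHA256 tag standing in (assumption) for the text's unspecified encryption."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify_user_feature_code(key, sealed_code):
    """Owner-side authentication of step c: accept the code only if its tag is valid.
    Returns the applicant identifier on success, None otherwise. compare_digest keeps the
    comparison constant-time so the tag cannot be guessed byte by byte."""
    payload, sep, tag = sealed_code.rpartition(".")
    if not sep:
        return None
    return payload if hmac.compare_digest(tag, make_tag(key, payload)) else None


class RightsHolderClient:
    """State of rights holder 102's plug-in: its own (plaintext) permission feature code
    and the channels it has opened for temporary permission users."""

    def __init__(self, key, own_feature_code):
        self.key = key
        self.own_feature_code = own_feature_code
        self.channels = {}  # channel id -> {"user": applicant, "permission": id}

    def handle_request(self, sealed_user_code, permission_id, approve):
        """Returns a channel id when authorization is granted, else None. The order follows
        the text: authenticate the applicant, check the owner's own bit, then ask the owner."""
        applicant = verify_user_feature_code(self.key, sealed_user_code)
        if applicant is None:
            return None
        ordered = sorted(SYSTEM_PERMISSION_IDS)
        if permission_id not in ordered or self.own_feature_code[ordered.index(permission_id)] != "1":
            return None  # the owner cannot lend a permission it does not hold
        if not approve(applicant, permission_id):
            return None  # owner declined
        channel_id = secrets.token_hex(16)
        self.channels[channel_id] = {"user": applicant, "permission": permission_id}
        return channel_id

    def fetch(self, channel_id, permission_id):
        """Section 4: serve data only over an open channel, and only for the permission it was
        opened for. The rows are constructed placeholder data."""
        channel = self.channels.get(channel_id)
        if channel is None or channel["permission"] != permission_id:
            return None
        return {"permission": permission_id, "rows": ["record-A", "record-B"]}

    def revoke(self, channel_id):
        """Owner cancels the authorization or the connection drops: the channel and the
        temporary permission end. Returns True if a channel was actually closed."""
        return self.channels.pop(channel_id, None) is not None


if __name__ == "__main__":
    key = b"constructed-login-center-key"
    holder = RightsHolderClient(key, "11")
    applicant_code = "applicant-101." + make_tag(key, "applicant-101")
    ch = holder.handle_request(applicant_code, 2, lambda user, pid: True)
    print(holder.fetch(ch, 2))
    holder.revoke(ch)
    print(holder.fetch(ch, 2))  # None after revocation
```

Because every decision here runs on the rights holder's own client, the verification key and the permission bit it checks are only as trustworthy as that endpoint; a deployment would want the channel bound to the granting session so that a revoked channel id cannot be replayed, which is what the `pop` in `revoke` models.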
It can therefore be seen that the main tasks the browser plug-in installed on the client must complete include: a. retrieving the permission feature code list of some users from the server and storing it locally; b. obtaining the IP list address of each connected user and verifying it through a network request; c. obtaining over the network and decoding the related permissions and identity information of verified users, and checking the authenticity of the requesting user; d. establishing communication channels with other clients for transmitting data.
Fig. 2 is a flow chart of an authority acquiring method 200 according to an embodiment of the present invention. Method 200 includes: step 201, obtaining a user list from a user list server; step 202, sending a permission request message to the terminal associated with a user in the user list who possesses the permission; step 203, if the permission is granted, establishing a communication channel with that terminal; and step 204, obtaining data from that terminal via the communication channel.
In one embodiment, the user list includes user feature information and user permission information.
In one embodiment, the number of users in the user list is determined on the basis of the total number of users and the number of recently logged-in users.
In one embodiment, method 200 further includes obtaining from the user list server a user list composed of currently online users. In one embodiment, the user who possesses the permission is selected from the user list by designation or by screening.
In one embodiment, the permission request message includes a permission identifier and the identifier of the requesting user, and the terminal verifies the requesting user and grants the permission when the verification passes.
In one embodiment, method 200 further includes terminating the permission when the user cancels the authorization or disconnects.
Fig. 3 is a schematic block diagram of an authority acquiring device 300 according to an embodiment of the present invention. Authority acquiring device 300 includes: a user list acquisition module 301, configured to obtain a user list from a user list server; a permission request module 302, configured to send a permission request message to the terminal associated with a user in the user list who possesses the permission; a communication channel establishment module 303, configured to establish a communication channel with that terminal if the permission is granted; and a data acquisition module 304, configured to obtain data from that terminal via the communication channel.
In one embodiment, the user list includes user feature information and user permission information.
In one embodiment, the number of users in the user list is determined on the basis of the total number of users and the number of recently logged-in users.
In one embodiment, user list acquisition module 301 is further configured to obtain from the user list server a user list composed of currently online users.
In one embodiment, permission request module 302 is further configured to select the user who possesses the permission from the user list by designation or by screening.
In one embodiment, the permission request message includes a permission identifier and the identifier of the requesting user, and the terminal verifies the requesting user and grants the permission when the verification passes.
In one embodiment, authority acquiring device 300 further includes a termination module 305 (not shown), configured to terminate the permission when the user cancels the authorization or disconnects.
It should be noted that the foregoing is merely a preferred embodiment of the invention and its principles. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described here. Those skilled in the art can make various obvious changes, adjustments and substitutions without departing from the protection scope of the present invention. The scope of the present invention is defined by the following claims.