A SaaS management system
Technical field
The invention belongs to the field of Internet technology, and more particularly relates to a SaaS management system.
Background art
SaaS is the abbreviation of Software-as-a-Service. With the development of Internet technology and the maturation of application software, it emerged at the start of the 21st century as a completely new software application model. It has a meaning similar to "on-demand software", application service provider (ASP) and hosted software. It is a model of providing software over the Internet: the vendor deploys the application software on its own servers, and customers order the application software services they need from the vendor over the Internet according to their actual requirements, pay the vendor according to the amount of service ordered and the length of time, and obtain the vendor's services over the Internet. Users no longer buy software; instead they rent Web-based software from the provider to manage their business operations, and they do not need to maintain the software, because the service provider manages and maintains it with full authority. While providing Internet applications to customers, the software vendor also provides offline operation and local data storage, so that users can use the software and services they ordered anytime and anywhere. For many small businesses, SaaS is the best way to adopt advanced technology, since it removes the need for the enterprise to purchase, build and maintain infrastructure and applications.
However, although the SaaS software-as-a-service model offers a high degree of convenience and greatly reduces cost, it carries a great data risk for the enterprises that use it: users' usage information is at risk of leakage.
Therefore, in view of the shortcomings of the above scheme in actual production and use, and after correction and improvement in a spirit of striving for excellence, with the aid of professional knowledge and experience and after much thought and experiment, the present invention was created. It provides a SaaS management system that encrypts the user's request information and performs a legitimacy check on the decryption process, avoiding leakage of the user's usage information.
Summary of the invention
The present invention proposes a SaaS management system that solves the problems of the prior art.
The technical solution of the invention is realized as follows: a SaaS management system comprising a view layer, a control layer, a service layer and a data layer.
The view layer controls the user-side page logic of each functional module of the management system and presents it to the user-side page in page format.
The control layer receives requests from the view layer, calls the service layer to complete the business logic processing, and finally forwards the result to the user-side page of each functional module.
The service layer calls the data of the data layer and completes the business logic processing as called by the control layer.
The data layer, comprising a database, LD and system files, stores user information and business data.
As a preferred embodiment, the view layer comprises a presentation layer and front-end components; the front-end components interact with the control layer and control the user-side page logic of the presentation layer, and the presentation layer displays the user-side page.
As a preferred embodiment, synchronous calls are used for control between the control layer and the presentation layer, and asynchronous calls are used for control between the control layer and the front-end components.
As a preferred embodiment, a first-level firewall is provided between the control layer and the presentation layer, a second-level firewall is provided between the service layer and the control layer, and a third-level firewall is provided between the service layer and the data layer.
As a preferred embodiment, the first-level firewall works as follows: after the user fills in a document at the view layer, the control layer on the one hand generates a random number and a working key from the user-filled document and produces a message digest; on the other hand it encrypts the sensitive fields of the document with the public key, then generates a signature file from the message digest with the private key, and packages the signature file and the document with encrypted sensitive fields for submission.
As a preferred embodiment, the third-level firewall decomposes the submitted encapsulated data into the signature file and the encrypted document and then verifies the serial number of the encrypted document; after verification passes, it returns the document-already-exists information, determines the user's permissions, and confirms that the user passes verification.
As a preferred embodiment, after the user looks up and decrypts a document through the control layer, the user sends a document modification request. On the one hand a message digest of the document is generated and a signature file is produced with the private key; on the other hand the sensitive fields are encrypted with the public key to produce the encrypted document. The signature file and the encrypted document generated from the original modification request are then encapsulated and submitted.
As a preferred embodiment, the third-level firewall's decomposition of the submitted encapsulated data into the signature file and the encrypted document includes calling web service decryption through the service layer and verifying in advance whether the web service is legitimate; if verification passes, the private key is called to decrypt the signature file and the public key is called to decrypt the sensitive fields.
As a preferred embodiment, when web service decryption is called through the service layer and the web service fails verification, an illegal-decryption error message is returned and the decryption process is terminated.
As a preferred embodiment, the user terminal and the server are each configured with a session key; when the user terminal and the server communicate, a session private key is generated in advance to encrypt the session, and the session private key is destroyed after the session between the two parties ends.
After adopting the above technical solution, the beneficial effects of the present invention are as follows. Confidentiality of stored data is achieved through database encryption; to preserve the runtime performance of the system platform, the platform encrypts data at sensitive-field granularity. The enterprise alliance's database is in effect kept in a bank safe-deposit box, and the key that opens the box comprises both a public key and a private key; this dual protection greatly strengthens the security of the data. Data transmitted between the different layers of the system is also encrypted, and web service technology is used to perform private-key decryption of the encapsulated data, with verification carried out before the web service decrypts, which ensures the security of the decryption process.
Description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a block diagram of the present invention;
Fig. 2 is a schematic diagram of the working principle of the first-level firewall;
Fig. 3 is a schematic diagram of the verification principle of the third-level firewall;
Fig. 4 is a schematic diagram of the principle by which a user modifies data;
Fig. 5 is a schematic diagram of the principle of calling web service decryption.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, the SaaS management system comprises a view layer, a control layer, a service layer and a data layer.
The view layer controls the user-side page logic of each functional module of the management system and presents it to the user-side page in page format.
The control layer receives requests from the view layer, calls the service layer to complete the business logic processing, and finally forwards the result to the user-side page of each functional module.
The service layer calls the data of the data layer and completes the business logic processing as called by the control layer.
The data layer, comprising a database, LD and system files, stores user information and business data.
In one embodiment, the view layer comprises a presentation layer and front-end components; the front-end components interact with the control layer and control the user-side page logic of the presentation layer, and the presentation layer displays the user-side page.
In one embodiment, synchronous calls are used for control between the control layer and the presentation layer, and asynchronous calls are used for control between the control layer and the front-end components. Between the control layer and the presentation layer a unified machine cycle is used to execute different instructions, with the same time interval and the same number of beats serving as the machine cycle. Between the control layer and the front-end components asynchronous call control is used: after the control layer issues a control signal for a micro-operation, the front-end component receives the control signal, completes the operation and sends back an "answer" or "end" signal, and then a new micro-operation begins.
In one embodiment, a first-level firewall is provided between the control layer and the presentation layer, a second-level firewall is provided between the service layer and the control layer, and a third-level firewall is provided between the service layer and the data layer.
In one embodiment, referring to Fig. 2, the first-level firewall works as follows: after the user fills in a document at the view layer, the control layer on the one hand generates a random number and a working key from the user-filled document and produces a message digest; on the other hand it encrypts the sensitive fields of the document with the public key, then generates a signature file from the message digest with the private key, and packages the signature file and the document with encrypted sensitive fields for submission.
In one embodiment, referring to Fig. 3, the third-level firewall decomposes the submitted encapsulated data into the signature file and the encrypted document and then verifies the serial number of the encrypted document; after verification passes, it returns the document-already-exists information, determines the user's permissions, and confirms that the user passes verification.
In one embodiment, referring to Fig. 4, after the user looks up and decrypts a document through the control layer, the user sends a document modification request. On the one hand a message digest of the document is generated and a signature file is produced with the private key; on the other hand the sensitive fields are encrypted with the public key to produce the encrypted document. The signature file and the encrypted document generated from the original modification request are then encapsulated and submitted.
In one embodiment, referring to Fig. 5, the third-level firewall's decomposition of the submitted encapsulated data into the signature file and the encrypted document includes calling web service decryption through the service layer and verifying in advance whether the web service is legitimate; if verification passes, the private key is called to decrypt the signature file and the public key is called to decrypt the sensitive fields.
In one embodiment, when web service decryption is called through the service layer and the web service fails verification, an illegal-decryption error message is returned and the decryption process is terminated. Web service technology is used to encapsulate the database decryption private key. To ensure that encrypted data can be shown to the relevant users through the platform, the private key and the decryption algorithm are encapsulated as a web service; a legitimate user can drive the platform to call the encapsulated web service, and after verification the decrypted data is returned to the legitimate user using security measures. The public service platform and each user of the platform have their own public/private key pair; the core company manages the public keys of all users, while a collaborating enterprise only needs to manage its own private key and the core company's public key. A user signs the data submitted to the platform with its private key and encrypts the data with the core company's public key. Let there be an enterprise alliance A on the industrial-chain collaboration public service platform P, and let the core company (core enterprise) of alliance A be A_c. Any collaborating enterprise A_i in alliance A carries out business collaboration with the core company A_c through the public service platform P and exchanges business-collaboration electronic information. Suppose enterprise X (X = A_c or X = A_i) submits a document M through platform P to enterprise Y (Y = A_c or Y = A_i), where M = Field_1 || Field_2 || … || Field_n. The public/private key pair of enterprise X is (PK_X, SK_X), the public/private key pair of enterprise Y is (PK_Y, SK_Y), D denotes the decryption operation, and the public/private key pair of the core company A_c is (PK_Ac, SK_Ac).
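The package, verify and decrypt steps of Figs. 2, 3 and 5 with the key roles described above (sender X signs with SK_X; sensitive fields are encrypted under PK_Ac and decrypted with SK_Ac behind a caller check), as an added example that is not part of the patent text. It assumes the Python `cryptography` package and uses RSA-OAEP and RSA-PSS because the patent names no algorithms. The function names, the envelope layout, computing the digest over the already-encrypted fields so that the platform can verify without plaintext, and leaving out the working key are all assumptions of this example.

```python
import hashlib, json, os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

def digest(serial, nonce, fields):
    # Canonical JSON so that sender and verifier hash identical bytes.
    body = json.dumps({"serial": serial, "nonce": nonce, "fields": fields}, sort_keys=True)
    return hashlib.sha256(body.encode()).digest()

def package(doc, serial, sensitive, sender_sk, core_pk):
    """First-level firewall: encrypt sensitive fields with PK_Ac, sign with SK_X."""
    fields = {k: core_pk.encrypt(v.encode(), OAEP).hex() if k in sensitive else v
              for k, v in doc.items()}
    nonce = os.urandom(16).hex()  # random number bound into the digest
    sig = sender_sk.sign(digest(serial, nonce, fields), PSS, hashes.SHA256())
    return {"serial": serial, "nonce": nonce, "fields": fields, "signature": sig.hex()}

def verify(env, sender_pk, seen_serials):
    """Third-level firewall: split the envelope, check serial number, then signature."""
    if env["serial"] in seen_serials:
        return "document already exists"
    try:
        sender_pk.verify(bytes.fromhex(env["signature"]),
                         digest(env["serial"], env["nonce"], env["fields"]),
                         PSS, hashes.SHA256())
    except InvalidSignature:
        return "invalid signature"
    seen_serials.add(env["serial"])
    return "ok"

def decrypt_service(env, sensitive, caller, authorized, core_sk):
    """Web-service decryption: reject an unverified caller before using SK_Ac."""
    if caller not in authorized:
        raise PermissionError("illegal decryption request")
    return {k: core_sk.decrypt(bytes.fromhex(v), OAEP).decode() if k in sensitive else v
            for k, v in env["fields"].items()}

def new_keypair():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

if __name__ == "__main__":
    # Constructed keys and document, for illustration only.
    sk_x, sk_ac = new_keypair(), new_keypair()
    doc = {"order_id": "PO-1001", "price": "4200.00", "customer": "Example Co"}
    env = package(doc, "SN-0001", {"price", "customer"}, sk_x, sk_ac.public_key())
    seen = set()
    print(verify(env, sk_x.public_key(), seen))   # first submission
    print(verify(env, sk_x.public_key(), seen))   # same serial number again
    print(decrypt_service(env, {"price", "customer"}, "enterprise-Y", {"enterprise-Y"}, sk_ac))
```

RSA-OAEP with a 2048-bit key and SHA-256 accepts at most 190 bytes per field, so longer fields need hybrid encryption (a random symmetric key wrapped under PK_Ac).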
In one embodiment, the user terminal and the server are each configured with a session key; when the user terminal and the server communicate, a session private key is generated in advance to encrypt the session, and the session private key is destroyed after the session between the two parties ends.
The management system achieves confidentiality of stored data through database encryption; to preserve the runtime performance of the system platform, the platform encrypts data at sensitive-field granularity. The enterprise alliance's database is in effect kept in a bank safe-deposit box, and the key that opens the box comprises both a public key and a private key; this dual protection greatly strengthens the security of the data. Data transmitted between the different layers of the system is also encrypted, and web service technology is used to perform private-key decryption of the encapsulated data, with verification carried out before the web service decrypts, which ensures the security of the decryption process. Based on the above scheme, the management system mainly achieves the following advantages.
Confidentiality of storage: on the industrial-chain collaboration SaaS platform, data is stored with the sensitive fields of enterprise data encrypted, and the decryption key is the core company's private key; the platform ensures that only legitimate users can call the core company's web service to decrypt encrypted data. In addition, whether during data decryption, modification or signature verification, the platform cannot obtain the plaintext of the encrypted data.
Confidentiality of transmission: whether data travels from an enterprise to the platform or from the platform to an enterprise, what is transmitted is always encrypted data, and only the core company holds the decryption key. Only enterprise users authorized by the core company can call the web service to decrypt the data; anyone else who intercepts the transmitted data can hardly obtain its plaintext, which ensures the confidentiality of data transmission.
Integrity of data: any tampering with data during transmission can be detected by verification, which ensures the integrity of the data.
Non-repudiation of transmission: digital signature technology ensures that the sending of data cannot be repudiated.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall be included in the scope of protection of the present invention.