Specific embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings. It is apparent that the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The embodiments of the present invention provide a service access method, apparatus, terminal and storage medium.
The embodiments of the present invention also provide a network system, which includes a resource access device suitable for a terminal (referred to as the first resource access device) and a resource access device suitable for an access control device (referred to as the second resource access device), both as provided by any embodiment of the present invention. The first resource access device may be integrated in a terminal such as a mobile phone or a tablet computer; the second resource access device may be integrated in an access control device such as a server. In addition, the system may include other equipment, for example a gateway.
With reference to Fig. 1a, an embodiment of the present invention provides a network system comprising a terminal 10, a gateway device 20, an access control device 30 and a resource server 40. The terminal 10 is connected via a network to the gateway device 20 and to the access control device 30 respectively, and the resource server 40 is connected to the gateway device 20 via the network.
The terminal 10 is equipped with a network access client. When the terminal 10 needs to access a resource, for example when it receives a resource access request, it sends an access ticket acquisition request to the network access client and receives the access ticket returned by the network access client; the network access client obtains the access ticket from the access control device 30 on the basis of the access ticket acquisition request. The terminal 10 then sends a connection establishment request carrying the access ticket to the gateway device 30 of the network. When the connection is successfully established, the terminal sends a resource access request to the gateway device 20 over that connection, so that the gateway device 20 forwards the resource access request to the resource server 40 in the network.
In addition, the terminal 10 may detect its own security state in real time through the network access client to obtain security state information, and send the security state information to the access control device 30 through the network access client, so that the access control device 30 determines from the security state information whether the security state of the terminal 10 is abnormal. When the access control device 30 determines that the security state of the terminal 10 is abnormal, it sends a connection interruption instruction to the gateway device 30, and the gateway device 30 interrupts all connections between the terminal 10 and the gateway device 30 according to the connection interruption instruction.
The example of Fig. 1a is one system architecture for implementing the embodiments of the present invention; the embodiments of the present invention are not limited to the system structure of Fig. 1a. The embodiments below are proposed on the basis of this system architecture.
These are described in detail below.
In this embodiment of the present invention, the description is given from the perspective of a resource access device, which may specifically be integrated in a terminal such as a mobile phone, a laptop or a tablet computer.
In one embodiment, a resource access method is provided. The method may be executed by the processor of the terminal; as shown in Fig. 1b, the specific flow of the resource access method may be as follows:
101. When a resource needs to be accessed, send an access ticket acquisition request to the network access client.
In one embodiment, the access ticket acquisition request may be sent to the network access client when a resource access request is received (at which point it can be determined that a resource needs to be accessed).
The resource access request may be triggered by an application in the terminal, for example by a browser. When the user operates the browser, the operation may trigger a corresponding resource access request, such as a code access request or an office (OA) resource access request. For example, the access ticket acquisition request may be sent to the network access client when a resource access request sent by an application process is received.
The access ticket acquisition request may carry service resource information, for example information on the resource that needs to be accessed.
The resource access method provided by the embodiments of the present invention may be implemented by a gateway proxy process or module in the terminal (i.e. a local gateway proxy process or module). For example, when a gateway proxy process such as SmartGateAgent (intelligent gateway agent) receives a resource access request, it may request an access ticket from the network access client; specifically, it may send an access ticket acquisition request to the network access client.
For example, with reference to Fig. 1c, when the gateway proxy process in the terminal receives a resource access request triggered by the browser, it may request an access ticket from a network access client such as an NGN (New Generation Network) client; specifically, it may send an access ticket acquisition request to the network access client.
In one embodiment, before accessing a resource, the terminal may also register with the access control device, so that the current terminal is bound to the user identity information and undergoes device standardization, which improves the security of resource access. For example, before a resource needs to be accessed, the method provided by the embodiments of the present invention may further include:
sending a device registration request to the access control device, the device registration request carrying user identity information and device identification information of the terminal;
when the registration succeeds, performing device standardization processing on the terminal through the network access client.
The user identity information may include an account and a password, such as the login account and password of the network access client.
Device standardization processing may include standardizing applications, firmware, the system and various interfaces; specifically, the device standardization processing may be set according to actual needs.
With reference to Fig. 1c, the terminal first registers with the access control device; after the registration passes, device standardization processing may be performed through the network access client, after which resource access may be realized through the gateway proxy process. For example, when the access control device receives a device registration request, it may parse the request to obtain the user identity information and the device information of the terminal, then verify the user identity information and, if the verification passes, bind the user identity information to the device identifier, completing the device registration. For example, the access control device may verify the user account through an account verification system.
In practical application, device registration may be realized in the process of the user logging in to the network access client, the device registration request being a login request. For example, when a new employee of an enterprise needs to access a resource, the employee first opens the network access client installed on the terminal and enters a user account and password to log in; the terminal thereby sends a login request to the access control device, the access control device verifies the user account and password carried in the request and, if the verification passes, returns login success information, whereupon the terminal can enter the network access client, as shown in Fig. 1d. When the verification passes, the access control device may bind the device identifier of the current terminal (such as the device ID) to the user identity information (such as the user name) and store the binding in a device list, namely the device baseline.
In one embodiment, the terminal may automatically trigger the running of, and the login to, the network access client, for example logging in to the network access client automatically on the basis of saved user identity information when the terminal boots. Specifically, the step "sending a device registration request to the access control device" comprises:
when the terminal boots, running the network access client in the background;
detecting whether the historical user identity information in the storage unit corresponding to the network access client has expired;
if not, extracting the historical user identity information from the storage unit;
automatically sending the device registration request to the access control device according to the historical user identity information.
For example, when the user switches on the terminal, the terminal automatically runs the NGN client in the background and detects whether the user identity information saved in the buffer storage unit of the NGN client (user identity information previously used to log in to the NGN client) has expired. If not, it may send a login request to the access control device, the login request carrying the device identification information of the terminal and the saved user identity information; the access control device verifies the user identity information and, if the verification passes, allows the login and binds the device information to the user identity information.
In one embodiment, when the historical user identity information has expired, the user identity information entered by the user may be obtained, and the device registration request is then sent to the access control device on the basis of the user identity information entered by the user; in this case the request carries the current device identification information of the terminal and the user identity information entered by the user.
For example, when the user switches on the terminal, the terminal automatically runs the NGN client in the background and detects whether the user identity information saved in the buffer storage unit of the NGN client (user identity information previously used to log in to the NGN client) has expired. If it has expired, the login interface of the NGN client is displayed, the user identity information entered by the user is obtained according to the user's input operation on the login interface, and a login request may then be sent to the access control device, the login request carrying the device information of the terminal and the user identity information entered by the user; the access control device verifies the user identity information and, if the verification passes, allows the login and binds the device identification information to the user identity information.
102. Receive the access ticket returned by the network access client, the access ticket being obtained by the network access client from the access control device on the basis of the access ticket acquisition request.
The access ticket is authentication information needed to access the resource, for example a password or similar information.
When the network access client receives the access ticket acquisition request, it may apply to the access control device for an access ticket for resource access. For example, the network access client may send an access ticket application request to the access control device, and the access control device may issue or send the corresponding access ticket to the network access client according to the access ticket application request.
After the network access client receives the access ticket issued by the access control device, it may return the access ticket to the gateway proxy process.
With reference to Fig. 1c, when a network access client such as the NGN client receives the access ticket acquisition request sent by the gateway proxy process, it may apply to the access control device for a resource access ticket. For example, the NGN client may send an access ticket application request to the access control device, and the access control device may issue or send the corresponding access ticket to the network access client according to the access ticket application request.
In one embodiment, the access control device may obtain request legality assessment information according to the access ticket application request, determine from the request legality assessment information whether the current resource access request is legal and, if it is legal, send or issue the access ticket to the terminal, for example to its network access client.
The request legality assessment information is reference information used to assess or determine whether the ticket application request is legal; it may include, for example, user identity information, device information of the terminal, process information and information on the resource that needs to be accessed.
The user identity information may include the user's login account, password, employee number, position, department and similar information. In addition, the user identity information may include the user's access permission information, access object information and so on.
The device information may include the device type, the binding information between the device and the user information, device standardization or initialization information and so on.
The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, for example the process identifier (PID), the process type and the security information of the process (such as whether it is dangerous, or its security level).
The information on the resource that needs to be accessed may include attribute information of the resource currently to be accessed, for example the resource name, resource address and resource size.
In the embodiments of the present invention, the request legality assessment information may be obtained in many ways. For example, the access ticket application request may carry the request legality assessment information, in which case the access control device may parse the access ticket application request to obtain the request legality assessment information.
In one embodiment, the access control device may also request the request legality assessment information from the terminal, for example when the access control device receives the access ticket
103. Send a connection establishment request carrying the access ticket to the gateway device of the network.
The network may be a local area network, i.e. a computer network interconnecting a small area, such as an internal network, for example an enterprise intranet.
A gateway is a computer system or device that provides data conversion services between multiple networks. A gateway device is the connector between different networks, namely the device that "negotiates" when data passes from one network to another. The gateway device may be a SmartGate (intelligent gateway), such as a borderless intelligent gateway.
In the embodiments of the present invention, after the gateway proxy process receives the resource access request and before the connection is established, an access ticket may be applied for through the network access client, and a connection with the gateway device is then established on the basis of the applied-for access ticket, for example a TCP (Transmission Control Protocol) connection.
In one embodiment, in order to improve the security of resource access, an encrypted connection or an encrypted tunnel may also be established.
After the gateway device receives the connection establishment request sent by the terminal, it may verify the access ticket carried in the request, for example by sending the access ticket to the access control device for verification; if the verification passes, the gateway device establishes the connection with the terminal.
104. When the connection is successfully established, send the resource access request to the gateway device over the connection, so that the gateway device forwards the resource access request to the resource server in the network.
For example, the resource access request of the application process may be forwarded to the gateway device over the connection. When the gateway proxy process in the terminal receives a resource access request sent by an application process (such as a browser), it may send an access ticket acquisition request to the NGN client; the NGN client may obtain an access ticket from the access control device on the basis of the access ticket acquisition request and return it to the gateway proxy process; the gateway proxy process may then establish a connection with the gateway device according to the access ticket and, when the connection is successfully established, send the resource access request to the gateway device over the connection.
For example, with reference to Fig. 1c, once an encrypted tunnel or connection has been established, the terminal may send a resource access request such as an office (OA) resource access request to the gateway device over it; after receiving the resource access request, the gateway device may forward it to the corresponding resource server in the intranet (such as the OA resource server), thereby realizing access to the intranet resource.
In one embodiment, from the side of the gateway device: the gateway device may receive a connection establishment request sent by the terminal, the connection establishment request carrying an access ticket; send a verification request carrying the access ticket to the access control device, so that the access control device verifies the access ticket; when the access ticket passes verification, establish a connection with the terminal according to the connection establishment request; receive, over the established connection, the resource access request sent by the terminal; and forward the resource access request to the resource server.
In one embodiment, to improve resource access security, the resource access request carries the access ticket; in this case the step "forwarding the resource access request to the resource server" may include:
sending a verification request carrying the access ticket to the access control device, so that the access control device verifies the access ticket;
when the access ticket passes verification, forwarding the resource access request to the resource server.
In one embodiment, in order to improve resource access security, a validity period may be set for the established connection. While the validity period of the connection has not been reached, the connection may be used to send resource access requests; once the validity period of the connection is reached, the connection is no longer used to send resource access requests. For example, the step "sending the resource access request to the gateway device over the connection" may include:
determining whether the validity period of the connection has been reached;
if not, sending the resource access request to the gateway device over the connection.
In one embodiment, when the validity period of the connection is reached, a new access ticket may be requested from the network access client again, a new connection is then established with the gateway device on the basis of the new access ticket, and the resource access request is forwarded to the gateway device over the new connection.
In one embodiment, in order to improve the security of resources, after the connection has been established the access ticket must be sent for verification on every resource access, and only when the verification passes does the gateway device forward the resource access request to the corresponding resource server.
For example, the resource access request may also carry the access ticket and service information. After receiving the resource access request, the gateway device may send the access ticket to the access control device for verification; if the verification passes, the gateway device may forward the resource access request to the corresponding resource server according to the service information.
In one embodiment, in order to improve the security of resources, the network access client may monitor the security state of the terminal in real time and send security state information to the access control device, so that the access control device determines from the security state information whether the security state of the terminal is abnormal. For example, the method provided by the embodiments of the present invention may further include:
detecting the security state of the terminal in real time through the network access client to obtain security state information;
sending the security state information to the access control device through the network access client, so that the access control device determines from the security state information whether the security state of the terminal is abnormal.
For example, with reference to Fig. 1c, the security state of the terminal may be detected in real time through a network access client such as the NGN client, and the security state information is then reported to the access control device in real time or periodically.
The security state information may include: heartbeat data; security data (such as trojan, patch and system log data); process information (such as process identifiers (PIDs) and process security levels); device information (such as device standardization information and device binding information); interface information (such as the security information of API interfaces and interface call information); resource access log information; and so on.
The access control device may determine the security state of the terminal in real time from the received security state information and, when it finds that the security state of the terminal is abnormal, notify the gateway device to interrupt all connections with the terminal, thereby improving the security of resource access.
For example, in one embodiment, when the access control device determines from the security state information that the security state of the terminal is abnormal, it may send a connection interruption instruction to the gateway device; the gateway device receives the connection interruption instruction sent by the access control device and interrupts all connections with the terminal according to the connection interruption instruction.
It can be seen from the above that in the embodiments of the present invention, when a resource needs to be accessed, an access ticket acquisition request is sent to the network access client; the access ticket returned by the network access client is received, the access ticket being obtained by the network access client from the access control device on the basis of the access ticket acquisition request; a connection establishment request carrying the access ticket is sent to the gateway device of the network; and when the connection is successfully established, the resource access request is sent to the gateway device over the connection, so that the gateway device forwards the resource access request to the resource server in the network. In this scheme all resource access requests are proxied by the gateway device, and the legal access of the terminal to the network is controlled through the issuance of access tickets, so that the terminal cannot access intranet resources directly and only trusted processes are allowed to access them. Even if the user terminal is attacked by a hacker, the hacking tools on the terminal cannot intrude on sensitive resources, which greatly improves resource security.
In addition, the embodiments of the present invention may report security state information to the access control device in real time; the access control device determines the security state of the terminal in real time and, if an abnormality is found, notifies the gateway device to interrupt all connections with the terminal, further improving resource security.
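The exchange described in steps 101 to 104 together with the gateway-side handling above (ticket verification against the access control device, the connection validity period, and connection interruption on an abnormal security state), as an added Python simulation that is not part of the patent: the four parties are modelled as in-process objects, and the HMAC-based ticket format, the validity period and ticket lifetime constants, the account store and the security-state fields are all constructed assumptions.

```python
import hashlib
import hmac
import json
from collections import namedtuple

# Constructed demo key: the access control device both issues and verifies tickets,
# so in the described system the key never has to leave it.
TICKET_KEY = b"constructed-demo-ticket-key"
CONNECTION_VALIDITY = 300   # assumed validity period of an established connection (seconds)
TICKET_TTL = 60             # assumed lifetime of an access ticket (seconds)
Ticket = namedtuple("Ticket", "user device_id resource expires_at mac")

class AccessControlDevice:
    """Registers devices, issues and verifies access tickets, judges reported security state."""

    def __init__(self, clock):
        self.clock = clock                        # injected time source (seconds)
        self.credentials = {"alice": "s3cret"}    # constructed account store
        self.device_list = {}                     # device_id -> user: the device baseline
        self.gateways = []                        # gateways that accept interruption instructions

    def register(self, user, password, device_id):
        # Device registration doubles as login: verify the account, then bind it to the device
        if self.credentials.get(user) != password:
            return False
        self.device_list[device_id] = user
        return True

    def _mac(self, user, device_id, resource, expires_at):
        msg = json.dumps([user, device_id, resource, expires_at]).encode()
        return hmac.new(TICKET_KEY, msg, hashlib.sha256).hexdigest()

    def issue_ticket(self, user, device_id, resource):
        if self.device_list.get(device_id) != user:   # only registered devices bound to this user
            return None
        exp = self.clock() + TICKET_TTL
        return Ticket(user, device_id, resource, exp, self._mac(user, device_id, resource, exp))

    def verify_ticket(self, ticket):
        expected = self._mac(ticket.user, ticket.device_id, ticket.resource, ticket.expires_at)
        return hmac.compare_digest(expected, ticket.mac) and self.clock() < ticket.expires_at

    def report_security_state(self, device_id, state):
        # Abnormal state -> connection interruption instruction to every gateway
        abnormal = bool(state.get("trojan_detected")) or not state.get("heartbeat_ok", True)
        for gateway in self.gateways if abnormal else []:
            gateway.interrupt(device_id)
        return abnormal

class GatewayDevice:
    """Proxies every resource request; only a terminal holding a valid ticket may connect."""

    def __init__(self, acd):
        self.acd, self.clock = acd, acd.clock
        self.connections = {}    # device_id -> (resource, valid_until)
        acd.gateways.append(self)

    def establish(self, ticket):
        # The connection request carries the ticket; the access control device verifies it
        if not self.acd.verify_ticket(ticket):
            return False
        self.connections[ticket.device_id] = (ticket.resource, self.clock() + CONNECTION_VALIDITY)
        return True

    def forward(self, device_id, resource):
        # Refused without a connection, once its validity period is reached, or for another resource
        conn = self.connections.get(device_id)
        return conn is not None and self.clock() < conn[1] and conn[0] == resource

    def interrupt(self, device_id):
        self.connections.pop(device_id, None)    # drop all connections of that terminal

def terminal_access(acd, gateway, user, device_id, resource, connected_until):
    """Terminal-side gateway proxy process: reuse the connection while its validity period lasts,
    otherwise obtain a new ticket (the access client hop is folded into issue_ticket) and reconnect."""
    if acd.clock() >= connected_until:
        ticket = acd.issue_ticket(user, device_id, resource)
        if ticket is None or not gateway.establish(ticket):
            return False, 0
        connected_until = acd.clock() + CONNECTION_VALIDITY
    return gateway.forward(device_id, resource), connected_until

def run_scenario():
    """Walk the flow once with a controllable clock and return each step's outcome."""
    now = [1000]
    acd = AccessControlDevice(lambda: now[0])
    gateway = GatewayDevice(acd)
    r = {"register_ok": acd.register("alice", "s3cret", "dev-1"),
         "register_bad_password": acd.register("alice", "wrong", "dev-2")}
    r["first_access"], until = terminal_access(acd, gateway, "alice", "dev-1", "oa.intranet", 0)
    r["unregistered_device_refused"] = acd.issue_ticket("alice", "dev-2", "oa.intranet") is None
    good = acd.issue_ticket("alice", "dev-1", "oa.intranet")
    r["forged_ticket_rejected"] = not gateway.establish(good._replace(resource="hr.intranet"))
    now[0] += CONNECTION_VALIDITY + 1                 # validity period of the connection reached
    r["stale_connection_rejected"] = not gateway.forward("dev-1", "oa.intranet")
    r["reconnect_with_new_ticket"], until = terminal_access(acd, gateway, "alice", "dev-1", "oa.intranet", until)
    r["abnormal_state_interrupts"] = acd.report_security_state("dev-1", {"trojan_detected": True})
    r["forward_after_interrupt"] = gateway.forward("dev-1", "oa.intranet")
    return r
```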
In this embodiment of the present invention, the description is given from the perspective of another resource access device, which may specifically be integrated in an access control device such as a server.
In one embodiment, a resource access method is provided. The method may be executed by the processor of the access control device; as shown in Fig. 2, the specific flow of the resource access method may be as follows:
201. Receive a ticket application request sent by the terminal.
The ticket application request may be sent by the network access client of the terminal; for example, when the network access client of the terminal receives the access ticket acquisition request sent by the gateway proxy process, it may send a ticket application request to the access control device.
202. Obtain request legality assessment information according to the ticket application request.
The request legality assessment information is reference information used to assess or determine whether the resource access request is legal; it may include, for example, user identity information, device information of the terminal, process information and information on the resource that needs to be accessed.
The user identity information may include the user's login account, password, employee number, position, department and similar information. In addition, the user identity information may include the user's access permission information, access object information and so on.
The device information may include the device type, the binding information between the device and the user information, device standardization or initialization information and so on.
The process information may include information on the processes currently running on the terminal and on the process that needs to access the resource, for example the process identifier (PID), the process type and the security information of the process (such as whether it is dangerous, or its security level).
The information on the resource that needs to be accessed may include attribute information of the resource currently to be accessed, for example the resource name, resource address and resource size.
In the embodiments of the present invention, the terminal may send the information to the access control device actively; for example, the ticket application request may carry the request legality assessment information, in which case the access control device may parse the request legality assessment information out of the ticket application request.
In one embodiment, the access control device may also obtain the request legality assessment information from the terminal when it receives the ticket application request.
203. Determine from the request legality assessment information whether the current resource access request is legal; if so, execute step 204; if not, refuse to issue the access ticket, and so on.
In one embodiment, the access control device may successively perform operations such as terminal security judgement, request process legality judgement, user identity verification and permission verification to determine whether the current ticket application request is legal.
For example, when the request legality assessment information includes process information, information on the resource to be accessed, device information and user identity information, the step "determining from the request legality assessment information whether the current ticket application request is legal" may include:
determining whether the terminal is safe according to the request legality assessment information;
if it is safe, determining whether the process currently accessing the resource is legal according to the process information;
if it is legal, verifying the identity of the current requesting user according to the user identity information;
if the verification passes, verifying the resource access permission of the current requesting user;
if the permission verification passes, determining that the current ticket application request is legal.
In one embodiment, the security level of the terminal may be obtained according to the request legality assessment information, and the terminal is determined to be safe when the security level is greater than a predetermined level.
In one embodiment, in order to improve the security of resource access, the heartbeat situation of the terminal and the resource access behaviour of the user may also be combined to determine whether the request is legal, which improves the accuracy of the request legality judgement. For example, the resource access method of the embodiments of the present invention may further include:
obtaining the resource access log of the requesting user sent by the terminal and the heartbeat data sent by the terminal;
in this case, the step "determining whether the terminal is safe according to the request legality assessment information" may include:
determining from the heartbeat data whether the heartbeat of the terminal is abnormal, to obtain a heartbeat abnormality result;
performing anomaly analysis on the resource access behaviour of the requesting user according to the resource access log, to obtain a behaviour anomaly analysis result;
obtaining the security level of the terminal according to the heartbeat abnormality result, the behaviour anomaly analysis result and the request legality assessment information;
when the security level is greater than the predetermined level, determining that the terminal is safe.
The heartbeat data may be reported by the terminal in real time or periodically; for example, after the terminal device has registered successfully and completed device standardization, it may report heartbeat data to the access control device in real time.
The resource access log of the requesting user may be obtained from a log storage system or from the terminal; the specific acquisition method may be set according to actual needs. For example, the terminal may also report resource access logs in real time after the device registration succeeds.
For example, in some scenarios the heartbeat data of the terminal stops being sent, i.e. the heartbeat is abnormal, yet the access control device receives a ticket request; it may then determine that the resource access is risky, determine that the request is illegal, and not issue the access ticket, so that the resource access is forbidden.
In another example, in some scenarios the access control device finds from the analysis of the access log that the requesting user is accessing resources from different places at the same time; it then determines that the current resource access is risky, determines that the request is illegal, and does not issue the access ticket, so that the resource access is forbidden.
In one embodiment, in order to improve the security of resource access, access tickets may also be issued only to registered devices. Since all registered devices appear in the device list, whether the current resource access is safe can be determined on the basis of whether the device list contains a device bound to the user. Specifically, the method of the embodiments of the present invention may further include:
List of devices is obtained, list of devices includes the equipment identification information and subscriber identity information mutually bound;
It determines that list of devices whether there is the equipment identification information with the binding of the subscriber identity information of request user, obtains equipmentDefinitive result;
At this point, step " according to heartbeat abnormal results, abnormal behavior analysis result and the legal assessment information of request, obtainsThe security level of terminal " may include:
According to equipment definitive result, heartbeat abnormal results, abnormal behavior analysis result and the legal assessment information of request, obtainTake the security level of terminal.
For example, in some scenes, when determining whether terminal is safe, it is also necessary to consider whether present terminal has carried outFacility registration can have the equipment identification information of terminal and the use of identification information binding if registration generally in list of devicesFamily identity information;Assuming that there is no the equipment identification informations with request subscriber identity information binding in list of devices, then at this point,It can determine that resource access is risky, the security level of terminal can be reduced, so that it is determined that request is illegal, do not issue access ticketResource is forbidden to access accordingly.
In one embodiment, to improve the security of resource access, when the access control apparatus determines whether the request is legitimate in order to issue an access ticket, it also needs to verify the resource access permission of the current requesting user. For example, even when the identity verification of the current requesting user passes, if the permission verification does not pass, no access ticket is issued and the resource access is prohibited. Specifically, the step "verifying the resource access permission of the current requesting user" may include:
obtaining attribute information of the current requesting user in a preset organizational structure and preset permission information of the resource to be accessed;
verifying the resource access permission of the current requesting user according to the attribute information and the preset permission information.
The preset organizational structure may be the most basic structure of the enterprise, such as its process operation, department setup and function planning.
The attribute information of the user in the organizational structure may include the department the user belongs to, the position the user holds, and so on.
In one embodiment, the permission information of the requesting user for the resource to be accessed may be obtained according to the attribute information of the requesting user in the preset organizational structure, and this permission information is matched against the preset permission information. If the match succeeds, the resource access permission verification of the current requesting user is determined to pass; otherwise it does not pass.
In one embodiment, to improve the flexibility of resource access, an access control policy for the resource to be accessed may be preconfigured (for example, specifying which employees may access it). In that case the permission verification may also verify the resource access permission of the current requesting user according to the user identity information of the current requesting user and the access control policy. For example, when the identity information of the requesting user is identity information specified by the access control policy, the permission verification is determined to pass; otherwise it does not pass.
In one embodiment, when the access control apparatus obtains the user identity information it may store it in a cache and set a validity period. When verifying the user identity, if the cached user identity information is still valid, identity verification is performed directly on the cached user identity information; if the cached user identity information has expired, the user identity information of the requesting user must be obtained again, for example by requiring the requesting user to re-enter the user account and password on the terminal side.
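The organizational-structure check, the per-resource access control policy and the cached identity with a validity period described above, as an added Python example that is not code from the original application. The organizational structure, the preset permission information, the policy, the user names and the validity period are all constructed for illustration; the application does not specify how any of them are stored.

```python
"""Added example: attribute-based permission verification against a preset
organizational structure, an optional per-resource access control policy,
and a cached user identity with a validity period.  Everything below is
constructed; nothing is taken from the original application."""
import time
from dataclasses import dataclass, field

# Constructed organizational structure: user -> attributes in the structure.
ORG_STRUCTURE = {
    "alice": {"department": "finance", "position": "manager"},
    "bob":   {"department": "engineering", "position": "engineer"},
}

# Constructed preset permission information: resource -> allowed attribute
# values (None means the attribute is not constrained for that resource).
RESOURCE_PERMISSIONS = {
    "oa://payroll": {"department": {"finance"}, "position": {"manager"}},
    "oa://wiki":    {"department": {"finance", "engineering"}, "position": None},
}

# Constructed access control policy: resource -> explicitly allowed users.
ACCESS_CONTROL_POLICY = {
    "oa://payroll": {"carol"},
}


def verify_resource_permission(user, resource):
    """Pass if the access control policy names the user for the resource, or if
    every constrained attribute of the user matches the preset permission info.
    Unknown users and unknown resources are denied (default deny)."""
    if user in ACCESS_CONTROL_POLICY.get(resource, set()):
        return True
    attrs = ORG_STRUCTURE.get(user)
    perms = RESOURCE_PERMISSIONS.get(resource)
    if attrs is None or perms is None:
        return False
    for key, allowed in perms.items():
        if allowed is not None and attrs.get(key) not in allowed:
            return False
    return True


@dataclass
class IdentityCache:
    """User identity information cached with a validity period (seconds)."""
    ttl_seconds: float
    _entries: dict = field(default_factory=dict)

    def put(self, user, identity_info, now=None):
        now = time.time() if now is None else now
        self._entries[user] = (identity_info, now + self.ttl_seconds)

    def get(self, user, now=None):
        """Return the cached identity info while it is valid; once the validity
        period has elapsed, drop it and return None so the caller re-authenticates."""
        now = time.time() if now is None else now
        entry = self._entries.get(user)
        if entry is None or now >= entry[1]:
            self._entries.pop(user, None)
            return None
        return entry[0]


if __name__ == "__main__":
    for user, resource in [("alice", "oa://payroll"), ("bob", "oa://payroll"),
                           ("bob", "oa://wiki"), ("carol", "oa://payroll")]:
        print(user, resource, verify_resource_permission(user, resource))
    cache = IdentityCache(ttl_seconds=300)
    cache.put("alice", {"account": "alice"}, now=1000)
    print(cache.get("alice", now=1100), cache.get("alice", now=1300))
```

The policy check runs first so that an explicit allow-list can grant access to a user whose department or position would otherwise not match; the attribute match is the default path. `get` deletes an expired entry rather than just ignoring it, so a stale identity cannot be revived by a later clock adjustment.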
204. Send the access ticket to the terminal.
Through the approach described above, the access control apparatus can determine whether the current ticket application request is legitimate. When it is determined to be legitimate, the access control apparatus obtains an access ticket and sends it to the network access client of the terminal, such as an NGN client.
205. Receive a verification request sent by the gateway device, the verification request carrying the access ticket.
When the network access client of the terminal receives the access ticket, it may return the access ticket to the gateway proxy process. The gateway proxy process may establish a connection or channel with the gateway device according to the access ticket; for example, the gateway proxy process may send a connection establishment request to the gateway device. When the connection is successfully established, the gateway proxy process may send a resource access request to the gateway device over that connection.
206. Verify the access ticket and send the ticket verification result to the gateway device.
When the gateway device receives the connection establishment request, it can parse out the access ticket carried by the request and send a verification request carrying the access ticket to the access control apparatus. When the access control apparatus receives the verification request, it verifies the access ticket, for example by checking whether the access ticket is legitimate (whether its validity period has expired, whether the access ticket was issued by the access control apparatus itself, and so on).
In one embodiment, the method for the present invention can also include:
Receive the facility registration request that terminal is sent, the equipment that facility registration request carries subscriber identity information and terminalIdentification information;
Subscriber identity information is verified;
If being verified, equipment identification information is bound with subscriber identity information, and update list of devices.
In practical application, facility registration can be accessed in client process in user's logging in network and be realized, facility registration is askedIt asks as logging request.For example, terminal can send logging request to access control apparatus, which carries user identityThe equipment identification information of information (account number cipher etc.) and terminal;Access control apparatus can test subscriber identity informationCard, for example user's login account password is verified by account number cipher system, if being verified, logging in network is allowed to connectEnter client, and equipment identification information and subscriber identity information are bound, and update list of devices, completes login and equipmentRegistration.
In one embodiment, to further improve the security of resource access, the security state information sent by the terminal may be received in real time, and whether the security state of the terminal is abnormal is determined from the security state information; if it is abnormal, a disconnection instruction is sent to the gateway device.
The security state information may include: heartbeat data, security data (such as trojan, patch and system log data), process information (such as process identifiers and process security levels), device information (such as device standardization information and device binding information), interface information (such as security information and call information of API interfaces), resource access log information, and so on.
The access control apparatus can determine the security state of the terminal in real time according to the received security state information. When it finds that the security state of the terminal is abnormal, it can notify the gateway device to break all connections with the terminal, improving the security of resource access.
As can be seen from the above, the embodiment of the present invention receives a ticket application request sent by the terminal; obtains request legitimacy evaluation information according to the ticket application request; determines whether the current ticket application request is legitimate according to the request legitimacy evaluation information; if legitimate, sends an access ticket to the terminal; receives a verification request sent by the gateway device, the verification request carrying the access ticket; and verifies the access ticket and sends the ticket verification result to the gateway device. This scheme proxies all resource access requests through the gateway device and controls which terminals may legitimately access the network by issuing access tickets, so that a terminal cannot directly access intranet resources, and only trusted processes are allowed to access intranet resources. In this way, even if a user terminal is compromised by an attacker, the attacker's tools on the terminal cannot intrude on sensitive resources, greatly improving resource security.
The method described in the above embodiment is described in further detail below by way of example.
In this embodiment, the first resource access apparatus is integrated in the terminal and the second resource access apparatus is integrated in the access control apparatus, to further illustrate the resource access method of the present invention.
Referring to the resource access system shown in Fig. 1a, the resource access system may include a terminal, a gateway device, an access control apparatus and a resource server.
The terminal is installed with a network access client (such as an NGN client), a gateway proxy process and a browser.
Referring to Fig. 3a and Fig. 3b, the resource access flow based on the above resource access system is as follows:
301. When the gateway proxy process receives a resource access request, it sends an access ticket acquisition request to the network access client.
For example, in one embodiment, when the gateway proxy process receives a resource access request (at which point it can determine that a resource needs to be accessed), the gateway proxy process sends an access ticket application request to the network access client.
The access ticket acquisition request may carry the current business information and the like.
Referring to Fig. 3c, when the gateway proxy process receives a resource access request triggered by the browser in the terminal, the gateway proxy process may request an access ticket from the network access client, such as an NGN (New Generation Network) client; specifically, it may send an access ticket acquisition request to the network access client.
In one embodiment, before accessing a resource the terminal may also register with the access control apparatus, so that the device identification information of the current terminal is bound to the user identity information, which further improves the security of resource access. For example, the method provided in the embodiment of the present invention may further include sending a device registration request to the access control apparatus before a resource needs to be accessed, the device registration request carrying user identity information and the device identification information of the terminal; when device registration succeeds, the terminal may perform device standardization processing through the network access client, such as an NGN client.
The user identity information may include an account and a password, such as the login account and password of the network access client.
For example, referring to Fig. 3c, the terminal first registers with the access control apparatus; after registration passes, resource access can be performed through the gateway proxy process. For example, when the access control apparatus receives the device registration request it can parse the request to obtain the user identity information and the device information of the terminal, then verify the user identity information; if the verification passes, it binds the user identity information to the device identification information, completing device registration. For example, the access control apparatus may verify the user account through an account verification system.
In practice, device registration can be performed when the user logs in to the network access client, with the device registration request serving as the login request. For example, when a new employee of an enterprise needs to access a resource, the employee first opens the network access client installed on the terminal and then enters a user account and password to log in to the network access client; that is, the terminal sends a login request to the access control apparatus, the access control apparatus verifies the user account and password carried by the request and, if the verification passes, returns a login success message, and the terminal can enter the network access client, as shown in Fig. 1d. When the verification passes, the access control apparatus can bind the device identifier of the current terminal (such as the device ID) to the user identity information (such as the user name) and store the binding in the device list, also called the device baseline.
In one embodiment, to improve resource security, the network access client may monitor the security state of the terminal in real time and send security state information to the access control apparatus, so that the access control apparatus determines from the security state information whether the security state of the terminal is abnormal.
For example, referring to Fig. 3c, the network access client may detect the security state of the terminal in real time to obtain security state information, and send the security state information to the access control apparatus in real time.
The security state information may include: heartbeat data, security data (such as trojan, patch and system log data), process information (such as process identifiers and process security levels), device information (such as device standardization information and device binding information), interface information (such as security information and usage information of API interfaces), and so on. For example, the network access client may monitor APIs through an API monitoring module and report the monitoring data.
The access control apparatus can determine the security state of the terminal in real time according to the received security state information. When it finds that the security state of the terminal is abnormal, it can notify the gateway device to break all connections with the terminal, improving the security of resource access. For example, it may send a disconnection instruction to the gateway device, and the gateway device breaks all connections with the terminal according to the disconnection instruction, ensuring the security of resources.
With reference to Fig. 3 c, access control apparatus is integrated with access control engine, and access control apparatus is held in the embodiment of the present inventionCapable operation can be realized by access control engine.The access control engine may include: heartbeat service module, security centre(SOC) module, security configuration module, equipment base line module and user behavior analysis module.
Wherein, heartbeat service module specifically, receives the heartbeat data of terminal real-time report for providing heartbeat service,And heartbeat data is responded.
Wherein, SOC module, for storing secure data, for example, the system log of equipment, resource access log, terminalProgress information, standardized information etc., and access behavioral data according to user resources and determine whether terminal abnormal etc..
Wherein, security configuration module, for configuring secure access strategy, such as configurating terminal safe condition for technical staffThe strategy of exception, the strategy for issuing access tickets, resource access authority, security level calculate vehicle etc..
Wherein, user behavior analysis module, for being divided according to resource access log the resource access behavior of userIt analyses (for example can be analyzed based on the secure data in SOC module), obtains behavioural analysis as a result, so that access control engine can be withAccording to the security level of the computing terminals such as behavioural analysis result, heartbeat abnormal results, the legal assessment information of request to confirm that endEnd equipment whether safety etc..
In one embodiment, access control apparatus can safety state information based on terminal real-time report and from safetyThe safety state information that system (such as SOC module) obtains, to determine the safe condition of terminal.
In one embodiment, access control engine can also include post-audit module, for obtaining business access logIf cloud disk access log (can obtain) from security system, the path of business access request is determined according to business access log,And judge whether business access request sends by gateway, if not, it is determined that business access is abnormal, can be set with notification gatewayStandby middle connection breaking, and reminding technology personnel.
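The post-audit module's check, as an added Python example that is not code from the original application. The log line format, the gateway device addresses and the log entries are constructed assumptions; the application does not specify what a business access log looks like. The check reconstructs the path of each access from the peer address the resource server recorded and flags accesses that never passed through a gateway device, together with the users whose connections the gateway device should then be told to break.

```python
"""Added example: post-audit of a business (cloud disk) access log to find
requests that bypassed the gateway device.  Log format, addresses and
entries are constructed; none of it is from the original application."""
import re
from collections import namedtuple

# Assumption: the addresses the resource servers see for the gateway devices.
GATEWAY_ADDRESSES = {"10.0.0.10", "10.0.0.11"}

# Assumption: one constructed line format; "peer" is the address that opened
# the connection to the resource server, so it reveals the request's path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) peer=(?P<peer>\S+)$"
)

Finding = namedtuple("Finding", "ts user resource peer reason")

# Constructed cloud-disk access log: the third line came straight from a
# workstation, not from a gateway; the fourth line is damaged.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z user=alice resource=clouddisk://q1-report.xlsx peer=10.0.0.10",
    "2024-03-01T09:00:07Z user=bob resource=clouddisk://design.docx peer=10.0.0.11",
    "2024-03-01T09:01:15Z user=bob resource=clouddisk://design.docx peer=10.3.7.42",
    "2024-03-01T09:02:00Z user=carol resource=clouddisk://notes.md",
]


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_access_log(lines, gateway_addresses=GATEWAY_ADDRESSES):
    """Flag business accesses whose path did not pass through a gateway device.
    Unparseable lines are reported as findings too: an audit that silently
    skips them would let a tampered log hide a direct access."""
    findings = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append(Finding(None, None, None, None, f"line {number}: unparseable"))
        elif rec["peer"] not in gateway_addresses:
            findings.append(Finding(rec["ts"], rec["user"], rec["resource"], rec["peer"],
                                    "business access did not pass through the gateway device"))
    return findings


def disconnect_targets(findings):
    """Users whose connections the gateway device should be instructed to break."""
    return sorted({f.user for f in findings if f.user is not None})


if __name__ == "__main__":
    findings = audit_access_log(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    print("notify gateway device to disconnect:", disconnect_targets(findings))
```

In a deployment the peer address would come from the resource server's own connection log rather than from a header, since headers can be set by whoever bypassed the gateway; the allow-list of gateway addresses is the one fact the audited party cannot forge.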
302. The network access client sends a ticket application request to the access control apparatus according to the access ticket acquisition request.
For example, the network access client may obtain the request legitimacy evaluation information according to the access ticket acquisition request, then generate a corresponding ticket application request according to the request legitimacy evaluation information and send the ticket application request to the access control apparatus.
303. The access control apparatus obtains the request legitimacy evaluation information according to the ticket application request.
For example, in one embodiment, when the ticket application request carries the request legitimacy evaluation information, the ticket application request may be parsed to obtain the request legitimacy evaluation information.
As another example, in one embodiment, the access control apparatus may also obtain the request legitimacy evaluation information from a security system or from the terminal according to the ticket application request. The security system may be located in the access control apparatus or may be implemented by other devices.
The request legitimacy evaluation information is reference information for evaluating or determining whether the ticket application request is legitimate; for example, it may include user identity information, device information of the terminal, process information, information about the resource to be accessed, and so on.
The user identity information may include the user's login account, password, employee number, position, department and similar information. In addition, the user identity information may also include the user's access permission information, access object information, and so on.
The device information may include the device type, the binding information between the device and the user information, device standardization or initialization information, and so on.
The process information may include the process information currently running on the terminal and the process information of the process that needs to access the resource, for example the process identifier, the process type and the security information of the process (such as whether it is dangerous, or its security level).
The information about the resource to be accessed may include the attribute information of the resource that currently needs to be accessed, for example the resource name, resource address and resource size.
304. The access control apparatus determines whether the current ticket application request is legitimate according to the request legitimacy evaluation information; if legitimate, step 305 is performed.
The access control apparatus issues an access ticket when it determines that the current ticket application request is legitimate, and refuses to issue an access ticket when the request is illegitimate.
In one embodiment, the access control apparatus may perform terminal security judgment, request process legitimacy judgment, user identity verification and permission verification in sequence to determine whether the current ticket application request is legitimate.
For example, when the request legitimacy evaluation information includes process information, information about the resource to be accessed, device information and user identity information, the access control apparatus determines whether the terminal is safe according to the request legitimacy evaluation information; if safe, it determines whether the process currently accessing the resource is legitimate according to the process information; if legitimate, it verifies the identity of the current requesting user according to the user identity information; if the verification passes, it verifies the resource access permission of the current requesting user; if that verification passes, the current ticket application request is determined to be legitimate.
For example, in one embodiment, to improve the security of resource access, the terminal heartbeat status, the device list binding status and the user's resource access behavior may also be combined to determine whether the request is legitimate, improving the accuracy of the legitimacy judgment. The access control apparatus may determine whether the heartbeat of the terminal is abnormal according to the heartbeat data, obtaining a heartbeat anomaly result; perform anomaly analysis on the resource access behavior of the requesting user according to the resource access log, obtaining a behavior anomaly analysis result; determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result; obtain the security level of the terminal according to the device determination result, the heartbeat anomaly result, the behavior anomaly analysis result and the request legitimacy evaluation information; and determine that the terminal is safe when the security level is greater than a preset level.
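The ordered legitimacy judgment of step 304, together with the security level computed from the device list, the heartbeat and the user's resource access behavior (the checks also described with the device list earlier, where a stale heartbeat, an impossible-travel pattern in the access log or an unbound device each make the request illegitimate on their own), as one added Python example that is not the application's own code. The deduction weights, the preset level, the heartbeat timeout, the travel window, the trusted process list, the device list, the account data and the sample request are all constructed assumptions.

```python
"""Added example: step 304 in order (terminal safe -> process trusted ->
identity -> permission), with the terminal security level derived from the
device determination result, the heartbeat anomaly result and the behaviour
anomaly result.  All thresholds, weights and data are constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

HEARTBEAT_TIMEOUT = timedelta(seconds=90)    # assumption
TRAVEL_WINDOW = timedelta(minutes=5)          # assumption
PRESET_LEVEL = 60                             # assumption: level must exceed this
TRUSTED_PROCESSES = {"ngn_gateway_proxy"}     # assumption: trusted process list
SALT = b"constructed-salt"

# Constructed device list (device baseline): bound (device id, user) pairs.
DEVICE_LIST = {("dev-7f3a", "alice"), ("dev-1c09", "bob")}
# Constructed account system: user -> salted password hash.
ACCOUNTS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}
# Constructed per-resource allow-lists (the preset permission information).
RESOURCE_PERMISSIONS = {"oa://payroll": {"alice"}, "oa://wiki": {"alice", "bob"}}

SAMPLE_NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def ago(seconds):
    return SAMPLE_NOW - timedelta(seconds=seconds)


def heartbeat_abnormal(last_heartbeat, now):
    """Heartbeat anomaly: the terminal has stopped reporting."""
    return now - last_heartbeat > HEARTBEAT_TIMEOUT


def behavior_abnormal(access_log):
    """Behaviour anomaly from the access log: the same user seen at two
    locations within TRAVEL_WINDOW (the 'different places at the same time' case)."""
    events = sorted(access_log, key=lambda e: e["time"])
    for i, first in enumerate(events):
        for later in events[i + 1:]:
            if later["time"] - first["time"] > TRAVEL_WINDOW:
                break
            if later["location"] != first["location"]:
                return True
    return False


def device_bound(device_id, user):
    """Device determination result: is this device bound to the requesting user?"""
    return (device_id, user) in DEVICE_LIST


def security_level(device_ok, heartbeat_ok, behavior_ok, standardized):
    """Deduct from 100 per negative signal.  Weights are chosen so that any one
    of the device, heartbeat or behaviour anomalies alone pulls the level to
    PRESET_LEVEL or below, which is how the text treats each of them."""
    level = 100
    if not device_ok:
        level -= 50
    if not heartbeat_ok:
        level -= 40
    if not behavior_ok:
        level -= 45
    if not standardized:
        level -= 15
    return max(level, 0)


def judge_ticket_request(req, now):
    """Returns (legitimate, reason); a ticket is issued only on (True, ...)."""
    level = security_level(
        device_bound(req["device_id"], req["user"]),
        not heartbeat_abnormal(req["last_heartbeat"], now),
        not behavior_abnormal(req["access_log"]),
        req["standardized"],
    )
    if level <= PRESET_LEVEL:
        return False, f"terminal unsafe (security level {level})"
    if req["process"] not in TRUSTED_PROCESSES:
        return False, "request process not trusted"
    digest = hashlib.sha256(SALT + req["password"].encode()).hexdigest()
    if ACCOUNTS.get(req["user"]) != digest:
        return False, "identity verification failed"
    if req["user"] not in RESOURCE_PERMISSIONS.get(req["resource"], set()):
        return False, "resource access permission denied"
    return True, "legitimate: issue access ticket"


def sample_request(**overrides):
    """Constructed ticket application request from a healthy, registered terminal."""
    req = {
        "user": "alice", "password": "correct horse",
        "device_id": "dev-7f3a", "standardized": True,
        "process": "ngn_gateway_proxy", "resource": "oa://payroll",
        "last_heartbeat": ago(10),
        "access_log": [{"time": ago(1800), "location": "shenzhen"},
                       {"time": ago(120), "location": "shenzhen"}],
    }
    req.update(overrides)
    return req


if __name__ == "__main__":
    print(judge_ticket_request(sample_request(), SAMPLE_NOW))
    print(judge_ticket_request(sample_request(process="unknown.exe"), SAMPLE_NOW))
    print(judge_ticket_request(sample_request(last_heartbeat=ago(600)), SAMPLE_NOW))
```

The order matters: terminal state and process are checked before credentials, so a compromised or unregistered device is refused without its password even being evaluated, and a request from a process outside the trusted list fails even when the user and permission are valid.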
The heartbeat data may be reported by the terminal in real time or periodically. For example, once the terminal device has registered successfully and completed device standardization, it may report heartbeat data to the access control apparatus in real time.
In one embodiment, the resource access permission verification may include: obtaining attribute information of the current requesting user in a preset organizational structure and preset permission information of the resource to be accessed; and verifying the resource access permission of the current requesting user according to the attribute information and the preset permission information.
The preset organizational structure may be the most basic structure of the enterprise, such as its process operation, department setup and function planning.
The attribute information of the user in the organizational structure may include the department the user belongs to, the position the user holds, and so on.
305. The access control apparatus sends the access ticket to the network access client.
Through the approach described above, the access control apparatus can determine whether the current ticket application request is legitimate. When it is determined to be legitimate, the access control apparatus obtains an access ticket and sends it to the network access client of the terminal, such as an NGN client.
306. The network access client returns the access ticket to the gateway proxy process.
307. The gateway proxy process sends a connection establishment request carrying the access ticket to the gateway device of the network.
The network may be a local area network, that is, a small-scale computer interconnection network such as an intranet, for example an enterprise intranet.
A gateway device is a computer system or device that provides data conversion services between multiple networks. The gateway device is the connector between different networks, the device through which data must be "negotiated" when it passes from one network to another. The gateway device may be a SmartGate (intelligent gateway), for example a borderless intelligent gateway.
In the embodiment of the present invention, after the gateway proxy process receives the resource access request and before it establishes the connection, it may apply for an access ticket through the network access client and then establish a connection with the gateway device based on the obtained access ticket, for example a TCP (Transmission Control Protocol) connection with the gateway device.
In one embodiment, to improve the security of resource access, an encrypted connection or encrypted channel may also be established; that is, the gateway proxy process sends an encrypted connection or channel establishment request to the gateway device.
308. The gateway device sends a verification request carrying the access ticket to the access control apparatus.
After the gateway device receives the connection establishment request sent by the gateway proxy process, it can verify the access ticket carried by the request, for example by sending the access ticket to the access control apparatus for verification; if the verification passes, the gateway device establishes the connection with the terminal.
309. The access control apparatus verifies the access ticket and sends the ticket verification result to the gateway device.
The ticket verification result may be "verification passed" or "verification failed".
310. When the ticket verification passes, the gateway device establishes the connection with the terminal.
For example, when the ticket verification passes, the gateway device may establish an encrypted channel with the terminal.
311. The gateway proxy process sends the resource access request to the gateway device through the established connection.
312. The gateway device forwards the resource access request to the resource server.
For example, referring to Fig. 3c, once the encrypted channel or connection is established, the terminal can send a resource access request, such as an office automation (OA) resource access request, to the gateway device over that channel or connection. After the gateway device receives the resource access request, it can forward it to the corresponding resource server in the intranet (such as an OA resource server), realizing access to the intranet resource.
In one embodiment, to improve resource security, after the connection is established the access ticket must be sent for verification on every resource access; only when the verification passes does the gateway device forward the resource access request to the corresponding resource server.
For example, the resource access request may also carry the access ticket and business information. After receiving the resource access request, the gateway device may send the access ticket to the access control apparatus for verification; if the verification passes, the gateway device forwards the resource access request to the corresponding resource server according to the business information.
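The ticket exchange of steps 204 to 206 and 305 to 312, including the per-request re-verification just described and the disconnection instruction, as an added simulation in Python that is not the application's own code. The ticket encoding (an HMAC over the user, device, process, business and an expiry time), the secret key, the integer clock, the resource server table and the sample terminal are assumptions; the application does not specify a ticket format, only that the access control apparatus checks whether the ticket is its own and whether its validity period has expired.

```python
"""Added example: the access control apparatus issues and verifies tickets,
and the gateway device establishes connections and forwards resource
requests only after a verification round trip.  Ticket format, key, clock
and data are constructed; nothing here is from the original application."""
import base64
import hashlib
import hmac
import json


class AccessControlApparatus:
    """Issues access tickets and verifies tickets presented by the gateway device."""

    def __init__(self, secret, ticket_lifetime=300):
        self._secret = secret             # assumption: per-apparatus HMAC key
        self._lifetime = ticket_lifetime  # assumption: validity period in seconds

    def issue_ticket(self, claims, now):
        """Step 204 / 305: bind user, device, process and business to an expiry."""
        payload = json.dumps(dict(claims, exp=now + self._lifetime), sort_keys=True).encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        return b".".join(base64.urlsafe_b64encode(p) for p in (payload, mac)).decode()

    def verify_ticket(self, ticket, now):
        """Step 206 / 309: was the ticket issued by us, and is it still valid?"""
        try:
            p64, m64 = ticket.split(".")
            payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
        except ValueError:
            return False, "malformed ticket"
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "ticket not issued by this access control apparatus"
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return False, "ticket validity period expired"
        return True, claims


class GatewayDevice:
    """Proxies all resource access; forwards only over ticket-verified connections."""

    def __init__(self, aca, resource_servers):
        self._aca = aca
        self._servers = resource_servers  # business -> resource server (constructed)
        self.connections = {}             # device id -> ticket claims

    def handle_connection_request(self, request, now):
        """Steps 308 to 310: verify the ticket with the apparatus before connecting."""
        ok, result = self._aca.verify_ticket(request["ticket"], now)
        if not ok:
            return {"status": "rejected", "reason": result}
        self.connections[result["device"]] = result
        return {"status": "connected"}

    def handle_resource_request(self, request, now):
        """Steps 311 and 312 with the per-request re-verification of the embodiment."""
        if request["device"] not in self.connections:
            return {"status": "rejected", "reason": "no established connection"}
        ok, result = self._aca.verify_ticket(request["ticket"], now)
        if not ok:
            return {"status": "rejected", "reason": result}
        if result["business"] != request["business"]:
            return {"status": "rejected", "reason": "ticket not issued for this business"}
        server = self._servers.get(request["business"])
        if server is None:
            return {"status": "rejected", "reason": "unknown business"}
        return {"status": "forwarded", "to": server, "path": request["path"]}

    def disconnect(self, device_id):
        """Disconnection instruction from the access control apparatus."""
        self.connections.pop(device_id, None)


def run_exchange(now=1_700_000_000):
    """Play the flow for a constructed terminal and return each reply by name."""
    aca = AccessControlApparatus(b"constructed-secret")
    gateway = GatewayDevice(aca, {"oa": "oa-resource-server"})
    claims = {"user": "alice", "device": "dev-7f3a",
              "process": "ngn_gateway_proxy", "business": "oa"}
    ticket = aca.issue_ticket(claims, now)  # 302 to 305, legitimacy already judged
    replies = {}
    replies["connect"] = gateway.handle_connection_request(
        {"device": "dev-7f3a", "ticket": ticket}, now + 1)
    replies["forward"] = gateway.handle_resource_request(
        {"device": "dev-7f3a", "ticket": ticket, "business": "oa", "path": "/reports/q1"}, now + 2)
    replies["wrong_business"] = gateway.handle_resource_request(
        {"device": "dev-7f3a", "ticket": ticket, "business": "hr", "path": "/"}, now + 3)
    forged = AccessControlApparatus(b"attacker-key").issue_ticket(claims, now)
    replies["forged"] = gateway.handle_connection_request(
        {"device": "dev-7f3a", "ticket": forged}, now + 4)
    replies["expired"] = gateway.handle_resource_request(
        {"device": "dev-7f3a", "ticket": ticket, "business": "oa", "path": "/"}, now + 400)
    gateway.disconnect("dev-7f3a")
    replies["after_disconnect"] = gateway.handle_resource_request(
        {"device": "dev-7f3a", "ticket": ticket, "business": "oa", "path": "/"}, now + 5)
    return replies


if __name__ == "__main__":
    for name, reply in run_exchange().items():
        print(f"{name:16s} {reply}")
```

The gateway device never inspects the ticket itself; every decision goes back to the apparatus that issued it, which is what lets the apparatus enforce the validity period and its own issuance on both the connection and on each later request. Binding the business name into the ticket keeps a ticket obtained for one resource from being replayed against another.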
With the scheme provided in the embodiment of the present invention, a new employee of the enterprise can install the NGN client, log in to it and complete device standardization, after which the employee can access the network and its resources; when resources are accessed, the access control apparatus issues access tickets based on the security state, and resource access is realized through the access tickets.
For an existing employee of the enterprise, each time the terminal (such as a computer) is started, the terminal can automatically run the NGN client, log in to it and complete device standardization, after which the network and its resources can be accessed.
With the scheme provided in the embodiment of the present invention, a terminal cannot directly access intranet resources such as enterprise resources; the terminal must have a network access client such as an NGN client installed, and all of the user's network requests are proxied through a gateway device such as an NGN intelligent gateway. This prevents an attacker from accessing internal resources with an unauthorized device. At the same time, the embodiment of the present invention allows only trusted processes to access sensitive resources, so even if a user's computer is compromised by an attacker, the attacker's tools on the computer cannot intrude on sensitive resources.
In addition, in the scheme provided in the embodiment of the present invention the terminal can detect the security state of the terminal device and report it to the access control apparatus; the access control apparatus merges and analyzes the security state data from each source to rate the security of the accessing device in real time and dynamically adjust the device's access permissions, further improving resource access security.
In addition, the scheme provided in the embodiment of the present invention takes "person + device + process" as its core; compared with traditional schemes based on "person + device", protection at process granularity is finer, more accurate and more secure.
To better implement the above method, the embodiment of the present invention further provides a resource access apparatus, which can be integrated in a device such as a terminal; the terminal may be a tablet computer, a laptop, a mobile phone, and so on.
For example, as shown in Fig. 4a, the resource access apparatus may include a ticket requesting unit 401, a ticket receiving unit 402, a connection unit 403 and an access unit 404, as follows:
The ticket requesting unit 401 is used to send an access ticket acquisition request to the network access client when a resource needs to be accessed.
The ticket receiving unit 402 is used to receive the access ticket returned by the network access client, the access ticket being obtained from the access control apparatus by the network access client based on the access ticket acquisition request.
The connection unit 403 is used to send a connection establishment request to the gateway device of the network, the connection establishment request carrying the access ticket.
The access unit 404 is used to send a resource access request to the gateway device based on the connection when the connection is successfully established, so that the gateway device forwards the resource access request to the resource server in the network.
In one embodiment, with reference to Fig. 4 b, which can also include safety detection unit 405;
Safety detection unit 405, can be used for:
By the safe condition of the network insertion client real-time detection terminal, safety state information is obtained;
Safety state information is sent to the access control apparatus by the network insertion client, so as to the accessControl equipment determines whether the safe condition of terminal is abnormal according to the safety state information.
In one embodiment, with reference to Fig. 4 c, which can also include registering unit 406;
Registering unit 406, can be used for: Xiang Suoshu access control apparatus sending device registration request, the facility registrationRequest carries the facility information of subscriber identity information and terminal;
Standard processing unit 407, for carrying out equipment standard to terminal by network insertion client when succeeding in registrationChange processing.
In one embodiment, the access unit 404 can specifically be used to:
determine whether the validity period of the connection has expired;
if not, send the resource access request to the gateway device based on the connection.
In one embodiment, the registration unit 406 can be used to:
run the network access client in the background when the terminal starts up;
detect whether the historical user identity information in the storage unit corresponding to the network access client has expired;
if not, extract the historical user identity information from the storage unit;
automatically send a device registration request to the access control apparatus according to the historical user identity information.
As can be seen from the above, in the embodiment of the present invention, when a resource needs to be accessed, the ticket requesting unit 401 sends an access ticket acquisition request to the network access client; the ticket receiving unit 402 receives the access ticket returned by the network access client, the access ticket being obtained from the access control apparatus by the network access client based on the access ticket acquisition request; the connection unit 403 sends a connection establishment request carrying the access ticket to the gateway device of the network; and, when the connection is successfully established, the access unit 404 sends the resource access request to the gateway device based on the connection, so that the gateway device forwards the resource access request to the resource server in the network. This scheme proxies all resource access requests through the gateway device and controls which terminals may legitimately access the network by issuing access tickets, so that a terminal cannot directly access intranet resources, and only trusted processes are allowed to access intranet resources. In this way, even if a user terminal is compromised by an attacker, the attacker's tools on the terminal cannot intrude on sensitive resources, greatly improving resource security.
In order to better implement the above method, an embodiment of the present invention further provides another resource access device, which may specifically be integrated in the gateway.
For example, as shown in Fig. 5a, the resource access device may include a receiving unit 501, a verification unit 502, a connection unit 503 and a forwarding unit 504, as follows:
A receiving unit 501, configured to receive a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket;
A verification unit 502, configured to send a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket;
A connection unit 503, configured to establish a connection with the terminal according to the connection establishment request when the access ticket passes verification;
A forwarding unit 504, configured to receive, over the established connection, a resource access request sent by the terminal, and to forward the resource access request to the resource server.
In one embodiment, with reference to Fig. 5b, the resource access device may further include a connection control unit 505;
The connection control unit 505 may be configured to:
Receive a disconnection instruction sent by the access control apparatus;
Disconnect all connections with the terminal according to the disconnection instruction.
In one embodiment, the resource access request carries the access ticket; the forwarding unit 504 may specifically be configured to:
Receive, over the established connection, the resource access request sent by the terminal;
Send a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket;
When the access ticket passes verification, forward the resource access request to the resource server.
From the foregoing, the resource access device provided in this embodiment of the present invention receives, through the receiving unit 501, a connection establishment request sent by a terminal, the connection establishment request carrying an access ticket; sends, through the verification unit 502, a verification request carrying the access ticket to the access control apparatus, so that the access control apparatus verifies the access ticket; establishes, through the connection unit 503, a connection with the terminal according to the connection establishment request when the access ticket passes verification; and receives, through the forwarding unit 504, the resource access request sent by the terminal over the established connection and forwards it to the resource server. In this scheme all resource access requests are proxied by the gateway, and which terminals may access the network is controlled by issuing access tickets, so that a terminal cannot access intranet resources directly and only trusted processes are allowed to reach intranet resources. Even if the user terminal is compromised, an attack tool on the terminal therefore cannot reach sensitive resources, which greatly improves resource security.
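The ticket exchange among terminal, gateway and access control apparatus described above (ticket acquisition, connection establishment carrying the ticket, the connection validity-period check before reuse, per-request re-verification by the gateway, and the disconnection instruction that tears down all of a terminal's connections), modelled in a single process as an added example that is not the patent's own code. The ticket format (a base64url JSON body with an HMAC-SHA256 tag under a key shared by the access control apparatus and nobody else), the ticket and connection lifetimes, and the use of a direct method call in place of the network access client are assumptions; the legality determination that precedes ticket issuance is left out here, so `issue_ticket` issues unconditionally.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional


class AccessControlApparatus:
    """Issues access tickets and answers the gateway's verification requests.
    Ticket format (assumption): base64url(JSON body) + "." + hex(HMAC-SHA256 tag)."""

    def __init__(self, key: bytes, ticket_ttl: float = 300.0):
        self._key = key
        self._ttl = ticket_ttl

    def issue_ticket(self, user: str, device: str, process: str,
                     resource: str, now: float) -> str:
        body = {"user": user, "device": device, "process": process,
                "resource": resource, "exp": now + self._ttl,
                "nonce": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + tag

    def verify_ticket(self, ticket: str, now: float,
                      resource: Optional[str] = None) -> bool:
        """Verification request from the gateway: tag, expiry and, for a
        resource access request, that the ticket was issued for that resource."""
        try:
            p64, tag = ticket.split(".", 1)
            payload = base64.urlsafe_b64decode(p64)
        except (ValueError, binascii.Error):
            return False
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or tampered ticket
        body = json.loads(payload)            # authentic, so safe to parse
        if body["exp"] <= now:
            return False
        return resource is None or body["resource"] == resource


class Gateway:
    """Proxies every resource access request. A connection is established only
    for a verified ticket, and the ticket carried by each request is verified
    again before the request is forwarded to the resource server."""

    def __init__(self, acs: AccessControlApparatus,
                 resource_server: Callable[[str], str], conn_ttl: float = 60.0):
        self._acs = acs
        self._serve = resource_server
        self._conn_ttl = conn_ttl
        self._conns: Dict[str, dict] = {}     # conn id -> {"terminal", "expires"}

    def establish_connection(self, terminal: str, ticket: str, now: float) -> Optional[str]:
        if not self._acs.verify_ticket(ticket, now):
            return None
        conn_id = secrets.token_hex(4)
        self._conns[conn_id] = {"terminal": terminal, "expires": now + self._conn_ttl}
        return conn_id

    def forward(self, conn_id: str, ticket: str, resource: str, now: float) -> Optional[str]:
        conn = self._conns.get(conn_id)
        if conn is None or conn["expires"] <= now:
            self._conns.pop(conn_id, None)    # torn down or past its validity period
            return None
        if not self._acs.verify_ticket(ticket, now, resource):
            return None
        return self._serve(resource)

    def disconnect(self, terminal: str) -> int:
        """Disconnection instruction from the access control apparatus:
        drop every connection of the terminal; returns how many were dropped."""
        dropped = [c for c, v in self._conns.items() if v["terminal"] == terminal]
        for c in dropped:
            del self._conns[c]
        return len(dropped)


class Terminal:
    """Terminal side: obtains a ticket for each access, reuses its connection
    while the validity period has not been reached and re-establishes it otherwise."""

    def __init__(self, terminal_id: str, user: str, acs: AccessControlApparatus,
                 gateway: Gateway, conn_ttl: float = 60.0):
        self.id, self.user = terminal_id, user
        self._acs, self._gw, self._conn_ttl = acs, gateway, conn_ttl
        self.conn_id: Optional[str] = None
        self._conn_expires = 0.0

    def access(self, process: str, resource: str, now: float) -> Optional[str]:
        ticket = self._acs.issue_ticket(self.user, self.id, process, resource, now)
        if self.conn_id is None or self._conn_expires <= now:
            self.conn_id = self._gw.establish_connection(self.id, ticket, now)
            if self.conn_id is None:
                return None
            self._conn_expires = now + self._conn_ttl
        return self._gw.forward(self.conn_id, ticket, resource, now)


def intranet_server(resource: str) -> str:
    """Constructed stand-in for the resource server behind the gateway."""
    return "content of " + resource
```

Because the gateway never accepts a request whose ticket fails verification at the access control apparatus, a tool on a compromised terminal that cannot obtain a ticket for its own process and resource gets nothing past the gateway, and a disconnection instruction invalidates every connection the terminal holds at once.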
In order to better implement the above method, an embodiment of the present invention further provides another resource access device, which may specifically be integrated in the access control apparatus.
For example, as shown in Fig. 6a, the resource access device may include a first receiving unit 601, an information acquisition unit 602, a determination unit 603, a ticket sending unit 604, a second receiving unit 605 and a ticket verification unit 606, as follows:
A first receiving unit 601, configured to receive a ticket application request sent by a terminal;
An information acquisition unit 602, configured to acquire request legality assessment information according to the ticket application request;
A determination unit 603, configured to determine, according to the request legality assessment information, whether the current resource access request is legal;
A ticket sending unit 604, configured to send an access ticket to the terminal when the determination unit determines that the current resource access request is legal;
A second receiving unit 605, configured to receive a verification request sent by the gateway, the verification request carrying the access ticket;
A ticket verification unit 606, configured to verify the access ticket and send the ticket verification result to the gateway.
In one embodiment, the request legality assessment information includes process information, information on the resource to be accessed, device information and the user identity information of the requesting user; with reference to Fig. 6b, the determination unit 603 may include:
A security determination subunit 6031, configured to determine whether the terminal is safe according to the request legality assessment information;
A process determination subunit 6032, configured to determine, according to the process information, whether the process currently accessing the resource is legal when the security determination subunit determines that the terminal is safe;
An identity verification subunit 6033, configured to verify the identity of the currently requesting user according to the user identity information when the process is determined to be legal;
A verification subunit 6034, configured to verify the resource access permission of the currently requesting user when the identity verification passes; if the verification passes, it is determined that the current ticket application request is legal.
In one embodiment, with reference to Fig. 6c, the resource access device may further include a data acquisition unit 607;
The data acquisition unit 607 is configured to acquire the resource access log of the requesting user and the heartbeat data sent by the terminal;
The security determination subunit 6031 is configured to:
Determine, according to the heartbeat data, whether the heartbeat of the terminal is abnormal, obtaining a heartbeat anomaly result;
Perform anomaly analysis on the resource access behavior of the requesting user according to the resource access log, obtaining an abnormal behavior analysis result;
Obtain the security level of the terminal according to the heartbeat anomaly result, the abnormal behavior analysis result and the request legality assessment information;
When the security level is greater than a predetermined level, determine that the terminal is safe.
In one embodiment, the security determination subunit 6031 is further configured to:
Obtain a device list, the device list including mutually bound device identification information and user identity information;
Determine whether the device list contains device identification information bound to the user identity information of the requesting user, obtaining a device determination result;
Obtain the security level of the terminal according to the device determination result, the heartbeat anomaly result, the abnormal behavior analysis result and the request legality assessment information.
In one embodiment, the verification subunit 6034 is configured to obtain, when the identity verification passes, the attribute information of the currently requesting user in a preset organizational structure and the preset access information of the resource to be accessed;
Verify the resource access permission of the currently requesting user according to the attribute information and the preset access information.
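The determination pipeline of units 603 and 607 described above (security level from the device determination result, the heartbeat anomaly result and the abnormal behavior analysis result; then process legality; then identity verification; then permission verification of the user's organizational attributes against the resource's preset access information), as an added example that is not the patent's own code. Everything concrete here is an assumption: the scoring weights and the predetermined level of 75, heartbeat anomaly as a gap larger than twice the expected interval, behavior anomaly as more than three denied requests or more than twenty distinct resources in an hour, process legality as a name plus executable hash on an allow list, user credentials as opaque secrets, and preset access information keyed by the longest matching resource prefix. Each stage returns a distinct reason so a rejected ticket application can be explained in the log.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TicketRequest:
    """Ticket application request with the request legality assessment
    information it yields: process, resource, device and user identity."""
    user: str
    credential: str      # user identity information (opaque secret; assumption)
    device_id: str       # device information
    process: str         # process information: name ...
    process_hash: str    # ... and hash of its executable (assumption)
    resource: str        # information on the resource to be accessed


@dataclass
class Policy:
    """State the access control apparatus consults (all constructed)."""
    credentials: Dict[str, str]                        # user -> secret
    trusted_processes: Dict[str, str]                  # process name -> expected hash
    device_list: Dict[str, str]                        # device id -> bound user
    org_attributes: Dict[str, Dict[str, str]]          # user -> attributes in the org structure
    resource_defaults: Dict[str, Dict[str, Set[str]]]  # resource prefix -> allowed attribute values
    predetermined_level: int = 75
    heartbeat_interval: float = 30.0


def heartbeat_abnormal(heartbeats: List[float], interval: float, now: float,
                       tolerance: float = 2.0) -> bool:
    """Abnormal if no heartbeat was seen, or any gap (including the gap
    since the last heartbeat) exceeds tolerance * expected interval."""
    if not heartbeats:
        return True
    gaps = [b - a for a, b in zip(heartbeats, heartbeats[1:])]
    gaps.append(now - heartbeats[-1])
    return max(gaps) > tolerance * interval


def behavior_abnormal(log: List[dict], user: str, now: float, window: float = 3600.0,
                      max_denied: int = 3, max_distinct: int = 20) -> bool:
    """Anomaly analysis of the user's recent resource access log: too many
    denied requests or too many distinct resources inside the window."""
    recent = [e for e in log if e["user"] == user and 0 <= now - e["ts"] <= window]
    denied = sum(1 for e in recent if e["status"] == "denied")
    distinct = len({e["resource"] for e in recent})
    return denied > max_denied or distinct > max_distinct


def security_level(device_bound: bool, hb_abnormal: bool, beh_abnormal: bool) -> int:
    """Combine the device determination result and the two anomaly results
    into a level; the weights are an assumption."""
    level = 100
    if not device_bound:
        level -= 50
    if hb_abnormal:
        level -= 30
    if beh_abnormal:
        level -= 30
    return max(level, 0)


def resource_rule(defaults: Dict[str, Dict[str, Set[str]]],
                  resource: str) -> Optional[Dict[str, Set[str]]]:
    """Preset access information for the resource: longest matching prefix, else None."""
    matches = [p for p in defaults if resource.startswith(p)]
    return defaults[max(matches, key=len)] if matches else None


def determine(req: TicketRequest, policy: Policy, heartbeats: List[float],
              log: List[dict], now: float) -> Tuple[bool, str]:
    # Security determination subunit: the terminal is safe only above the predetermined level
    device_bound = policy.device_list.get(req.device_id) == req.user
    level = security_level(device_bound,
                           heartbeat_abnormal(heartbeats, policy.heartbeat_interval, now),
                           behavior_abnormal(log, req.user, now))
    if not level > policy.predetermined_level:
        return False, "terminal not safe (security level %d)" % level
    # Process determination subunit: only a trusted process may reach intranet resources
    expected = policy.trusted_processes.get(req.process)
    if expected is None or not hmac.compare_digest(expected, req.process_hash):
        return False, "process not trusted"
    # Identity verification subunit
    stored = policy.credentials.get(req.user)
    if stored is None or not hmac.compare_digest(stored, req.credential):
        return False, "identity verification failed"
    # Verification subunit: organizational attributes against the resource's preset access info
    rule = resource_rule(policy.resource_defaults, req.resource)
    attrs = policy.org_attributes.get(req.user, {})
    if rule is None or any(attrs.get(k) not in allowed for k, allowed in rule.items()):
        return False, "no permission for resource"
    return True, "legal"
```

The order matters: the terminal's safety is settled before any credential is examined, so a device that is unbound or has stopped sending heartbeats never gets to exercise a stolen password, and a resource with no preset access information is denied rather than falling open.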
In one embodiment, with reference to Fig. 6d, the resource access device may further include a security processing unit 608;
The security processing unit 608 may specifically be configured to:
Receive, in real time, the security state information sent by the terminal;
Determine, according to the security state information, whether the security state of the terminal is abnormal;
If it is abnormal, send a disconnection instruction to the gateway.
In one embodiment, with reference to Fig. 6d, the resource access device may further include a registration unit 609;
The registration unit 609 may specifically be configured to:
Receive a device registration request sent by the terminal, the device registration request carrying user identity information and the device information of the terminal;
Verify the user identity information and, if the verification passes, bind the device identification information to the user identity information and update the device list.
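The registration unit 609 and security processing unit 608 described above, together with the boot-time behaviour of the terminal's registration unit (re-register from the stored historical user identity information only if it has not expired), as an added example that is not the patent's own code. The shape of the stored identity (user, credential, expiry), credentials as opaque per-user secrets, the rule that a device identifier is bound to one user at a time, and the fields of the security state report (`protection_running`, `rooted`, `debugger_attached`) are assumptions; the gateway is represented by the callable that receives the disconnection instruction.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class StoredIdentity:
    """Historical user identity information in the network access client's
    storage unit (assumed shape: user, credential and an expiry time)."""
    user: str
    credential: str
    expires_at: float


class AccessControlRegistry:
    """Registration unit and security processing unit on the access control side."""

    def __init__(self, credentials: Dict[str, str], send_disconnect: Callable[[str], None]):
        self._credentials = credentials            # user -> opaque secret (assumption)
        self._send_disconnect = send_disconnect    # path to the gateway
        self.device_list: Dict[str, str] = {}      # device id -> bound user

    def register_device(self, user: str, credential: str, device_id: str) -> str:
        """Device registration request: verify the identity, then bind the
        device identifier to the user and update the device list."""
        stored = self._credentials.get(user)
        if stored is None or not hmac.compare_digest(stored, credential):
            return "rejected: identity verification failed"
        bound = self.device_list.get(device_id)
        if bound is not None and bound != user:
            # assumption: one binding per device identifier; re-binding needs an explicit release
            return "rejected: device already bound to another user"
        self.device_list[device_id] = user
        return "registered"

    def on_security_state(self, device_id: str, state: dict) -> bool:
        """Real-time security state report from the terminal. Any failed check
        counts as an abnormal state and triggers a disconnection instruction."""
        abnormal = (not state.get("protection_running", False)
                    or state.get("rooted", False)
                    or state.get("debugger_attached", False))
        if abnormal:
            self._send_disconnect(device_id)
        return abnormal


def register_on_boot(storage: Optional[StoredIdentity], device_id: str,
                     registry: AccessControlRegistry, now: float) -> Optional[str]:
    """Network access client at boot: if the stored identity has not expired,
    use it to send the device registration request; otherwise do nothing and
    leave the user to authenticate again."""
    if storage is None or storage.expires_at <= now:
        return None
    return registry.register_device(storage.user, storage.credential, device_id)
```

The registration path and the security determination of the ticket flow share the device list, so a device that was never registered, or whose identifier is bound to a different user, lowers the security level of every ticket application it makes; the disconnection instruction closes the other direction, pulling an already connected terminal off the network as soon as its reported state degrades.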