Disclosure of Invention
The embodiment of the invention provides an information access control method, an information access control device, computer equipment and a storage medium, and aims to improve the security of data access.
In order to solve the foregoing technical problem, an embodiment of the present application provides an information access control method, including:
receiving an information access request of a client, wherein the information access request comprises identity authentication information and information to be accessed;
verifying the identity verification information in the information access request based on a uniform identity authentication mechanism, and determining the identity information of the client;
determining a user group corresponding to the identity information as a target group, and acquiring authority information of the target group as target access authority;
and acquiring the authority requirement of the information to be accessed, performing cross scanning on each interface of the information to be accessed based on the target access authority and the authority requirement of the information to be accessed, and judging whether an unauthorized vulnerability exists in each interface of the information to be accessed.
Optionally, the unified identity authentication mechanism includes at least one of single-factor authentication, two-factor authentication, multi-cloud cross-domain identity authentication and information system authentication.
Optionally, the identity verification information is audio information and an SDK short message, the SDK short message further includes an initial verification code, the verifying the identity verification information in the information access request based on a unified identity authentication mechanism, and determining the identity information of the client includes:
performing voiceprint extraction on the audio information to obtain target voiceprint information;
comparing and verifying the target voiceprint information with each preset user voiceprint information to obtain a first verification result;
converting the audio information by adopting a voice text conversion mode to obtain a target text;
performing text analysis on the target text to obtain a current verification code;
carrying out consistency verification on the current verification code and the initial verification code to obtain a second verification result;
and if the first verification result and the second verification result are both verified, confirming that the verification result is verified.
Optionally, the cross-scanning each interface of the information to be accessed based on the target access permission and the permission requirement of the information to be accessed, and determining whether each interface of the information to be accessed has an unauthorized vulnerability includes:
determining the required authority of each interface in the information to be accessed as a first authority based on the authority requirement of the information to be accessed; performing intersection operation on the first authority and the target access authority, and taking an obtained result as a second authority;
taking the authority which does not belong to the second authority in the first authority as a third authority, and taking an interface corresponding to the third authority as an interface to be tested;
and adopting the identity information of the client to carry out access test on the interface to be tested and judging whether the unauthorized vulnerability exists.
In order to solve the above technical problem, an embodiment of the present application further provides an information access control apparatus, including:
the request receiving module is used for receiving an information access request of a client, wherein the information access request comprises identity authentication information and information to be accessed;
the identity verification module is used for verifying the identity verification information in the information access request based on a uniform identity authentication mechanism and determining the identity information of the client;
the authority determining module is used for determining a user group corresponding to the identity information as a target group, and acquiring authority information of the target group as a target access authority;
and the access control module is used for acquiring the authority requirement of the information to be accessed, performing cross scanning on each interface of the information to be accessed based on the target access authority and the authority requirement of the information to be accessed, and judging whether an unauthorized vulnerability exists in each interface of the information to be accessed.
Optionally, the identity authentication information is audio information and an SDK short message, the SDK short message further includes an initial authentication code, and the identity authentication module includes:
performing voiceprint extraction on the audio information to obtain target voiceprint information;
comparing and verifying the target voiceprint information with each preset user voiceprint information to obtain a first verification result;
converting the audio information by adopting a voice text conversion mode to obtain a target text;
performing text analysis on the target text to obtain a current verification code;
carrying out consistency verification on the current verification code and the initial verification code to obtain a second verification result;
and if the first verification result and the second verification result are both verified, confirming that the verification result is verified.
Optionally, the access control module includes:
the first permission determining unit is used for determining the required permission of each interface in the information to be accessed as a first permission based on the permission requirement of the information to be accessed;
the second permission determining unit is used for performing intersection operation on the first permission and the target access permission and taking the obtained result as a second permission;
the to-be-tested interface confirming unit is used for taking the authority which does not belong to the second authority in the first authority as a third authority and taking an interface corresponding to the third authority as a to-be-tested interface;
and the unauthorized detection control unit is used for performing access test on the interface to be tested by adopting the identity information of the client and judging whether an unauthorized vulnerability exists.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the information access control method when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above information access control method.
According to the information access control method, the information access control device, the computer equipment and the storage medium provided by the embodiment of the invention, the identity verification information in the information access request is verified based on a unified identity authentication mechanism by receiving the information access request of the client, the identity information of the client is determined, the user group corresponding to the identity information is determined to be used as a target group, the authority information of the target group is obtained to be used as a target access authority, the authority requirement of the information to be accessed is further obtained, each interface of the information to be accessed is subjected to cross scanning based on the target access authority and the authority requirement of the information to be accessed, whether the unauthorized access exists in each interface of the information to be accessed is judged, and the data access safety is ensured.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, as shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
The information access control method provided by the embodiment of the present application is executed by a server, and accordingly, an information access control device is provided in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. Any number of terminal devices, networks and servers may be provided according to implementation needs, and the terminal devices 101, 102 and 103 in this embodiment may specifically correspond to an application system in actual production.
Referring to fig. 2, fig. 2 shows an information access control method according to an embodiment of the present invention, which is detailed as follows:
S201: and receiving an information access request of a client, wherein the information access request comprises authentication information and information to be accessed.
S202: and verifying the identity verification information in the information access request based on a uniform identity authentication mechanism to determine the identity information of the client.
Optionally, the unified identity authentication mechanism includes at least one of single-factor authentication, two-factor authentication, multi-cloud cross-domain identity authentication and information system authentication.
In a specific optional implementation, in step S202, the identity verification information is audio information and an SDK short message, the SDK short message further includes an initial verification code, the identity verification information in the information access request is verified based on a unified identity authentication mechanism, and determining the identity information of the client includes:
performing voiceprint extraction on the audio information to obtain target voiceprint information;
comparing and verifying the target voiceprint information with each preset user voiceprint information to obtain a first verification result;
converting the audio information by adopting a voice text conversion mode to obtain a target text;
performing text analysis on the target text to obtain a current verification code;
carrying out consistency verification on the current verification code and the initial verification code to obtain a second verification result;
and if the first verification result and the second verification result are both verified, confirming that the verification result is verified.
Specifically, at the server, the voiceprint information of each user is stored in advance and used as preset authority voiceprint information. The similarity between the obtained target voiceprint information and each preset authority voiceprint information is calculated by a preset similarity calculation mode. If the similarity is greater than or equal to a preset similarity threshold value, the target voiceprint information is determined to be one of the preset authority voiceprint information, and the voiceprint verification result is determined to be verification passing; if the similarity is smaller than the preset similarity threshold value, the target voiceprint information is determined not to belong to any of the preset authority voiceprint information, and the voiceprint verification result is determined to be verification failure.
The preset similarity calculation mode includes, but is not limited to: cosine similarity, the k-nearest neighbor (kNN) classification algorithm, Manhattan distance, Hamming distance based on the SimHash algorithm, etc.
Further, the audio information is subjected to text conversion in a preset speech-to-text conversion mode to obtain a target text.
The preset text conversion mode may be implemented by a text conversion algorithm, or by a third-party tool, or by calling an Application Programming Interface (API), and may be selected according to actual requirements, which is not limited herein.
Further, a preset regular expression is adopted to carry out regular matching on the target text, and the current verification code contained in the target text is obtained.
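The two-result verification described in steps S202 and above (voiceprint similarity against preset voiceprints with a threshold, then a regular-expression extraction of the spoken code and a consistency check against the initial code), written out as an added Python example that is not part of the patent. The voiceprint extractor, the speech-to-text step, the 0.95 threshold, the 6-digit code format and all voiceprint vectors are constructed assumptions; the text leaves the transcription to an algorithm, tool or API, so it is passed in as a callable.

```python
import hmac
import math
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (not from the patent): preset user voiceprints, modelled
# here as short fixed-length embedding vectors produced by a voiceprint extractor.
PRESET_VOICEPRINTS: Dict[str, List[float]] = {
    "alice": [0.9, 0.1, 0.3, 0.0],
    "bob": [0.1, 0.8, 0.2, 0.4],
}
SIMILARITY_THRESHOLD = 0.95                          # assumed preset similarity threshold
CODE_PATTERN = re.compile(r"(?<!\d)(\d{6})(?!\d)")   # assumed: a 6-digit verification code


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """One of the preset similarity calculation modes named in the text."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def verify_voiceprint(target: List[float], presets: Dict[str, List[float]],
                      threshold: float) -> Tuple[bool, Optional[str]]:
    """First verification result: compare the target voiceprint with every preset
    voiceprint and pass only when the best match reaches the threshold."""
    best_user, best_sim = None, -1.0
    for user, preset in presets.items():
        sim = cosine_similarity(target, preset)
        if sim > best_sim:
            best_user, best_sim = user, sim
    if best_sim >= threshold:
        return True, best_user
    return False, None


def extract_code(target_text: str) -> Optional[str]:
    """Text analysis: speech-to-text output often separates spoken digits with
    spaces ("4 8 2 1 9 3"), so digit runs are joined before the regex match."""
    joined = re.sub(r"(?<=\d)\s+(?=\d)", "", target_text)
    match = CODE_PATTERN.search(joined)
    return match.group(1) if match else None


def verify_code(current: Optional[str], initial: str) -> bool:
    """Second verification result: consistency check, compared in constant time."""
    return current is not None and hmac.compare_digest(current, initial)


def authenticate(audio: object, initial_code: str,
                 extract_voiceprint: Callable[[object], List[float]],
                 transcribe: Callable[[object], str],
                 presets: Dict[str, List[float]] = PRESET_VOICEPRINTS,
                 threshold: float = SIMILARITY_THRESHOLD) -> Optional[str]:
    """Return the verified identity only if both results pass, otherwise None."""
    first_ok, user = verify_voiceprint(extract_voiceprint(audio), presets, threshold)
    current_code = extract_code(transcribe(audio))
    second_ok = verify_code(current_code, initial_code)
    return user if (first_ok and second_ok) else None


# Constructed stand-ins for the audio sample, the voiceprint extractor and the
# speech-to-text step; a real deployment would call the chosen engine or API here.
SAMPLE_AUDIO = {"voiceprint": [0.88, 0.12, 0.31, 0.02],
                "transcript": "my code is 4 8 2 1 9 3"}
UNKNOWN_AUDIO = {"voiceprint": [0.0, 0.0, 0.0, 1.0],
                 "transcript": "my code is 482193"}


def stub_extract_voiceprint(audio: dict) -> List[float]:
    return audio["voiceprint"]


def stub_transcribe(audio: dict) -> str:
    return audio["transcript"]


if __name__ == "__main__":
    print(authenticate(SAMPLE_AUDIO, "482193", stub_extract_voiceprint, stub_transcribe))   # alice
    print(authenticate(SAMPLE_AUDIO, "000000", stub_extract_voiceprint, stub_transcribe))   # None
    print(authenticate(UNKNOWN_AUDIO, "482193", stub_extract_voiceprint, stub_transcribe))  # None
```

Note that a matching code alone never authenticates: an unknown speaker who knows the code still fails the first result, and a known speaker with a stale code fails the second.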
S203: and determining a user group corresponding to the identity information as a target group, and acquiring the authority information of the target group as a target access authority.
S204: and acquiring the authority requirement of the information to be accessed, performing cross scanning on each interface of the information to be accessed based on the target access authority and the authority requirement of the information to be accessed, and judging whether each interface of the information to be accessed has an unauthorized vulnerability.
In a specific optional implementation, in step S204, based on the target access permission and the permission requirement of the information to be accessed, cross-scanning each interface of the information to be accessed, and determining whether each interface of the information to be accessed has an unauthorized vulnerability includes:
determining the required authority of each interface in the information to be accessed as a first authority based on the authority requirement of the information to be accessed; performing intersection operation on the first authority and the target access authority, and taking the obtained result as a second authority;
taking the authority which does not belong to the second authority in the first authority as a third authority, and taking an interface corresponding to the third authority as an interface to be tested;
and performing access test on the interface to be tested by adopting the identity information of the client to judge whether the unauthorized vulnerability exists.
Specifically, some interfaces may contain unknown data access security vulnerabilities. In this embodiment, before access is granted, the unauthorized-access vulnerabilities are cross-validated based on the target access authority and the authority requirement of the information to be accessed, so as to ensure the security of data access.
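The cross scan of step S204 (first authority = permissions each interface requires, second = its intersection with the target access authority, third = first minus second, then an access test with the client's own identity on the interfaces left over) as an added Python example that is not part of the patent. The group and permission names, the interface inventory and the in-memory handlers standing in for the real interfaces are constructed assumptions; one handler is deliberately missing its authorization check so the scan has something to find.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

# Constructed sample data (not from the patent): user groups, their permission sets,
# and the group each verified identity belongs to.
GROUP_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "auditor": frozenset({"read:report", "read:user"}),
    "admin": frozenset({"read:report", "read:user", "export:user", "admin:config"}),
}
USER_GROUPS: Dict[str, str] = {"alice": "auditor", "root": "admin"}


@dataclass(frozen=True)
class Interface:
    name: str
    required: FrozenSet[str]                    # permission requirement of this interface
    handler: Callable[[FrozenSet[str]], bool]   # True when the interface serves the request


def enforced(required: FrozenSet[str]) -> Callable[[FrozenSet[str]], bool]:
    """Correct handler: serves a caller only if it holds every required permission."""
    return lambda granted: required <= granted


def unenforced(_required: FrozenSet[str]) -> Callable[[FrozenSet[str]], bool]:
    """Constructed misconfigured handler: the authorization check is missing."""
    return lambda _granted: True


def target_access(identity: str) -> FrozenSet[str]:
    """S203: map the verified identity to its user group; the group's permissions
    are the target access authority."""
    return GROUP_PERMISSIONS[USER_GROUPS[identity]]


def cross_scan(interfaces: Iterable[Interface], access: FrozenSet[str]) -> Dict[str, dict]:
    """S204: for every interface the client is NOT fully entitled to, record the
    permissions it lacks (third authority) and whether an access test with the
    client's identity was nevertheless served, i.e. an unauthorized vulnerability."""
    findings: Dict[str, dict] = {}
    for itf in interfaces:
        first = itf.required            # first authority: what the interface requires
        second = first & access         # second authority: the part the client holds
        third = first - second          # third authority: what the client lacks
        if not third:
            continue                    # fully authorized; nothing unauthorized to test
        served = itf.handler(access)    # access test using the client's own identity
        findings[itf.name] = {"missing": third, "vulnerable": served}
    return findings


def vulnerable_interfaces(findings: Dict[str, dict]) -> List[str]:
    return sorted(name for name, f in findings.items() if f["vulnerable"])


# Constructed interface inventory; /api/admin/config deliberately lacks its check.
SAMPLE_INTERFACES = (
    Interface("/api/reports", frozenset({"read:report"}),
              enforced(frozenset({"read:report"}))),
    Interface("/api/users/export", frozenset({"read:user", "export:user"}),
              enforced(frozenset({"read:user", "export:user"}))),
    Interface("/api/admin/config", frozenset({"admin:config"}),
              unenforced(frozenset({"admin:config"}))),
)

if __name__ == "__main__":
    report = cross_scan(SAMPLE_INTERFACES, target_access("alice"))
    for name, finding in report.items():
        print(name, sorted(finding["missing"]),
              "VULNERABLE" if finding["vulnerable"] else "ok")
    print(vulnerable_interfaces(report))   # ['/api/admin/config']
```

Interfaces the client already satisfies are skipped on purpose: a served request there is expected behaviour, so only the third-authority interfaces can reveal a missing check.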
In the embodiment, by receiving an information access request of a client, identity verification information in the information access request is verified based on a unified identity authentication mechanism, identity information of the client is determined, a user group corresponding to the identity information is determined to be used as a target group, authority information of the target group is obtained to be used as target access authority, further authority requirements of information to be accessed are obtained, each interface of the information to be accessed is subjected to cross scanning based on the target access authority and the authority requirements of the information to be accessed, whether an unauthorized vulnerability exists in each interface of the information to be accessed is judged, and data access safety is ensured.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Fig. 3 shows a schematic block diagram of an information access control apparatus in one-to-one correspondence with the information access control methods of the above-described embodiments. As shown in fig. 3, the information access control apparatus includes a request receiving module 31, an authentication module 32, a right determining module 33, and an access control module 34. The functional modules are explained in detail as follows:
a request receiving module 31, configured to receive an information access request of a client, where the information access request includes authentication information and information to be accessed;
the identity verification module 32 is used for verifying the identity verification information in the information access request based on a unified identity authentication mechanism and determining the identity information of the client;
the authority determining module 33 is configured to determine a user group corresponding to the identity information as a target group, and acquire authority information of the target group as a target access authority;
and the access control module 34 is configured to obtain the permission requirement of the information to be accessed, perform cross scanning on each interface of the information to be accessed based on the target access permission and the permission requirement of the information to be accessed, and determine whether an unauthorized vulnerability exists in each interface of the information to be accessed.
Optionally, the authentication information is audio information and an SDK short message, the SDK short message further includes an initial authentication code, and the authentication module 32 includes:
performing voiceprint extraction on the audio information to obtain target voiceprint information;
comparing and verifying the target voiceprint information with each preset user voiceprint information to obtain a first verification result;
converting the audio information by adopting a voice text conversion mode to obtain a target text;
performing text analysis on the target text to obtain a current verification code;
carrying out consistency verification on the current verification code and the initial verification code to obtain a second verification result;
and if the first verification result and the second verification result are both verified, confirming that the verification result is verified.
Optionally, the access control module 34 comprises:
the first permission determining unit is used for determining the required permission of each interface in the information to be accessed as a first permission based on the permission requirement of the information to be accessed;
the second permission determining unit is used for performing intersection operation on the first permission and the target access permission and taking the obtained result as a second permission;
the to-be-tested interface confirming unit is used for taking the authority which does not belong to the second authority in the first authority as a third authority and taking an interface corresponding to the third authority as a to-be-tested interface;
and the unauthorized detection control unit is used for performing access test on the interface to be tested by adopting the identity information of the client and judging whether an unauthorized vulnerability exists.
For specific limitations of the information access control device, reference may be made to the above limitations of the information access control method, which are not described herein again. The modules in the information access control device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 4, fig. 4 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43 communicatively connected to each other via a system bus. It is noted that only the computer device 4 having the components memory 41, processor 42 and network interface 43 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to a preset or stored instruction, and the hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium, including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., an SD card), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing an operating system installed in the computer device 4 and various types of application software, such as program codes for controlling electronic files. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the program code stored in the memory 41 or process data, for example, execute the program code for data access.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing a communication connection between the computer device 4 and other electronic devices.
The present application provides yet another embodiment, which is to provide a computer-readable storage medium storing a data access program, which is executable by at least one processor to cause the at least one processor to perform the steps of the information access control method as described above.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.