Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
A communication method provided by the embodiment of the present application is described in detail below. Referring to fig. 1, fig. 1 is a flowchart of a communication method according to an embodiment of the present application. The method is applied to the gateway, and the communication method provided by the embodiment of the application can comprise the following steps.
Step 110, receiving a service message sent by a client, wherein the service message comprises a source address;
specifically, after the user terminal passes the login authentication of the controller, it wants to access a service resource in the network. The user terminal generates a service message that includes a source address, which may specifically be an IP address.
After the user terminal generates the service message, the service message is sent to the gateway through the client. And the gateway receives the service message sent by the client and acquires the source address from the service message.
In the embodiment of the application, the service message also comprises the user token and the identification of the service resource accessed by the user terminal.
In the login authentication process of the user terminal, the controller first identifies the authentication mode of the user terminal. After the user terminal passes the authentication, the controller feeds back an authentication result to the client. At the same time, the controller also generates a user token (specifically, in character string format) for the user terminal, where the user token is used to uniquely identify one user terminal.
The controller also sends a user online notification to the gateway, where the user online notification includes at least one address in the user terminal, a class label corresponding to each address, an online mode, a user token, and authorized resource information, so that the gateway generates various types of relationship entries, for example, a user online entry, a mapping relationship entry, a binding relationship entry, and an authorized resource entry.
Of course, the controller itself also locally establishes a user presence entry matched with the user terminal, and the user presence entry may store presence information of the user terminal, for example, a presence mode of the user terminal, a user token, a login address, a presence time, and so on.
The process of the controller sending a user online notification to the gateway and the gateway generating various types of relationship entries is described in the subsequent embodiments and will not be repeated here.
Step 120, if the user terminal where the client is located is online in a transparent mode, searching whether a mapping relation table item matched with the source address exists in a mapping relation table according to the source address;
specifically, according to the description of step 110, after the gateway obtains the source address and the user token from the service message, the gateway searches the local user online table by using the user token. If a user online entry matched with the user token exists in the user online table, the gateway determines that the user terminal is an online user.
Meanwhile, the gateway acquires the online mode identifier from the user online entry. If the online mode identifier is a first value (for example, the first value is 1), the gateway determines that the online mode of the user terminal is a transparent mode.
After the gateway determines that the online mode of the user terminal is a transparent mode, the gateway searches whether a mapping relation table item matched with the source address exists in a local mapping relation table by utilizing the source address.
If there is no mapping table entry in the mapping table that matches the source address, the gateway performs step 130.
Optionally, if the mapping relation table has a mapping relation table item matched with the source address, the gateway judges whether the service resource accessed by the user terminal is authorized to be accessed; if the service resource accessed by the user terminal is authorized to be accessed, the gateway forwards the service message to the service resource.
Optionally, if the mapping relation table has a mapping relation table item matched with the source address, the specific process of judging whether the service resource accessed by the user terminal is authorized to be accessed by the gateway is as follows:
if the mapping relation table has the mapping relation table item matched with the source address, the gateway searches whether the local authorized resource table has the authorized resource table item matched with the source address or not by utilizing the source address; if the authorized resource list item exists, the gateway acquires authorized resource information included in the authorized resource list item; when the authorized resource information includes an identification of a service resource accessed by the user terminal, the gateway determines that the service resource accessed by the user terminal is authorized to be accessed.
It can be understood that after the gateway determines that the mapping relation table item matched with the source address exists in the mapping relation table, the gateway can use the source address to search when searching the authorized resource table, and can also use the user token to search. The user token may be obtained from the service message in step 110, or the user token may be obtained from a mapping table.
Step 130, if the mapping relation table item does not exist, searching whether a binding relation table item matched with the source address exists in a binding relation table according to the source address;
specifically, according to the description of step 120, if the gateway determines that no mapping relationship table entry matching the source address exists in the mapping relationship table, the gateway searches, according to the source address, whether a binding relationship table entry matching the source address exists in the local binding relationship table.
If there is a binding table entry in the binding table that matches the source address, the gateway performs step 140.
Optionally, if the binding relation table item matched with the source address does not exist in the binding relation table, the gateway discards the service message and prevents the user terminal from accessing the service resource subsequently.
Step 140, if the binding relation table item exists, judging whether the service resource accessed by the user terminal is authorized to be accessed;
specifically, according to the description of step 130, if the gateway determines that the binding relationship table entry matching the source address exists in the binding relationship table, the gateway determines whether the service resource accessed by the user terminal is authorized to be accessed.
If the service resource accessed by the user terminal is authorized to be accessed, the gateway performs step 150.
Optionally, if the service resource accessed by the user terminal is not authorized to be accessed, the gateway discards the service message and prevents the user terminal from subsequently accessing the service resource.
Optionally, if the binding relationship table has a binding relationship table entry matching with the source address, the specific process of determining, by the gateway, whether the service resource accessed by the user terminal is authorized to be accessed is: if the binding relation table item matched with the source address exists in the binding relation table, the gateway searches whether the local authorized resource table item matched with the source address exists or not according to the source address; if the authorized resource list item matched with the source address exists in the authorized resource list, the gateway acquires authorized resource information included in the authorized resource list item; when the authorized resource information includes an identification of a service resource accessed by the user terminal, the gateway determines that the service resource accessed by the user terminal is authorized to be accessed.
And step 150, if the access is authorized, forwarding the service message to the service resource.
Specifically, according to the description of step 140, after the gateway determines that the service resource accessed by the user terminal is authorized to be accessed, the gateway forwards the service message to the service resource.
Therefore, by applying the communication method provided by the application, the gateway receives the service message sent by the client, and the service message comprises the source address; if the user terminal where the client is located is on line in a transparent mode, the gateway searches whether a mapping relation table item matched with the source address exists in the mapping relation table according to the source address; if the mapping relation table item does not exist, the gateway searches whether a binding relation table item matched with the source address exists in the binding relation table according to the source address; if the binding relation table item exists, the gateway judges whether the business resource accessed by the user terminal is authorized to be accessed; if the access is authorized, the gateway forwards the service message to the service resource.
Thus, if the user terminal where the client is located comes online in the transparent mode, the gateway can look up the service message sent by the client in the locally established multi-level relationship table entries, and forward the service message to the service resource when the service resource accessed by the client is determined to be authorized. The method solves the problem that, when the existing gateway does not locally have a relationship table entry between a user token and a source IP address, the client still cannot access network resources through the gateway even though it is online. The user's experience of the product is improved, and the probability of gateway failure caused by receiving or parsing UDP messages is also reduced.
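The lookup sequence of steps 110 to 150 (user online table, then mapping relationship table, then binding relationship table, then authorized resource table) is shown below as an added worked example in Python. It is not code from the original application; the table layouts, field names, the indexing of the binding and authorized resource tables by every address of the terminal, the verdict returned for a non-transparent online mode, and all sample addresses, tokens and resource identifiers are constructed assumptions.

```python
"""Gateway forwarding decision for a service message in transparent mode.

Added example, not the application's own code: models the lookup sequence of
steps 110-150 over four locally held tables. Table layouts, field names and
all sample values are constructed assumptions.
"""

TRANSPARENT_MODE = 1  # "first value" of the online mode identifier (page: for example 1)


def build_sample_tables():
    """Constructed sample state for one online user terminal."""
    token = "tok-sample-0001"          # constructed user token
    login_addr = "10.1.1.10"           # constructed login address (first level mark)
    non_login_addr = "10.1.2.10"       # constructed non-login address (second level mark)
    resources = {"app-db", "app-web"}  # constructed authorized resource identifiers
    authorized_entry = {
        "login_address": login_addr,
        "non_login_address": non_login_addr,
        "user_token": token,
        "authorized_resources": resources,
    }
    binding_entry = {"login_address": login_addr, "login_level": 1,
                     "non_login_address": non_login_addr, "non_login_level": 2}
    return {
        # user online table: user token -> online information
        "user_online": {token: {"online_mode": TRANSPARENT_MODE, "login_address": login_addr}},
        # mapping relationship table: login address -> level mark and user token
        "mapping": {login_addr: {"level": 1, "user_token": token}},
        # binding relationship table and authorized resource table, indexed under
        # both the login and the non-login address (assumption) so that a lookup
        # by source address succeeds for either address of the terminal
        "binding": {login_addr: binding_entry, non_login_addr: binding_entry},
        "authorized": {login_addr: authorized_entry, non_login_addr: authorized_entry},
    }


def _authorize(tables, source, resource_id, via):
    """Authorized resource table lookup shared by the mapping path and the binding path."""
    entry = tables["authorized"].get(source)
    if entry is None:
        return "DROP", f"no authorized resource entry for {source} (via {via})"
    if resource_id in entry["authorized_resources"]:
        return "FORWARD", f"{resource_id} authorized for {source} (via {via})"
    return "DROP", f"{resource_id} not authorized for {source} (via {via})"


def forward_decision(tables, message):
    """Return ("FORWARD" | "DROP" | "OTHER_MODE", reason) for one service message."""
    source = message["source_address"]
    token = message["user_token"]
    resource_id = message["resource_id"]

    # Step 120 prerequisite: the user token must match a user online entry.
    online = tables["user_online"].get(token)
    if online is None:
        return "DROP", "user token not found in user online table"
    # Only the transparent-mode path is described; other modes are left to the
    # caller here (assumption).
    if online["online_mode"] != TRANSPARENT_MODE:
        return "OTHER_MODE", "online mode is not transparent"

    # Step 120: mapping relationship table, keyed by login address.
    if source in tables["mapping"]:
        return _authorize(tables, source, resource_id, "mapping entry")
    # Step 130: binding relationship table, consulted only when no mapping entry exists.
    if source in tables["binding"]:
        # Steps 140 and 150: authorization check, then forward.
        return _authorize(tables, source, resource_id, "binding entry")
    # Step 130, no binding entry either: discard the message.
    return "DROP", f"no mapping or binding entry for source address {source}"


if __name__ == "__main__":
    tables = build_sample_tables()
    for src, res in [("10.1.1.10", "app-db"), ("10.1.2.10", "app-web"),
                     ("10.1.2.10", "app-mail"), ("10.1.3.99", "app-db")]:
        msg = {"source_address": src, "user_token": "tok-sample-0001", "resource_id": res}
        print(src, res, forward_decision(tables, msg))
```

The point of indexing the binding table under the non-login address is that a message sourced from any address configured on the terminal still resolves to the same terminal; an address that appears in neither table is dropped before any resource check is made.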
Optionally, in the embodiment of the present application, before the gateway executes step 110, the gateway further receives a user online notification sent by the controller, and uses the user online notification to locally generate a mapping relationship table entry, a binding relationship table entry, and an authorized resource table entry.
Specifically, after the user terminal passes the login authentication of the controller, the controller generates a user online notification, wherein the user online notification comprises at least one address in the user terminal, a grade mark corresponding to each address, a user token and authorized resource information.
The controller sends the user online notification to the gateway. After receiving the user online notification, the gateway acquires from it at least one address in the user terminal, a grade mark corresponding to each address, a user token and authorized resource information; the gateway generates a mapping relation table item, a binding relation table item and an authorized resource table item respectively, and stores the table items into the corresponding tables.
The mapping relation table item comprises a login address, a grade mark of the login address and a user token; the binding relation table item comprises a login address, a grade mark of the login address, a non-login address except the login address in at least one address and a grade mark of the non-login address; the authorized resource table entry includes login address, non-login address, user token, and authorized resource information.
The login address specifically refers to an address carried by a source address field of an authentication message when the client sends the authentication message to the controller; the non-login address specifically refers to an address in the user terminal other than the login address, for example, various addresses configured on the network card.
It should be noted that the user online notification further includes online information of the user terminal, for example, an online mode, an online time, and the like of the user terminal. The gateway also generates a user presence entry in which presence information of the user terminal, such as a presence mode, a login address, a presence time, a presence port, a belonging VLAN, etc., of the user terminal may be stored.
Optionally, in the embodiment of the present application, the method further includes a process that the gateway receives a change notification sent by the controller, and updates the local table item according to the change notification.
Specifically, the client periodically scans various applications and components with addresses configured in the user terminal to obtain the currently configured addresses. The client compares the currently configured address with the previously configured address for whether a change has occurred.
If the currently configured address is changed, the client generates a change notification, wherein the change notification comprises the changed address, a grade mark corresponding to the changed address and a user token. The client sends a change notification to the controller.
After receiving the change notification, the controller acquires the change address, the grade mark corresponding to the change address and the user token. If the change address is determined to be the login address according to the grade mark corresponding to the change address, the user online list item matched with the user token is updated through the user token.
At the same time, the controller also sends a change notification to the gateway. After receiving the change notification, the gateway acquires the changed address, the grade mark corresponding to the changed address and the user token from the change notification; according to the user token, the gateway acquires the mapping relation table item matched with the user token from the mapping relation table, acquires the authorized resource table item matched with the user token from the authorized resource table, and acquires the binding relation table item corresponding to the mapping relation table item from the binding relation table; the gateway deletes the mapping relation table item and the binding relation table item; according to the changed address, the gateway updates the login address and the non-login address included in the authorized resource table item; and regenerates a new mapping relation table item and a new binding relation table item according to the changed address and the grade mark corresponding to the changed address.
The change notification may be encrypted by the controller and then transmitted.
In the embodiment of the application, the changed address comprises a login address and a non-login address. The gateway can delete the previously generated mapping relation table item and binding relation table item and then regenerate them from the changed information, and the login address and non-login address in the authorized resource table entry can be updated and replaced.
Optionally, in the embodiment of the present application, the method further includes a step that the gateway receives a user offline notification sent by the controller, and deletes the local table entry according to the user offline notification.
Specifically, when the user terminal no longer accesses the service resource, the client may be notified to go offline. The client sends an offline message to the controller, the offline message including a user token. After the client sends the offline message, the user terminal stops accessing the service resource.
After determining that the user terminal is off-line, the controller generates and sends a user off-line notification to the gateway, wherein the user off-line notification comprises a user token.
And the gateway acquires the user token from the user offline notification after receiving the user offline notification. According to the user token, the gateway obtains mapping relation table items and authorized resource table items matched with the user token from the mapping relation table and the authorized resource table respectively; the gateway obtains a binding relation table item matched with the login address from the binding relation table through the login address included in the mapping relation table; the gateway deletes the mapping relation table item, the binding relation table item and the authorized resource table item.
According to the user token, the gateway also deletes the user online list item matched with the user token.
It can be understood that the controller deletes the user online entry matching the user token recorded locally after sending the user offline notification to the gateway.
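The table lifecycle on the gateway side, from the user online notification through the change notification to the user offline notification, is shown below as an added worked example in Python. It is not code from the original application; the notification layouts, the field names, the choice of the login address as the key of the mapping and binding tables and of the user token as the key of the authorized resource table, the handling of a change notification that carries only non-login addresses, and the sample values are all constructed assumptions.

```python
"""Gateway table lifecycle driven by controller notifications.

Added example, not the application's own code: builds the mapping, binding,
authorized resource and user online entries from a user online notification,
rewrites them on a change notification and removes them on a user offline
notification. Notification layouts, field names and sample values are
constructed assumptions.
"""

LOGIN_LEVEL = 1      # first level mark, assigned to the login address
NON_LOGIN_LEVEL = 2  # second level mark, assigned to non-login addresses


class GatewayTables:
    def __init__(self):
        self.user_online = {}  # user token -> online information
        self.mapping = {}      # login address -> {level mark, user token}
        self.binding = {}      # login address -> {login address, non-login addresses and level marks}
        self.authorized = {}   # user token -> {login address, non-login addresses, resources}

    @staticmethod
    def _split(addresses):
        """Split an address -> level mark dict into (login address or None, non-login list)."""
        login = [a for a, lvl in addresses.items() if lvl == LOGIN_LEVEL]
        non_login = [a for a, lvl in addresses.items() if lvl == NON_LOGIN_LEVEL]
        if len(login) > 1:
            raise ValueError("a terminal has exactly one login address")
        return (login[0] if login else None), non_login

    def _write_entries(self, token, login, non_login):
        """Generate the mapping entry and the binding entry for one terminal."""
        self.mapping[login] = {"level": LOGIN_LEVEL, "user_token": token}
        self.binding[login] = {"login_address": login, "login_level": LOGIN_LEVEL,
                               "non_login_addresses": {a: NON_LOGIN_LEVEL for a in non_login}}

    def on_user_online(self, note):
        token = note["user_token"]
        login, non_login = self._split(note["addresses"])
        if login is None:
            raise ValueError("user online notification carries no login address")
        self.user_online[token] = {"online_mode": note["online_mode"],
                                   "login_address": login, "online_time": note["online_time"]}
        self._write_entries(token, login, non_login)
        self.authorized[token] = {"login_address": login, "non_login_addresses": set(non_login),
                                  "user_token": token,
                                  "authorized_resources": set(note["authorized_resources"])}

    def _login_address_for(self, token):
        """Find the mapping entry matched with a user token (the page searches by token)."""
        for login, entry in self.mapping.items():
            if entry["user_token"] == token:
                return login
        return None

    def on_change(self, note):
        """Delete the old mapping and binding entries, update the authorized entry, regenerate."""
        token = note["user_token"]
        old_login = self._login_address_for(token)
        if old_login is None or token not in self.authorized:
            return False  # unknown token: nothing to update
        new_login, new_non_login = self._split(note["addresses"])
        # Assumption: a change carrying only non-login addresses keeps the old login address.
        if new_login is None:
            new_login = old_login
        del self.mapping[old_login]
        self.binding.pop(old_login, None)
        auth = self.authorized[token]
        auth["login_address"] = new_login
        auth["non_login_addresses"] = set(new_non_login)
        self._write_entries(token, new_login, new_non_login)
        return True

    def on_user_offline(self, note):
        """Delete every entry matched with the token; returns the number of entries removed."""
        token = note["user_token"]
        removed = 0
        login = self._login_address_for(token)
        if login is not None:
            del self.mapping[login]
            removed += 1
            removed += 1 if self.binding.pop(login, None) is not None else 0
        removed += 1 if self.authorized.pop(token, None) is not None else 0
        removed += 1 if self.user_online.pop(token, None) is not None else 0
        return removed


if __name__ == "__main__":
    g = GatewayTables()
    # constructed notifications
    g.on_user_online({"user_token": "tok-1", "online_mode": 1, "online_time": "2024-01-01T00:00:00Z",
                      "addresses": {"10.1.1.10": 1, "10.1.2.10": 2}, "authorized_resources": ["app-db"]})
    g.on_change({"user_token": "tok-1", "addresses": {"10.1.1.20": 1, "10.1.2.30": 2}})
    print(g.mapping, g.binding, g.authorized)
    print("removed", g.on_user_offline({"user_token": "tok-1"}))
```

Because the mapping and binding tables are keyed by login address while the authorized resource table is keyed by token, a change notification has to locate the old login address through the token first; that is the search the page describes, and it is what keeps a stale mapping entry from surviving an address change.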
Another communication method provided by the embodiment of the present application is described in detail below. Referring to fig. 2, fig. 2 is a flowchart of another communication method according to an embodiment of the present application. The method is applied to a controller, and the communication method provided by the embodiment of the application can comprise the following steps.
Step 210, receiving an authentication message sent by a client, wherein the authentication message comprises at least one address in a user terminal where the client is located;
specifically, the user terminal wants to access the service resource in the network, and initiates login authentication through the client. The client generates and sends an authentication message to the controller, the authentication message including at least one address within the user terminal.
The at least one address may be carried by a different field included in the authentication message, e.g., a source address field, a data field. The source address field carries an address, and addresses other than the one carried by the source address field are carried by the data field. The address carried by the source address field may also be referred to as a login address, and the other addresses carried by the data field are referred to as non-login addresses.
It will be appreciated that the authentication message also includes authentication information, such as a user name, password, etc., for authentication.
Step 220, assigning a corresponding level mark to each address in the at least one address;
specifically, according to the description of step 210, after the controller acquires at least one address in the user terminal from the authentication message, a corresponding level flag is assigned to each address in the at least one address.
Optionally, the specific process of assigning a corresponding level flag to each address in the at least one address by the controller is: the controller takes a source address included in the authentication message as a login address, and distributes a first grade mark for the login address; the controller takes other addresses except the login address in the at least one address as non-login addresses, and assigns a second level mark for the non-login addresses.
Wherein the first and second level marks may be specifically denoted by numerals. For example, the first level is marked "1"; the second level is marked as "2".
It will be appreciated that the controller also needs to perform authentication processing on the authentication message, and the authentication process is briefly described in the foregoing embodiments and will not be repeated here.
Step 230, sending a user online notification to a gateway, where the user online notification includes the at least one address, a class label corresponding to each address, a user token, and authorized resource information, so that the gateway generates a mapping relationship table entry, a binding relationship table entry, and an authorized resource table entry.
Specifically, according to the description of step 220, after the controller assigns a corresponding rank label to each address, the controller generates a user online notification, where the user online notification includes at least one address, the rank label corresponding to each address, the user token, and the authorized resource information.
And the controller sends a user online notification to the gateway so that the gateway generates a mapping relation table entry, a binding relation table entry and an authorized resource table entry according to the user online notification. The specific process of generating the mapping relation table entry, the binding relation table entry and the authorized resource table entry by the gateway is described in the foregoing embodiments, and will not be repeated here.
Optionally, in the embodiment of the present application, the method further includes a step of identifying an online mode of the user terminal by the controller during a login authentication process of the user terminal.
Specifically, an address pool is configured in the controller, and the address pool is an intranet address pool. After the controller acquires the login address from the authentication message, it judges whether the login address belongs to the address pool; if the login address belongs to the address pool, the controller determines that the user terminal is online in a transparent mode, and sends an online success notification to the client.
It can be understood that the user online notification generated by the controller further includes an online mode of the user terminal, so that the gateway identifies the online mode of the user terminal after receiving the service message sent by the client.
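The controller-side procedure of steps 210 to 230 and the online mode identification above are shown below as an added worked example in Python. It is not code from the original application; the layout of the authentication message, the intranet address pool, the value used for a non-transparent online mode, and the use of a random URL-safe string as the user token are constructed assumptions, and credential verification is left out.

```python
"""Controller side of login authentication: level marks, online mode, user online notification.

Added example, not the application's own code. Assigns the first level mark to
the address in the source address field of the authentication message and the
second level mark to the addresses in the data field, identifies the transparent
online mode by membership of the login address in the configured intranet
address pool, and assembles the user online notification. Message layout,
address pool and the non-transparent mode value are constructed assumptions;
password checking is omitted.
"""
import ipaddress
import secrets

LOGIN_LEVEL = 1            # first level mark: login address
NON_LOGIN_LEVEL = 2        # second level mark: non-login addresses
TRANSPARENT_MODE = 1       # first value of the online mode identifier
NON_TRANSPARENT_MODE = 0   # assumption: only the transparent mode is named on the page

# Constructed intranet address pool configured on the controller.
INTRANET_POOL = ["10.0.0.0/8", "192.168.0.0/16"]


def assign_level_marks(auth_message):
    """Step 220: address -> level mark for every address carried by the message."""
    login = auth_message["source_address"]
    marks = {login: LOGIN_LEVEL}
    for addr in auth_message.get("data_addresses", []):
        if addr != login:  # the login address is never also a non-login address
            marks[addr] = NON_LOGIN_LEVEL
    return marks


def identify_online_mode(login_address, intranet_pool=INTRANET_POOL):
    """Transparent mode if the login address belongs to the intranet address pool."""
    ip = ipaddress.ip_address(login_address)
    for net in intranet_pool:
        if ip in ipaddress.ip_network(net):
            return TRANSPARENT_MODE
    return NON_TRANSPARENT_MODE


def build_user_online_notification(auth_message, authorized_resources, online_time,
                                   intranet_pool=INTRANET_POOL):
    """Step 230 payload sent to the gateway after authentication succeeds."""
    return {
        "user_token": secrets.token_urlsafe(24),  # random string uniquely identifying the terminal
        "addresses": assign_level_marks(auth_message),
        "online_mode": identify_online_mode(auth_message["source_address"], intranet_pool),
        "online_time": online_time,
        "authorized_resources": list(authorized_resources),
    }


if __name__ == "__main__":
    # Constructed authentication message: source address field plus data field addresses.
    msg = {"source_address": "10.1.1.10", "data_addresses": ["10.1.2.10", "192.168.0.5"],
           "user_name": "alice", "password": "<omitted>"}
    print(build_user_online_notification(msg, ["app-db"], "2024-01-01T00:00:00Z"))
```

Deriving the level marks from the message fields rather than from the client's own claims means the login address is always the one the controller actually saw in the source address field, which is the address the gateway later uses as the mapping table key.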
The communication method provided by the embodiment of the application is described in detail below. Referring to fig. 3, fig. 3 is a signaling diagram of forwarding a service packet by a client, a controller, and a gateway according to an embodiment of the present application.
Step 300, the client sends an authentication message to the controller, wherein the authentication message comprises at least one address in a user terminal where the client is located.
Specifically, the user terminal wants to access the service resource in the network, and initiates login authentication through the client. The client generates and sends an authentication message to the controller, the authentication message including at least one address within the user terminal.
The at least one address may be carried by a different field included in the authentication message, e.g., a source address field, a data field. The source address field carries an address, and addresses other than the one carried by the source address field are carried by the data field. The address carried by the source address field may also be referred to as a login address, and the other addresses carried by the data field are referred to as non-login addresses.
The authentication message also includes authentication information, such as a user name, a password, etc., for authentication.
Step 301, the controller performs login authentication, and assigns a corresponding level mark to each address in at least one address.
Specifically, the controller performs authentication processing on the user terminal and judges whether the login address belongs to a configured intranet address pool. If the login address belongs to the address pool, the controller determines that the user terminal is online in a transparent mode.
The controller also randomly generates a character string as a user token for uniquely identifying a user terminal. Meanwhile, the controller assigns a corresponding rank flag to each address. For example, the controller assigns a first level tag to the login address; the controller assigns a second level tag to the non-login address.
Step 302, if authentication is successful, the controller sends an online success notification to the client.
Specifically, if the user terminal authentication is successful, the controller sends an online success notification to the client, where the online success notification includes a user token.
Step 303, the controller sends a user online notification to the gateway, where the user online notification includes the at least one address, a class mark corresponding to each address, a user token, and authorized resource information.
Specifically, the controller sends a user online notification to the gateway, where the user online notification includes at least one address, a class label corresponding to each address, a user token, and authorized resource information.
The user online notification further includes an online mode of the user terminal, so that the gateway identifies the online mode of the user terminal after receiving the service message sent by the client.
The process of authenticating the user terminal by the controller and locally generating the user online entry is described in the foregoing embodiment, and will not be repeated here.
Step 304, the gateway generates various types of relation table items locally.
Specifically, the gateway locally generates a mapping relation table entry, a binding relation table entry and an authorized resource table entry by using at least one address, a grade mark corresponding to each address, a user token and authorized resource information.
The mapping relation table entry is used for representing the mapping relation between the login address and the user token, and comprises the login address, the grade mark of the login address and the user token; the binding relation table item is used for representing the binding relation between the login address and the non-login address, and comprises the login address, the non-login address, and the grade marks of the login address and the non-login address; the resource authorization table item is used for representing the service resources which the user terminal is authorized to access, and comprises a login address, a non-login address, a user token and authorized resource information.
It will be appreciated that the gateway also generates locally a user presence entry including a user token, login address, presence time, presence port, belonging VLAN, etc.
The process of establishing each type of entry by the gateway is described in the foregoing embodiments and will not be repeated here.
Step 305, the gateway receives a service message sent by the client, where the service message includes a source address.
Specifically, the user terminal wants to access the service resources in the network through the gateway. The user terminal generates a service message, which includes a source address. After the user terminal generates the service message, the service message is sent to the gateway through the client. And the gateway receives the service message sent by the client and acquires the source address from the service message.
In the embodiment of the application, the service message also comprises the user token and the identification of the service resource accessed by the user terminal.
Step 306, checking the access right of the user terminal according to the source address.
Specifically, the gateway searches a plurality of locally generated entries by using the source address, and determines whether the service resource accessed by the user terminal is authorized to be accessed.
If the service resource accessed by the user terminal is authorized to be accessed, the gateway forwards the service message to the service resource; if the service resource accessed by the user terminal is not authorized to be accessed, the gateway discards the service message and prevents the user terminal from accessing the service resource subsequently.
The process of the gateway searching for a plurality of locally generated entries by using the source address and determining whether the service resource accessed by the user terminal is authorized to be accessed is described in detail in the foregoing embodiments, and will not be repeated here.
Step 307, the client sends a change notification to the controller.
Specifically, the client periodically scans various applications and components with addresses configured in the user terminal to obtain the currently configured addresses. The client compares the currently configured address with the previously configured address for whether a change has occurred.
If the currently configured address is changed, the client generates a change notification, wherein the change notification comprises the changed address, a grade mark corresponding to the changed address and a user token. The client sends a change notification to the controller.
Step 308, the controller sends a change notification to the gateway.
Specifically, after receiving the change notification, the controller acquires from it the changed address, the level mark corresponding to the changed address and the user token, and updates the locally recorded user online entry matched with the user token through the user token.
At the same time, the controller also sends a change notification to the gateway.
Step 309, the gateway updates the locally generated various types of relationship table entries.
Specifically, after receiving the change notification, the gateway regenerates or updates each type of relationship table item by using the user token.
The process by which the gateway updates the locally generated relationship entries is described in the foregoing embodiments and is not repeated here.
Step 310, the client sends an offline message to the controller.
Specifically, when the user terminal no longer accesses the service resource, the client may be notified to go offline. The client sends an offline message to the controller, the offline message including a user token. After the client sends the offline message, the user terminal stops accessing the service resource.
Step 311, the controller sends a user offline notification to the gateway.
Specifically, after determining that the user terminal is offline, the controller generates and sends a user offline notification to the gateway, where the user offline notification includes a user token.
Step 312, the gateway deletes the locally generated various types of relationship entries.
Specifically, after receiving the user offline notification, the gateway uses the user token to obtain the matching relationship table entries of each type, and deletes those entries.
How the gateway deletes the locally generated relationship table entries of each type was described in the foregoing embodiments and is not described in detail here.
Based on the same inventive concept, the embodiment of the application also provides a communication device corresponding to the communication method. Referring to fig. 4, fig. 4 is a communication device provided in an embodiment of the present application, where the device is applied to a gateway, and the device includes:
a receiving unit 410, configured to receive a service packet sent by a client, where the service packet includes a source address;
a searching unit 420, configured to search, if the user terminal where the client is located is online in a transparent mode, whether a mapping relationship table entry matching the source address exists in the mapping relationship table according to the source address;
the lookup unit 420 is further configured to, if the mapping relationship table entry does not exist, find, according to the source address, whether a binding relationship table entry matching the source address exists in a binding relationship table;
a judging unit 430, configured to judge whether the service resource accessed by the user terminal is authorized to be accessed if the binding relationship table entry exists;
and the sending unit 440 is configured to forward the service packet to the service resource if access is authorized.
Optionally, the determining unit 430 is further configured to determine whether the service resource accessed by the user terminal is authorized to be accessed if the mapping relationship table entry exists;
The sending unit 440 is further configured to forward the service packet to the service resource if access is authorized.
Optionally, the receiving unit 410 is further configured to receive a user online notification sent by the controller, where the user online notification includes at least one address in the user terminal, a level flag corresponding to each address, a user token, and authorized resource information;
the apparatus further comprises: a generating unit (not shown in the figure) for generating the mapping relationship table entry, where the mapping relationship table entry includes a login address in the at least one address, the level flag of the login address, and the user token;
the generating unit (not shown in the figure) is further configured to generate the binding relationship table entry, where the binding relationship table entry includes the login address, a non-login address other than the login address in the at least one address, and a level flag of the non-login address;
the generating unit (not shown in the figure) is further configured to generate an authorized resource table entry, where the authorized resource table entry includes the login address, the non-login address, the user token, and the authorized resource information.
Optionally, the determining unit 430 is specifically configured to, if the mapping relationship table entry exists, search whether the authorized resource table entry matching the source address or the user token exists in the authorized resource table according to the source address or the user token;
if the authorized resource list item exists, acquiring the authorized resource information included in the authorized resource list item;
when the authorized resource information comprises the identification of the service resource accessed by the user terminal, determining that the service resource accessed by the user terminal is authorized to be accessed;
the user token is obtained from the service message or the mapping relation table item.
Optionally, the determining unit 430 is further specifically configured to, if the binding relationship table entry exists, search, according to the source address, whether the authorized resource table entry matching the source address exists in an authorized resource table;
if the authorized resource list item exists, acquiring the authorized resource information included in the authorized resource list item;
and when the authorized resource information comprises the identification of the service resource accessed by the user terminal, determining that the service resource accessed by the user terminal is authorized to be accessed.
Optionally, the receiving unit 410 is further configured to receive a change notification sent by the controller, where the change notification includes a changed address, a level flag corresponding to the changed address, and the user token;
the apparatus further comprises: an obtaining unit (not shown in the figure) configured to obtain, according to the user token, the mapping relationship table entry matching the user token from a mapping relationship table, obtain, from an authorized resource table, the authorized resource table entry matching the user token, and obtain, from a binding relationship table, the binding relationship table entry corresponding to the mapping relationship table entry;
the apparatus further comprises: a deleting unit (not shown in the figure) for deleting the mapping relation table item and the binding relation table item;
an updating unit (not shown in the figure) for updating the login address and the non-login address included in the authorized resource table item according to the change address;
the generating unit (not shown in the figure) is further configured to regenerate a new mapping relationship table entry and a new binding relationship table entry according to the change address and the level flag corresponding to the change address.
Optionally, the receiving unit 410 is further configured to receive a user offline notification sent by the controller, where the user offline notification includes the user token;
The obtaining unit (not shown in the figure) is further configured to obtain, according to the user token, the mapping relationship table entry and the authorized resource table entry that are matched with the user token from a mapping relationship table and an authorized resource table, respectively;
the obtaining unit (not shown in the figure) is further configured to obtain, from a binding relationship table, the binding relationship table entry that matches the login address, using the login address included in the mapping relationship table entry;
the deleting unit (not shown in the figure) is further configured to delete the mapping relation table entry, the binding relation table entry, and the authorized resource table entry.
Based on the same inventive concept, the embodiment of the application also provides a communication device corresponding to the communication method. Referring to fig. 5, fig. 5 is another communication device provided in an embodiment of the present application, where the device is applied to a controller, and the device includes:
a receiving unit 510, configured to receive an authentication message sent by a client, where the authentication message includes at least one address in a user terminal where the client is located;
an allocation unit 520, configured to allocate a corresponding level flag to each of the at least one address;
and a sending unit 530, configured to send a user online notification to a gateway, where the user online notification includes the at least one address, a level flag corresponding to each address, a user token, and authorized resource information, so that the gateway generates a mapping relationship table entry, a binding relationship table entry, and an authorized resource table entry.
Optionally, the allocation unit 520 is specifically configured to take a first address of the at least one address as a login address, and allocate a first level flag to the login address, where the first address is a source address included in the authentication message;
and taking the other addresses except the login address in the at least one address as non-login addresses, and allocating a second level mark for the non-login addresses.
Optionally, an address pool is configured in the controller; the apparatus further comprises: a judging unit (not shown) for judging whether the login address belongs to the address pool;
the sending unit 530 is further configured to, if the login address belongs to the address pool, determine that the user terminal is online in a transparent mode, and send an online success notification to the client.
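As an added illustration of the change notification and offline steps above (Steps 308 to 312) and of the gateway and controller devices of Figs. 4 and 5, the following Python sketch is example code written for this page, not the applicant's implementation. It models the three gateway tables (mapping, binding, authorized resource) as dictionaries, the controller's level-flag allocation and address-pool check, and the lookup order a service packet goes through. The message layouts, class and function names, and the scenario addresses are assumptions; so are two simplifications called out in comments: only transparent-mode terminals are modelled, and non-login addresses carried in a change notification replace the previously recorded non-login set.

```python
"""Added worked example, not the application's own code: the controller classifies a
terminal's addresses and decides transparent-mode online; the gateway generates, looks up,
updates and deletes mapping, binding and authorized-resource entries. All names and
message layouts here are assumptions made for illustration."""
from ipaddress import ip_address, ip_network

LOGIN_FLAG = 1      # first level flag: the login address (source of the auth message)
NON_LOGIN_FLAG = 2  # second level flag: every other address on the terminal


class Controller:
    def __init__(self, address_pool):
        self.pool = [ip_network(n) for n in address_pool]
        self.online = {}  # user online list: token -> {address: level flag}

    def authenticate(self, source, addresses, token, authorized):
        """Assign level flags; return (transparent_mode, user online notification)."""
        flags = {source: LOGIN_FLAG}
        flags.update({a: NON_LOGIN_FLAG for a in addresses if a != source})
        self.online[token] = flags
        transparent = any(ip_address(source) in net for net in self.pool)
        return transparent, {"addresses": flags, "token": token, "authorized": set(authorized)}

    def change(self, token, changed):
        """Update the online entry and relay the change notification ({address: flag})."""
        self.online[token].update(changed)
        return {"changes": dict(changed), "token": token}


class Gateway:
    def __init__(self):
        self.mapping = {}     # login address -> (level flag, token)
        self.binding = {}     # non-login address -> (login address, level flag)
        self.authorized = {}  # token -> {"token", "login", "non_login", "resources"}
        self.transparent = set()  # tokens of terminals online in transparent mode

    def _generate(self, token, login, non_login):
        self.mapping[login] = (LOGIN_FLAG, token)
        for addr in non_login:
            self.binding[addr] = (login, NON_LOGIN_FLAG)

    def _delete(self, token):
        entry = self.authorized[token]
        self.mapping.pop(entry["login"], None)
        for addr in entry["non_login"]:
            self.binding.pop(addr, None)

    def on_user_online(self, note, transparent):
        flags, token = note["addresses"], note["token"]
        login = next(a for a, f in flags.items() if f == LOGIN_FLAG)
        non_login = {a for a, f in flags.items() if f == NON_LOGIN_FLAG}
        self.authorized[token] = {"token": token, "login": login, "non_login": non_login,
                                  "resources": set(note["authorized"])}
        self._generate(token, login, non_login)
        if transparent:
            self.transparent.add(token)

    def forward(self, source, resource, token=None):
        """True if a service packet from source may be forwarded to resource:
        mapping entry first, then binding entry, then the authorized resource table."""
        if source in self.mapping:
            # the token comes from the packet or, failing that, from the mapping entry
            entry = self.authorized.get(token or self.mapping[source][1])
        elif source in self.binding:
            # binding entry hit: the authorized entry is located by the source address
            entry = next((e for e in self.authorized.values() if source in e["non_login"]), None)
        else:
            return False  # no relationship entry at all: drop
        if entry is None or entry["token"] not in self.transparent:
            return False  # assumption: non-transparent terminals are outside this example
        return resource in entry["resources"]

    def on_change(self, note):
        token, changes = note["token"], note["changes"]
        entry = self.authorized[token]
        self._delete(token)  # the old mapping and binding entries are removed first
        entry["login"] = next((a for a, f in changes.items() if f == LOGIN_FLAG), entry["login"])
        non_login = {a for a, f in changes.items() if f == NON_LOGIN_FLAG}
        entry["non_login"] = non_login or entry["non_login"]  # assumption: replaces old set
        self._generate(token, entry["login"], entry["non_login"])

    def on_offline(self, note):
        self._delete(note["token"])
        self.authorized.pop(note["token"])
        self.transparent.discard(note["token"])


def run_example():
    """Constructed scenario: terminal 10.0.0.5 logs in from the controller's pool,
    also owns virtual adapter 192.168.56.10, later renumbered to 192.168.56.11."""
    ctl, gw = Controller(["10.0.0.0/24"]), Gateway()
    transparent, note = ctl.authenticate(
        "10.0.0.5", ["10.0.0.5", "192.168.56.10"], "tok-1", ["erp", "mail"])
    gw.on_user_online(note, transparent)
    before = (gw.forward("10.0.0.5", "erp"),        # mapping entry, authorized
              gw.forward("192.168.56.10", "mail"),  # binding entry, authorized
              gw.forward("192.168.56.10", "git"),   # bound, but not an authorized resource
              gw.forward("172.16.0.9", "erp"))      # no entry at all
    gw.on_change(ctl.change("tok-1", {"192.168.56.11": NON_LOGIN_FLAG}))
    after = (gw.forward("192.168.56.11", "mail"), gw.forward("192.168.56.10", "mail"))
    gw.on_offline({"token": "tok-1"})
    return before, after, gw.forward("10.0.0.5", "erp")
```

`run_example()` walks one terminal through online, lookup, address change and offline; the point a practitioner should take from it is that the binding entry lets a packet from the non-login address be authorized without any token-to-source-IP entry, and that the change and offline paths must remove the stale binding entry so that the old non-login address stops matching.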
Therefore, by applying the communication method and device provided by the application, the gateway receives a service packet sent by the client, where the service packet includes a source address; if the user terminal where the client is located is online in a transparent mode, the gateway searches, according to the source address, whether a mapping relationship table entry matching the source address exists in the mapping relationship table; if no mapping relationship table entry exists, the gateway searches, according to the source address, whether a binding relationship table entry matching the source address exists in the binding relationship table; if a binding relationship table entry exists, the gateway judges whether the service resource accessed by the user terminal is authorized to be accessed; and if access is authorized, the gateway forwards the service packet to the service resource.
Thus, if the user terminal where the client is located goes online in a transparent mode, the gateway can look up the service packet sent by the client in the locally established multi-level relationship table entries, and forward the service packet to the service resource once the service resource accessed by the client is determined to be authorized. This solves the problem that, when the existing gateway has no local relationship entry between a user token and a source IP address, the client cannot access network resources through the gateway even though it is online. The user's experience of the product is improved, and the probability that the gateway fails while receiving or parsing UDP messages is also reduced.
Based on the same inventive concept, the embodiment of the present application further provides a network device, as shown in fig. 6, including a processor 610, a transceiver 620, and a machine-readable storage medium 630, where the machine-readable storage medium 630 stores machine-executable instructions capable of being executed by the processor 610, and the processor 610 is caused to perform the communication method provided by the embodiment of the present application. The communication devices shown in fig. 4 and 5 may be implemented by using a hardware structure of a network device as shown in fig. 6.
The machine-readable storage medium 630 may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk memory. Optionally, the machine-readable storage medium 630 may also be at least one storage device located remotely from the processor 610.
The processor 610 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In an embodiment of the present application, the processor 610 reads the machine-executable instructions stored in the machine-readable storage medium 630, and the machine-executable instructions cause the processor 610 itself to execute, and to invoke the transceiver 620 to execute, the communication method described in the foregoing embodiments of the present application.
In addition, embodiments of the present application provide a machine-readable storage medium 630 storing machine-executable instructions that, when invoked and executed by the processor 610, cause the processor 610 itself to execute, and to invoke the transceiver 620 to execute, the communication method described in the foregoing embodiments of the present application.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, since they essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present application without undue burden.
For the communication device and the machine-readable storage medium embodiments, since the method content involved is substantially similar to the method embodiments described above, the description is relatively simple, and reference will only be made to part of the description of the method embodiments.
The foregoing description of the preferred embodiments is not intended to limit the application; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the application falls within its scope.