CN117319096B - Access right management method, access right management device, and readable storage medium

Info

Publication number: CN117319096B
Authority: CN (China)
Prior art keywords: access, character string, user data, authority, permission
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202311631437.0A
Other languages: Chinese (zh)
Other versions: CN117319096A
Inventors: 冯伟, 宁友元
Current assignee: Shenzhen Fengrunda Technology Co ltd (as listed; not legally verified)
Original assignee: Shenzhen Fengrunda Technology Co ltd

Events
Application filed by Shenzhen Fengrunda Technology Co ltd
Priority to CN202311631437.0A
Publication of CN117319096A
Priority to PCT/CN2024/084516 (WO2025112250A1)
Application granted
Publication of CN117319096B
Legal status: Active (current)

Abstract

The present invention relates to the field of electronic digital data processing technology, and in particular to an access rights management method, an access rights management device and a readable storage medium. The access rights management method is applied to the server side: when user login information sent by a client is received, the corresponding local user data is called according to the user login information; according to the local user data, an access string corresponding to the local user data is generated and sent to the client; after the access string sent by the client is received, the local user data corresponding to the access string is called; according to the local user data, a message header carrying a permission identifier is generated and sent to a switch application; when access permission information returned by the switch application based on the message header is received, the switch application is accessed. Fine-grained permission control and user permission management for the users of a switch are thereby realized.

Description

Access right management method, access right management device and readable storage medium

Technical Field

The present invention relates to the technical field of electronic digital data processing, and in particular to an access rights management method, an access rights management device and a readable storage medium.

Background Art

Existing methods by which a client accesses a switch application through a token consider only basic identity authentication and access function control, and do not consider the division of permissions between different user roles. Therefore, most switches support only basic user addition and token-based access, and cannot meet the need for fine-grained permission control and user permission management.

Therefore, the commonly used method for accessing switch applications has the defect that it cannot perform fine-grained permission control on switch users or manage user permissions.

The above content is only intended to assist in understanding the technical solution of the present invention and does not constitute an admission that it is prior art.

Summary of the Invention

The main purpose of the present invention is to provide an access rights management method, aiming to solve the defect that multiple users of a switch cannot be managed.

To achieve the above object, the present invention provides an access rights management method applied to a server side. The access rights management method comprises the following steps:

when user login information sent by a client is received, calling the corresponding local user data according to the user login information;

according to the local user data, generating and sending an access string corresponding to the local user data to the client;

after the access string sent by the client is received, calling the local user data corresponding to the access string;

according to the local user data, generating and sending a message header carrying a permission identifier to a switch application;

when access permission information returned by the switch application based on the message header is received, accessing the switch application.

Optionally, the step of generating and sending a message header carrying a permission identifier to a switch application according to the local user data includes:

when the permission level of the local user data is basic permission, generating and sending a message header carrying a first-level permission identifier;

when the permission level of the local user data is monitoring permission, generating and sending a message header carrying a second-level permission identifier;

when the permission level of the local user data is management permission, generating and sending a message header carrying a third-level permission identifier.

Optionally, the step of calling the local user data corresponding to the access string after the access string sent by the client is received includes:

performing expiration verification on the access string based on the expiration field in the access string;

when the access string is determined to be invalid, sending an access string invalidation prompt to the client;

when the access string is determined to be valid, calling the local user data according to the access string.

Optionally, the step of performing expiration verification on the access string based on the expiration field in the access string includes:

reading the expiration field in the access string and the access time in the session record corresponding to the access string;

determining the validity period corresponding to the access string according to the expiration field, and determining the offline duration of the client according to the difference between the current time and the access time;

when the offline duration is greater than or equal to the validity period, determining that the access string is invalid;

when the offline duration is less than the validity period, determining that the access string is valid.

Optionally, after the step of accessing the switch application when access permission information returned by the switch application based on the message header is received, the method further includes:

refreshing the access time in the session record of the access string.

Optionally, before the step of refreshing the access time in the session record of the access string, the method further includes:

determining whether the access string carries a scheduled task identifier;

when the access string carries a scheduled task identifier, not performing the step of refreshing the access time in the session record of the access string.

Optionally, the step of calling the corresponding local user data according to the user login information when user login information sent by the client is received includes:

after the user login information is received, encrypting and encapsulating the user login information based on a random encryption string to generate ciphertext information, and sending the ciphertext information to a user management process;

the user management process obtaining the corresponding decryption algorithm from an encryption library based on the encryption identifier of the ciphertext information;

decrypting the ciphertext information based on the decryption algorithm to obtain the local user data;

generating an online user according to the local user data and adding it to a user management table.

In addition, the present invention also provides an access rights management method applied to a switch application. The access rights management method comprises the following steps:

when a message header sent by the server side is received, reading the permission identifier carried in the message header, and determining the permission level corresponding to the permission identifier;

verifying whether the permission level is greater than or equal to the local permission level;

if so, generating and sending access permission information to the server side;

if not, generating and sending access denial information to the server side.
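The three-level permission header and the switch-side comparison described in the steps above, as an added example that is not code from the patent or from its assignee. The header field name X-Perm-Level, the function names and the table of switch functions with their required local levels are assumptions made here.

```python
"""Permission-identifier header exchange between the server side and the switch
application, written for the three-level scheme described in the patent text.
Added example, not the patent's own code: the header field name, the function
names and the sample table of switch functions are assumptions."""
from enum import IntEnum


class PermLevel(IntEnum):
    """Permission identifiers carried in the message header."""
    BASIC = 1        # basic permission      -> first-level identifier
    MONITORING = 2   # monitoring permission -> second-level identifier
    MANAGEMENT = 3   # management permission -> third-level identifier


# Permission level as stored in local user data -> identifier put in the header
LEVEL_BY_NAME = {
    "basic": PermLevel.BASIC,
    "monitoring": PermLevel.MONITORING,
    "management": PermLevel.MANAGEMENT,
}

HEADER_FIELD = "X-Perm-Level"  # assumed name of the header field

# Assumed (constructed) local permission level required by each switch function
SWITCH_FUNCTION_LEVELS = {
    "show-port-status": PermLevel.BASIC,
    "read-traffic-counters": PermLevel.MONITORING,
    "set-vlan": PermLevel.MANAGEMENT,
}


def build_message_header(local_user_data: dict) -> dict:
    """Server side: map the user's permission level to an identifier and build
    the message header that is sent to the switch application."""
    level = LEVEL_BY_NAME.get(local_user_data.get("permission_level"))
    if level is None:
        # Unknown or missing level: refuse to build a header rather than guess.
        raise ValueError("local user data has no recognised permission level")
    return {HEADER_FIELD: str(int(level)), "X-User": local_user_data["username"]}


def switch_app_check(header: dict, function_name: str) -> str:
    """Switch application side: read the identifier from the header, resolve
    its permission level and compare it with the local level required by the
    requested function. Returns "allow" or "deny"."""
    required = SWITCH_FUNCTION_LEVELS.get(function_name)
    if required is None:
        return "deny"                 # unknown function: fail closed
    try:
        level = PermLevel(int(header.get(HEADER_FIELD)))
    except (TypeError, ValueError):
        return "deny"                 # missing or unrecognised identifier
    return "allow" if level >= required else "deny"


def request_switch_function(local_user_data: dict, function_name: str) -> bool:
    """Server side end to end: build the header, hand it to the switch
    application and access the function only on an "allow" reply."""
    header = build_message_header(local_user_data)
    reply = switch_app_check(header, function_name)   # stands in for the network hop
    return reply == "allow"


if __name__ == "__main__":
    monitor = {"username": "alice", "permission_level": "monitoring"}
    print(request_switch_function(monitor, "read-traffic-counters"))  # True
    print(request_switch_function(monitor, "set-vlan"))               # False
```

A missing, unparsable or out-of-range identifier is treated as a denial, so the switch side never grants access on a malformed header.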

In addition, to achieve the above object, the present invention also provides an access rights management device, which includes a memory, a processor, and an access rights management program stored in the memory and executable on the processor. When executed by the processor, the access rights management program implements the steps of the access rights management method described above.

In addition, to achieve the above object, the present invention also provides a computer-readable storage medium on which an access rights management program is stored. When executed by a processor, the access rights management program implements the steps of the access rights management method described above.

An embodiment of the present invention provides an access rights management method. Calling the corresponding local user data according to the user login information ensures that the identity authentication of the logged-in user is accurate. Generating and sending the access string corresponding to the local user data to the client means that, because the access string contains the user information, the client can request access to the switch application from the server side directly with the access string; and because access does not require the user name and user password, the security of the local user data can be ensured. After the access string sent by the client is received, the local user data corresponding to the access string is called, and a message header carrying a permission identifier is generated and sent to the switch application, so that the switch application can verify whether the user has permission to use the function of the switch application, thereby realizing fine-grained permission control. When the access permission information returned by the switch application based on the message header is received, the switch application is accessed, so that only users with a matching permission level can use the switch application, thereby managing and controlling user access. Therefore, access rights are verified and controlled through the user login information, local user data, access string and message header, realizing fine-grained permission control and user permission management for switch users.

Brief Description of the Drawings

The drawings herein are incorporated into and constitute a part of the specification, illustrate embodiments consistent with the present invention, and together with the specification serve to explain the principles of the present invention. In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic diagram of the architecture of the hardware operating environment of the access rights management device involved in an embodiment of the present invention;

FIG. 2 is a schematic flow chart of a first embodiment of the access rights management method of the present invention;

FIG. 3 is a schematic flow chart of a second embodiment of the access rights management method of the present invention;

FIG. 4 is a schematic flow chart of a third embodiment of the access rights management method of the present invention.

The realization of the purpose, functional features and advantages of the present invention will be further explained in conjunction with the embodiments and with reference to the accompanying drawings.

Detailed Description of the Embodiments

The present application provides an access rights management method applied to the server side. When user login information sent by a client is received, the corresponding local user data is called according to the user login information; an access string corresponding to the local user data is generated and sent to the client according to the local user data; after the access string sent by the client is received, the local user data corresponding to the access string is called; a message header carrying a permission identifier is generated and sent to a switch application according to the local user data; when access permission information returned by the switch application based on the message header is received, the switch application is accessed. This improves the ability to manage switch users and the security of the local user data.

In order to better understand the above technical solution, exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments described herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

As one implementation, FIG. 1 is a schematic diagram of the architecture of the hardware operating environment of the access rights management device involved in the embodiment of the present invention.

As shown in FIG. 1, the access rights management device may include a processor 101, such as a central processing unit (CPU), a memory 102, and a communication bus 103. The memory 102 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory. The memory 102 may optionally also be a storage device independent of the aforementioned processor 101. The communication bus 103 is used to realize connection and communication between these components.

Those skilled in the art will appreciate that the structure shown in FIG. 1 does not limit the access rights management device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

As shown in FIG. 1, the memory 102, as a computer-readable storage medium, may include an operating system, a data storage module, a network communication module, a user interface module and an access rights management program.

In the access rights management device shown in FIG. 1, the processor 101 and the memory 102 may be provided in the access rights management device. The access rights management device calls the access rights management program stored in the memory 102 through the processor 101 and performs the following operations:

when user login information sent by the client is received, calling the corresponding local user data according to the user login information;

according to the local user data, generating and sending an access string corresponding to the local user data to the client;

after the access string sent by the client is received, calling the local user data corresponding to the access string;

according to the local user data, generating and sending a message header carrying a permission identifier to a switch application;

when access permission information returned by the switch application based on the message header is received, accessing the switch application.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

when the permission level of the local user data is basic permission, generating and sending a message header carrying a first-level permission identifier;

when the permission level of the local user data is monitoring permission, generating and sending a message header carrying a second-level permission identifier;

when the permission level of the local user data is management permission, generating and sending a message header carrying a third-level permission identifier.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

performing expiration verification on the access string based on the expiration field in the access string;

when the access string is determined to be invalid, sending an access string invalidation prompt to the client;

when the access string is determined to be valid, calling the local user data according to the access string.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

reading the expiration field in the access string and the access time in the session record corresponding to the access string;

determining the validity period corresponding to the access string according to the expiration field, and determining the offline duration of the client according to the difference between the current time and the access time;

when the offline duration is greater than or equal to the validity period, determining that the access string is invalid;

when the offline duration is less than the validity period, determining that the access string is valid.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

refreshing the access time in the session record of the access string.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

determining whether the access string carries a scheduled task identifier;

when the access string carries a scheduled task identifier, not performing the step of refreshing the access time in the session record of the access string.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

after the user login information is received, encrypting and encapsulating the user login information based on a random encryption string to generate ciphertext information, and sending the ciphertext information to a user management process;

the user management process obtaining the corresponding decryption algorithm from an encryption library based on the encryption identifier of the ciphertext information;

decrypting the ciphertext information based on the decryption algorithm to obtain the local user data;

generating an online user according to the local user data and adding it to a user management table.

In one embodiment, the processor 101 may be used to call the access rights management program stored in the memory 102 and perform the following operations:

when a message header sent by the server side is received, reading the permission identifier carried in the message header, and determining the permission level corresponding to the permission identifier;

verifying whether the permission level is greater than or equal to the local permission level;

if so, generating and sending access permission information to the server side;

if not, generating and sending access denial information to the server side.

Based on the hardware architecture of the access rights management device described above, an embodiment of the access rights management method of the present invention is proposed.

It should be noted that, in the embodiment of the present application, one end of the switch has a network connection to the client, and the other end of the switch has a network connection to the server side.

Referring to FIG. 2, in a first embodiment, the access rights management method is applied to a server side and includes the following steps:

Step S100: when user login information sent by the client is received, calling the corresponding local user data according to the user login information.

In this embodiment, when the server side receives the user login information sent by the client, the corresponding local user data is called from the user management table according to the user login information. Optionally, the client may be a computer, a printer, an IP camera, a network storage device, etc. The user login information includes a user name and a user password. The local user data includes, but is not limited to, user identity information, user permission information, user access data, etc. The user management table includes the local user data of all online users, where online users are registered users. Optionally, after the user login information sent by the client is received, it is first necessary to determine whether the user login information matches the user data in the Linux database; then, when the user login information matches the user data in the Linux database, the detailed local user data is called from the background management terminal.

Optionally, after the client connects to a switch that is already connected to the server side, the server side requests login information from the client through the switch. Then, after the server side receives the user login information, it encrypts and encapsulates the user login information based on a random encryption string to generate ciphertext information, and sends the ciphertext information to the user management process. The user management process is a program running on the server side that handles user login requests, verifies user identities, manages local user data and permissions, and performs other tasks. It should be noted that the random encryption string is obtained from the local database; it is an encryption identifier generated from the combination of the user name and password, produced by encrypting the user password.

After receiving the above ciphertext information, the user management process obtains the corresponding decryption algorithm from the encryption library based on the encryption identifier of the ciphertext information. Then, based on the decryption algorithm, the ciphertext information is decrypted to obtain the above local user data. Then, based on the local user data, an online user is generated and added to the user management table. After the step of decrypting the ciphertext information to obtain the local user data, the local user data may also be verified to ensure that it is correct. The encryption library is allocated to the user management process during system initialization.

In this way, on the user management process side, it can be ensured that only the administrator can see all local user data, and that the visible local user data does not include user passwords or encryption strings, thereby ensuring the security of externally exposed data. In addition, since different encryption libraries are assigned to different switch applications during system initialization, only a switch application whose encryption library includes the corresponding decryption algorithm can decrypt the received ciphertext information. Therefore, passing the local user data to the user management process in encrypted form prevents the local user data from being intercepted during transmission, improving the security of local user data transmission.

Step S200: generating and sending an access string corresponding to the local user data to the client according to the local user data.

In this embodiment, after the server side has called the local user data corresponding to the user login information, it generates an access string corresponding to the local user data and sends the access string to the client through the switch. It should be noted that this client is the client that sent the user login information. The access string is used by the client to access the data of the switch.

Because the access string is sent to the client, once the client has received it, the client can use the access string to access the switch application on the server side and manage the switch. Accessing the switch application on the server through the access string spares users the tedious operation of repeatedly entering a user name and password, improving the convenience of access.

Step S300: after receiving the access string sent by the client, call the local user data corresponding to the access string.

In this embodiment, when the client accesses the switch application through the server side, it sends the access string previously issued by the server back to the server to request access to the switch application. After receiving the access string sent by the client, the server side looks up the corresponding local user data by means of the access string and calls that local user data.

Optionally, after receiving the access string, the server side performs expiration verification on it. Optionally, the access string includes a validity-period field, which is used for the expiration verification. Specifically, the validity-period field in the access string is read, together with the last access time in the session record corresponding to the access string. Then the valid duration of the access string is determined from the validity-period field, and the client's offline duration is determined from the difference between the current time and the last access time. When the offline duration is greater than or equal to the valid duration, the access string is judged to have expired; when the offline duration is less than the valid duration, the access string is judged to be valid. Specifically, the step of determining the client's offline duration from the difference between the current time and the access time is carried out by the server side through calculation.

After the expiration verification of the access string, if the access string is judged to have expired, an access-string-expired notice is sent to the client; if the access string is judged to be valid, the step of calling the local user data according to the access string is executed.

Optionally, after the access string is determined to have expired, the session record corresponding to the expired access string is deleted, so that the corresponding local user data cannot be called the next time that access string is received. At this point, if the user needs to access the switch application on the server side, the user must re-enter the user login information on the client to obtain a new access string, and then access the switch application with the new access string.

By performing expiration verification on the access string, the access string is ensured to be valid only within a certain period, which prevents a malicious attacker from tampering with or reusing an expired access string, thereby preventing unauthorized access and ensuring the security of user data.

Step S400: generate, according to the local user data, a message header carrying an authority identifier and send it to the switch application.

In this embodiment, after the server side has called the local user data corresponding to the access string, it generates a message header carrying an authority identifier according to that local user data and sends the message header to the switch application. Optionally, when the authority level of the local user data is the basic authority, a message header carrying a level-one authority identifier is generated and sent; when the authority level is the monitoring authority, a message header carrying a level-two authority identifier is generated and sent; when the authority level is the management authority, a message header carrying a level-three authority identifier is generated and sent; when the authority level is the standard authority, a message header carrying a level-four authority identifier is generated and sent.

Optionally, a user with the basic authority can access the switch application on the server side; a user with the monitoring authority can, in addition to accessing the switch application on the server side, use the monitoring function to monitor the switch; a user with the standard authority can, in addition to accessing the switch application and using the monitoring function, use most of the switch applications to configure the switch; a user with the management authority has, in addition to all of the above, the authority to perform system-wide management of the switch.

Note that fine-grained authority control means controlling the specific functions, operations or data of the switch application during the allocation of user authorities, so as to meet the specific authority requirements of different users and provide more detailed authority management. That is, a user with the management authority can refine authorities to a smaller granularity according to actual needs and thus manage authorities flexibly. This form of control improves the security of the server side and prevents unauthorized users from accessing sensitive data or performing operations they should not perform.

Because a user with the management authority can set the authorities of other users, user authorities can be adjusted according to the requirements of the product and of the user management scheme. This enables authority management of the switch's users, so that only users whose authority level meets the requirement can use the switch application.

Step S500: when the access-permitted information returned by the switch application on the basis of the message header is received, access the switch application.

In this embodiment, after the server side sends the message header carrying the authority identifier to the switch application, it waits for the information returned by the switch application; if the returned information is access-permitted information, the switch application can be accessed. The server side then sends the data obtained during the access to the client so that the client can operate the switch application.

As an example, suppose the user login information received by the server side is the user name aaa and the user password bbb. The server side then looks up the corresponding local user data in the user management table according to the received user login information. It then generates the access string XY1Z23 from the local user data and sends that access string to the client through the switch.

After the server side receives the access string XY1Z23 sent by the client, it performs expiration verification on the access string. Assuming the access string is valid, the server side finds that the user authority level in the local user data corresponding to the access string XY1Z23 is the standard authority, and then generates and sends a message header carrying a level-four authority identifier to the switch application.

Assuming the server side receives the access-permitted information returned by the switch application, it accesses the switch application according to that access-permitted information.

In the technical solution provided by this embodiment, the corresponding local user data is called according to the user login information, which ensures that the identity of the logged-in user is verified accurately. An access string corresponding to the local user data is generated and sent to the client; because the access string contains the user information, access to the switch application can be requested from the server side directly with the access string, and because the user name and user password need not be used for access, the security of the local user data is ensured. After the access string sent by the client is received, the local user data corresponding to the access string is called, and a message header carrying an authority identifier is generated and sent to the switch application, so that the switch application can verify whether the user has the authority to use the function of the switch application, thereby achieving fine-grained authority control. When the access-permitted information returned by the switch application on the basis of the message header is received, the switch application is accessed, so that only users whose authority level meets the requirement can use the switch application, thereby managing and controlling user access. Thus, by verifying and controlling access authority through the user login information, the local user data, the access string and the message header, fine-grained authority control and authority management of the switch's users are achieved.

Referring to FIG. 3, on the basis of the above embodiment, in a second embodiment, after the step of accessing the switch application when the access-permitted information returned by the switch application on the basis of the message header is received, the method further includes:

Step S600: refresh the access time in the session record of the access string.

In this embodiment, when the server side accesses the switch application, it refreshes the access time in the session record corresponding to the access string, so as to extend the valid duration of the access string. The session record may include the user name, the access string, the access time, the valid duration, the user IP, the user authority level, the online status, and so on. Note that the session record can be accessed only by switch applications that possess the relevant encryption library; because external applications have no access authority, the session record is accessible only locally and is not published externally, which ensures the security of the local user data.

In the technical solution provided by this embodiment, refreshing the access time extends the valid duration of the access string and avoids the situation in which the access string expires after the client has been offline only briefly.

Further, before the step of refreshing the access time in the session record of the access string, the method further includes:

determining whether the access string carries a scheduled-task identifier;

when the access string carries a scheduled-task identifier, not executing the step of refreshing the access time in the session record of the access string.

In this embodiment, scheduled (timer) data and the data of the user's active accesses are kept separate, in order to distinguish user accesses from timer accesses. Therefore, before the access time in the session record is refreshed, it is first determined whether the access string carries a scheduled-task identifier; if it does, the step of refreshing the access time in the session record of the access string is not executed.

In the technical solution adopted in this embodiment, determining whether the access string carries a scheduled-task identifier establishes whether the access operation is a user access or a timer access, which ensures that the user's offline time is calculated accurately.

Referring to FIG. 4, on the basis of the above embodiments, in a third embodiment the access authority management method is applied to the switch application and includes the following steps:

Step S700: when a message header sent by the server side is received, read the authority identifier carried in the message header and determine, according to the authority identifier, the authority level corresponding to it;

Step S800: verify whether the authority level is greater than or equal to the local authority level;

Step S810: if so, generate and send access-permitted information to the server side;

Step S820: if not, generate and send access-denied information to the server side.

In this embodiment, after receiving the message header sent by the server side, the switch application reads the message header to obtain the authority identifier it carries and then determines the user's authority level from the authority identifier. The authority identifier may be a level-one, level-two, level-three or level-four authority identifier; correspondingly, the authority level may be the basic, monitoring, management or standard authority.

After the user's authority level has been determined, it is verified whether that authority level is greater than or equal to the local authority level; if so, access-permitted information is generated and sent to the server side; if not, access-denied information is generated and sent to the server side. The access-permitted information informs the server side that the client is allowed to access the switch application; the access-denied information informs the server side that the client that sent the access string has no authority to access the switch application.

In the technical solution provided by this embodiment, the switch application verifies the authority identifier carried in the message header to determine whether the client requesting access is authorized to access the switch application. This achieves management of user authorities, so that only users whose authority level meets the requirement can use the switch application, ensuring the security of the switch application's data.
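The server-side flow of steps S300 to S600 (expiry verification, authority header, session refresh that skips timer accesses) and the switch-side check of steps S700 to S820, modelled together in one added Python example. This code was written for this page and is not the patent's or the assignee's implementation; the class names `AccessServer` and `SwitchApp`, the header field name `X-Authority-Id`, the injected clock, the constructed user table and the rank mapping are all assumptions. One point it makes explicit: the text numbers the identifiers basic = 1, monitoring = 2, management = 3, standard = 4 but orders the privileges basic < monitoring < standard < management, so the step S800 comparison has to be made on the authority level, not on the raw identifier number; the example maps identifier to rank before comparing, and fails closed on an unknown identifier.

```python
"""Added example: model of steps S300-S820 of the access-string flow.
Written for this page, not the patent's or the assignee's code; all names,
the header field, the clock injection and the rank mapping are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Authority identifiers carried in the message header, numbered as in the text.
IDENTIFIER = {"basic": 1, "monitoring": 2, "management": 3, "standard": 4}

# The text orders privileges basic < monitoring < standard < management, yet
# management carries identifier 3 and standard identifier 4. A raw ">=" on the
# identifier would rank standard above management, so ranks are made explicit.
RANK_BY_IDENTIFIER = {1: 0, 2: 1, 4: 2, 3: 3}   # assumed ranks from the text's ordering


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table using the page's sample credentials aaa / bbb.
_SALT = b"constructed-salt"
USERS = {"aaa": {"salt": _SALT, "hash": _hash_password("bbb", _SALT),
                 "authority": "standard"}}


@dataclass
class SessionRecord:
    """Subset of the session record fields listed under step S600."""
    username: str
    last_access: float
    valid_duration: float
    authority: str


class AccessServer:
    """Server side: issues access strings and mediates access to the switch app."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.sessions = {}          # access string -> SessionRecord
        self.now = now              # injectable clock so expiry can be tested

    def login(self, username, password, valid_duration=600.0):
        """Steps S100-S200: verify credentials, issue an unguessable access string."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(
                user["hash"], _hash_password(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = SessionRecord(username, self.now(),
                                             valid_duration, user["authority"])
        return token

    def verify_expiry(self, token):
        """Step S300 expiry check; an expired record is deleted so it cannot resolve again."""
        record = self.sessions.get(token)
        if record is None:
            return False
        if self.now() - record.last_access >= record.valid_duration:
            del self.sessions[token]
            return False
        return True

    def build_header(self, token):
        """Step S400: message header carrying the authority identifier."""
        return {"X-Authority-Id": IDENTIFIER[self.sessions[token].authority]}

    def access(self, token, switch_app, timed_task=False):
        """Steps S300-S600 end to end; returns (granted, reason)."""
        if not self.verify_expiry(token):
            return False, "access string expired"
        if not switch_app.check(self.build_header(token)):
            return False, "access denied by switch application"
        if not timed_task:          # S600: timer-driven access must not extend the session
            self.sessions[token].last_access = self.now()
        return True, "access permitted"


class SwitchApp:
    """Switch application side: steps S700-S820."""

    def __init__(self, local_authority):
        self.local_rank = RANK_BY_IDENTIFIER[IDENTIFIER[local_authority]]

    def check(self, header):
        rank = RANK_BY_IDENTIFIER.get(header.get("X-Authority-Id"))
        return rank is not None and rank >= self.local_rank   # unknown id: fail closed


def demo():
    """Walk the flow on a fake clock; returns observations a test can check."""
    clock = [1000.0]
    server = AccessServer(USERS, now=lambda: clock[0])
    monitor_app = SwitchApp("monitoring")
    token = server.login("aaa", "bbb", valid_duration=60.0)
    out = {"wrong_password": server.login("aaa", "ccc")}
    out["first_access"] = server.access(token, monitor_app)
    clock[0] += 30.0
    out["timer_access"] = server.access(token, monitor_app, timed_task=True)
    clock[0] += 30.0                # 60 s since the last user access: expired
    out["after_expiry"] = server.access(token, monitor_app)
    out["record_deleted"] = token not in server.sessions
    out["management_app_rejects_standard"] = SwitchApp("management").check({"X-Authority-Id": 4})
    return out
```

`demo()` shows the two behaviours the text singles out: the timer access at 30 s is granted but does not refresh the session, so the user access at 60 s finds the offline duration equal to the valid duration and the record is deleted; and a management-level switch application rejects a level-four (standard) header even though 4 is numerically larger than 3.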

In addition, a person of ordinary skill in the art will understand that all or part of the flow in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The computer program includes program instructions and can be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the access authority management device to implement the flow steps of the above method embodiments.

Accordingly, the present invention further provides a computer-readable storage medium that stores an access authority management program; when the access authority management program is executed by a processor, the steps of the access authority management method described in the above embodiments are implemented.

The computer-readable storage medium may be any computer-readable storage medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk or an optical disc.

Note that, since the storage medium provided by the embodiments of this application is the storage medium used to implement the method of these embodiments, a person skilled in the art can, on the basis of the method described in these embodiments, understand the specific structure and variations of that storage medium, so they are not described again here. Any storage medium used by the method of the embodiments of this application falls within the scope that this application intends to protect.

Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

It should be noted that, in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.

Although preferred embodiments of the present invention have been described, those skilled in the art, once they have grasped the basic inventive concept, can make further changes and modifications to these embodiments. Accordingly, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass them.

Claims (6)

When the server side judges that the access character string is valid, local user data corresponding to the access character string is called according to the access character string, when the authority level of the local user data is a basic authority, a message header carrying a primary authority identification is generated and sent to the switch application program, the basic authority allows the switch application program to be accessed, when the authority level of the local user data is a monitoring authority, a message header carrying a secondary authority identification is generated and sent to the switch application program, the monitoring authority allows the switch application program to be accessed, and the switch is monitored, when the authority level of the local user data is a management authority, a message header carrying a tertiary authority identification is generated and sent to the switch application program, the management authority has the monitoring authority and allows the switch to be subjected to systematic management, and the systematic management comprises setting of authorities of other users;

Priority Applications (2)

CN202311631437.0A (CN117319096B, en), priority date 2023-12-01, filing date 2023-12-01: Access right management method, access right management device, and readable storage medium
PCT/CN2024/084516 (WO2025112250A1, en), priority date 2023-12-01, filing date 2024-03-28: Access permission management method, access permission management device and readable storage medium

Applications Claiming Priority (1)

CN202311631437.0A (CN117319096B, en), priority date 2023-12-01, filing date 2023-12-01: Access right management method, access right management device, and readable storage medium

Publications (2)

CN117319096A (en), published 2023-12-29
CN117319096B (en), published 2024-04-23

Also Published As

CN117319096A (en), published 2023-12-29
WO2025112250A1 (en), published 2025-06-05
