
CN109286620B - User right management method, system, device and computer readable storage medium - Google Patents


Info

Publication number: CN109286620B
Authority: CN (China)
Prior art keywords: user, authority, request, user request, reverse proxy
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811117023.5A
Other languages: Chinese (zh)
Other versions: CN109286620A
Inventor: 罗厚付
Current Assignee: Ping An Technology Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ping An Technology Shenzhen Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201811117023.5A
Publication of CN109286620A
Application granted
Publication of CN109286620B
Legal status: Active; anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838: Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L63/0884: Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/56: Provisioning of proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to the field of information security technologies, and in particular to a method, a system, a device and a computer-readable storage medium for managing user rights. The method comprises the following steps: for each application of one or more applications, intercepting, by a reverse proxy platform, a user request of a user for the application; authenticating, by an authentication center, the user authority of the user according to the user request; and feeding back the user request through the reverse proxy platform according to the authentication result of the user authority. Through the embodiments of the present disclosure, centralized management of user permissions can be realized for a plurality of applications, management is facilitated, security risks are reduced, and data security management and system construction are facilitated.

Description

User right management method, system, device and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, a system, an apparatus, a computing device, and a computer-readable storage medium for managing user rights.
Background
Generally, multiple applications may access a system or an application platform, and each of those applications may have its own rights management system, so that the management manners are various.
The inventor of the present application has realized that different rights management manners for multiple applications in a system or application platform may result in security risks, and thus there is a need for centralized management of user rights across the applications.
Disclosure of Invention
To solve one or more of the above problems, embodiments of the present invention provide a user right management method, system, apparatus, computing device and computer-readable storage medium.
According to a first aspect of the present application, there is provided a user right management method, comprising:
for each application of one or more applications, intercepting, by a reverse proxy platform, a user request of a user for the application;
authenticating, by an authentication center, the user authority of the user according to the user request; and
feeding back the user request through the reverse proxy platform according to the authentication result of the user authority.
According to an exemplary embodiment, authenticating, by the authentication center, the user authority of the user according to the user request includes:
generating an authority number corresponding to the user request according to the user request;
querying whether the authority number is an authority number that the user has; and
when the authority number is an authority number that the user has, determining that the user has the user authority that satisfies the user request.
According to an exemplary embodiment, before querying whether the authority number is an authority number that the user has, the user right management method further includes:
acquiring Token information from the user request; and
obtaining the user name of the user according to the Token information.
According to an exemplary embodiment, feeding back the user request through the reverse proxy platform according to the authentication result of the user authority includes any one of the following:
when it is determined that the user has the user authority that satisfies the user request, connecting the user to the application through a reverse proxy by the reverse proxy platform; and
when the user does not have the user authority that satisfies the user request, returning a no-authority prompt to the user through the reverse proxy platform and/or redirecting the user to a login page.
According to an exemplary embodiment, the authority number includes one or more of: an application number of the requested application, and a menu number and a role number to which the user request relates.
According to an exemplary embodiment, in a case where the authority number is an authority number that the user has, determining that the user has the user authority that satisfies the user request includes:
when the authority number is an authority number that the user has, performing two-factor authentication according to the user name of the user and a real-time one-time password; and
when the two-factor authentication is passed, determining that the user has the user authority that satisfies the user request.
According to an exemplary embodiment, in the case that the user request is a login request, authenticating, by the authentication center, the user authority of the user according to the user request includes:
verifying the user account and the password in the login request.
According to an exemplary embodiment, feeding back the user request through the reverse proxy platform according to the authentication result of the user authority includes any one of the following:
when the user account and the password are verified, returning a login success prompt to the user through the reverse proxy platform; and
when the user account and the password are not verified, returning a user login failure prompt to the user through the reverse proxy platform.
According to a second aspect of the present application, there is provided a user right management system for one or more applications, the user right management system comprising a reverse proxy platform and an authentication center, wherein:
the reverse proxy platform is configured to:
intercept a user request of a user for each of the one or more applications; and
feed back the user request according to the authentication result of the user authority returned by the authentication center;
and the authentication center is configured to:
authenticate the user authority of the user according to the user request, and return the authentication result of the user authority to the reverse proxy platform.
According to a third aspect of the present application, there is provided a user right management apparatus, comprising:
an intercept module configured to: for each application of one or more applications, intercept, by a reverse proxy, a user request of a user for the application;
an authentication module configured to: authenticate the user authority of the user according to the user request; and
a feedback module configured to: feed back the user request through the reverse proxy according to the authentication result of the user authority.
According to an exemplary embodiment, the authentication module comprises:
an authority number generation unit configured to: generate an authority number corresponding to the user request according to the user request;
a query unit configured to: query whether the authority number is an authority number that the user has; and
a determination unit configured to: when the authority number is an authority number that the user has, determine that the user has the user authority that satisfies the user request.
According to an exemplary embodiment, the user right management apparatus further includes:
a username acquisition module configured to: acquire Token information from the user request, and obtain the user name of the user according to the Token information.
According to an exemplary embodiment, the feedback module comprises:
a connection unit configured to: connect the user to the application through the reverse proxy when it is determined that the user has the user authority that satisfies the user request; and
a failure feedback unit configured to: when the user does not have the user authority that satisfies the user request, return a no-authority prompt to the user through the reverse proxy and/or redirect the user to a login page.
According to an exemplary embodiment, the authentication module comprises:
a login authentication unit configured to: when the user request is a login request, verify the user account and the password in the login request.
According to an exemplary embodiment, the feedback module comprises:
a login success unit configured to: when the user account and the password are verified, return a login success prompt to the user through the reverse proxy; and
a login failure unit configured to: when the user account and the password are not verified, return a user login failure prompt to the user through the reverse proxy.
According to a fourth aspect of the present application, there is provided a computing device comprising a memory and a processor, the memory having stored therein computer-readable instructions which, when executed by the processor, cause the computing device to perform any of the method embodiments as described above.
According to a fifth aspect of the present application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by one or more processors, implements any of the method embodiments as described above.
The technical solutions provided by the embodiments of the application can have the following beneficial effect:
through the embodiments of the present application described above and below, centralized management of the user permissions of multiple applications in a system can be achieved, and security risks are reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
FIG. 1 is a simplified schematic illustration of an exemplary environment in which the present application is directed, according to an illustrative embodiment.
Fig. 2 is a schematic flow chart diagram illustrating a user rights management method according to an exemplary embodiment of the present application.
Fig. 3 is a schematic flowchart illustrating a specific implementation manner of step S220 in the user right management method according to an exemplary embodiment of the present application.
Fig. 4 is a schematic flowchart illustrating steps before step S330 in the user right management method according to the corresponding embodiment of fig. 3.
Fig. 5 is a schematic block diagram of a user right management apparatus according to an exemplary embodiment of the present application.
FIG. 6 is a schematic block diagram of a computing device shown in accordance with an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, exemplary embodiments of the present invention are described in further detail below with reference to the accompanying drawings and embodiments. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
FIG. 1 is a simplified schematic illustration of an exemplary environment in which the present application is directed, according to an illustrative embodiment. As shown in fig. 1, the user right management system of the embodiment of the present application may include a reverse proxy platform 110 and an authentication center 120, which are shared by one or more applications (application 1, application 2, and application 3 are examples in fig. 1) in a system or an application platform. The user rights of the one or more applications are centrally managed collectively by the reverse proxy platform 110 and the authentication center 120. A user may access an application through a client (e.g., a browser or APP on the client) and send a user request to the application. The reverse proxy platform 110 intercepts the user request of the user for each application, the authentication center 120 performs unified authentication and returns the authentication result to the reverse proxy platform 110, and the reverse proxy platform 110 feeds back the user request according to the authentication result. In this way, all the applications are reverse-proxied by the reverse proxy platform 110 without allowing direct access to them, so that centralized right management by the reverse proxy platform 110 and the authentication center 120 is realized, centralized management of user rights of multiple applications in the system can be realized, and security risk is reduced. FIG. 1 and the preceding description are merely exemplary embodiments of an implementation environment to which the present application relates, and it should be appreciated that a variety of variations exist for an implementation environment suitable for use with the present application.
Fig. 2 is a schematic flow chart illustrating a user rights management method according to an exemplary embodiment of the present application. As shown in the exemplary embodiment of fig. 2, the method may include the following steps:
S210: for each application of the one or more applications, intercepting a user request of a user for the application through the reverse proxy platform.
For centralized rights management, all user requests are intercepted uniformly by a common reverse proxy platform. In one embodiment, the reverse proxy platform is an OpenResty Web platform implemented with Nginx + Lua. Nginx divides the session between the user and the requested application into a number of processing phases, one of which is `access_by_lua` and another of which is `content_by_lua`. In one embodiment, the reverse proxy platform intercepts the request during the `access_by_lua` phase. In another embodiment, the reverse proxy platform intercepts it during the `content_by_lua` phase.
S220: the authentication center authenticates the user authority of the user according to the user request.
To carry out a user request, the user is required to have the user authority corresponding to that request, so the user authority must be authenticated. In the prior art, each application has its own authentication module and rights management means. In the embodiments of the application, the user requests of all applications are authenticated uniformly by a shared authentication center, and the authentication result is returned to the reverse proxy platform.
S230: feeding back the user request through the reverse proxy platform according to the authentication result of the user authority.
After receiving the authentication result, the reverse proxy platform feeds back the user request according to that result: for example, when the user has the user authority corresponding to the user request, the user is connected to the requested application through the reverse proxy, and when the user does not have that authority, an error prompt is returned to the user, and so on.
Fig. 3 is a schematic flowchart illustrating a specific implementation of step S220 in the user right management method according to an exemplary embodiment of the present application. As shown in fig. 3, step S220 may include the following steps:
S310: generating an authority number corresponding to the user request according to the user request.
In one example, the user request results from the user clicking, for example, a menu option on the user interface of an application, and this information is carried in the user request. The application number, menu numbers and role numbers (e.g., an administrator role, a general user role, etc.) of each application are pre-stored in the authentication center. The authentication center looks up the application number, menu number and role number corresponding to the user request and generates the authority number for the request from them. In one example, the authority number includes the application number of the requested application, and the menu number and the role number to which the user request relates, or a combination thereof.
In another example, when the user clicks a menu option on the user interface of an application, the user request generated by the application may itself carry the application number of the requested application and the menu number and role number related to the request, and the authentication center may generate the authority number directly from that information. Alternatively, the application may include the authority number corresponding to the user request when it generates the request, so that the authentication center does not need to generate it.
In yet another example, the authority number is generated not by the authentication center but by the reverse proxy platform, which sends it to the authentication center.
S320: querying whether the authority number is an authority number that the user has.
In one example, a list of the authority numbers each user has is maintained at the authentication center, in the same form as described above for step S310. The authority number list of the user who sent the user request is queried to see whether the authority number corresponding to the request is in that list, which decides whether the authority number corresponding to the request is one the user has.
In another example, a list of user names is maintained at the authentication center for each authority number, the authority numbers again having the form described for step S310. The user name list of the authority number corresponding to the user request is queried to see whether the user name of the requesting user is in it, which likewise decides whether the authority number corresponding to the request is one the user has.
In an embodiment, before determining whether the authority number is the authority number that the user has, the method may further include a step of obtaining a user name of the user that sent the user request, so as to obtain an authority number list of the user according to the user name, thereby querying whether the authority number generated according to the user request is in the authority number list of the user. The manner of obtaining the user name of the user may be various, for example, the user name of the user may be directly included in the user request so as to be obtained by the authentication center, or may be obtained from other information, such as Token information, and the like. Fig. 4 shows a schematic flow diagram for obtaining a username according to an example embodiment. As shown in fig. 4, the process includes the steps of:
s410, acquiring Token information from the user request;
and S420, obtaining the user name of the user according to the Token information.
In one example, step S420 includes a step of decrypting Token information, and then obtaining a user name from the decrypted Token information.
In one example, the above steps S410 and S420 are performed by the reverse proxy platform and provide the username to the authentication center. In another example, the above steps S410 and S420 are performed by an authentication center.
The description now returns to step S330 of fig. 3:
S330: when the authority number is an authority number that the user has, determining that the user has the user authority that satisfies the user request.
If the authority number corresponding to the user request is in the authority number list of the user, the user has the user authority that satisfies the request; otherwise the user does not have that authority.
In one embodiment, step S330 further introduces two-factor authentication: when the authority number is an authority number that the user has, two-factor authentication is additionally performed according to the user name and a real-time one-time password, and only when the two-factor authentication is passed is it determined that the user has the user authority that satisfies the user request.
The two-factor authentication is a system based on time synchronization technology: a one-time password generated from three variables, time, event and key, replaces the traditional static password. Each dynamic password card has a unique key, which is also stored at the server side; on every authentication the card and the server compute the dynamic password from the same key, the same random parameters (time and event) and the same algorithm, so the two passwords agree and the user is authenticated. Because the random parameters differ for every authentication, the dynamic password generated for each authentication also differs. The randomness of the parameters in every computation makes each password unpredictable, so the security of the system is ensured at the most basic link, password authentication. This avoids the serious losses caused by password fraud, guards against malicious intruders or deliberate damage, and addresses intrusions caused by password disclosure. In the above example, when the authority number is one that the user has, the user is additionally required to enter a password received by other means (such as a mobile phone, a U Key, or the like); if the correct password is entered within the prescribed time, the two-factor authentication is considered passed, otherwise it is considered failed.
When it is determined that the user has the user authority that satisfies the user request, step S230 may include: connecting the user to the application through a reverse proxy by the reverse proxy platform.
When it is determined that the user does not have the user authority that satisfies the user request, step S230 may include: returning a no-authority prompt to the user and/or redirecting the user to a login page through the reverse proxy platform.
In the embodiments described above, the user request is a general access request; a login request is a specific kind of user request. When the user request is a login request, step S220 includes: the authentication center verifies the user account and the password in the login request. When the user account and password are verified, step S230 may include: returning a login success prompt to the user through the reverse proxy platform. When the user account and the password are not verified, step S230 may include: returning a user login failure prompt to the user through the reverse proxy platform.
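The following is an added example, not code from the patent or from Ping An, of the authentication-center decision behind steps S310 to S330 together with the Token-derived user name of steps S410 and S420. The `app:menu:role` layout of the authority number, the HMAC-signed Token format (the page speaks of decrypting the Token; a signed Token is used here as a stand-in), the signing key and the sample user data are all assumptions made for this example. In the OpenResty deployment the page describes, a handler in the interception phase would call `authenticate` and act on its result.

```python
import base64
import binascii
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumption: server-side key with which the authentication centre signs Tokens.
TOKEN_KEY = b"example-token-signing-key"


def make_authority_number(app_no: str, menu_no: str, role_no: str) -> str:
    """Step S310: combine the three parts the page names into one authority number.
    The 'app:menu:role' layout is an assumption made for this example."""
    return f"{app_no}:{menu_no}:{role_no}"


def issue_token(username: str, expires_at: int) -> str:
    """Constructed Token: urlsafe-base64(username|expiry) + '.' + HMAC-SHA256 tag."""
    payload = f"{username}|{expires_at}".encode()
    tag = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def username_from_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Steps S410/S420 stand-in: check the tag and the expiry, return the user name or None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None                       # malformed Token: no user name can be trusted
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                       # tampered or forged Token
    username, _, expiry = payload.decode(errors="replace").partition("|")
    if not username or not expiry.isdigit() or int(expiry) < now:
        return None                       # expired Token
    return username


# Constructed data: the authority-number list pre-stored for each user (step S320).
USER_AUTHORITIES: Dict[str, Set[str]] = {
    "alice": {"app1:orders:admin", "app1:reports:admin", "app2:home:user"},
    "bob": {"app1:orders:user"},
}


@dataclass
class UserRequest:
    """Constructed shape of an intercepted request: Token plus the numbers the page lists."""
    token: str
    app_no: str
    menu_no: str
    role_no: str


def authenticate(request: UserRequest,
                 authorities: Dict[str, Set[str]] = USER_AUTHORITIES,
                 now: Optional[int] = None) -> Tuple[bool, str, Optional[str]]:
    """Authentication-centre result returned to the reverse proxy: (granted, reason, username)."""
    username = username_from_token(request.token, now)            # S410/S420
    if username is None:
        return False, "invalid_token", None
    number = make_authority_number(request.app_no, request.menu_no, request.role_no)  # S310
    if number in authorities.get(username, set()):                # S320: in the user's list?
        return True, "authorized", username                       # S330
    return False, "no_authority", username


if __name__ == "__main__":
    tok = issue_token("alice", int(time.time()) + 3600)
    print(authenticate(UserRequest(tok, "app1", "orders", "admin")))
    print(authenticate(UserRequest(tok, "app1", "reports", "user")))
```

The Token check fails closed: a malformed, forged or expired Token yields no user name at all, so the authority lookup never runs against a guessed identity, and the lookup itself is a set membership test on the user's pre-stored list rather than on anything carried in the request.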
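The time-synchronized one-time password described above, as an added example that is not part of the patent: an RFC 6238 TOTP generator and a server-side verifier for the second factor of step S330. The verifier enforces the "entered within the prescribed time" rule through a small acceptance window of time steps and refuses a code whose time step has already been accepted, so a captured code cannot be replayed. The 30-second step, six digits, the one-step window and the per-user secrets are assumptions for this example; the secret `12345678901234567890` is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30    # assumption: length of one time step
DIGITS = 6           # assumption: password length


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the time step containing `at`."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server side of the check: the same key, time and algorithm as the user's password card."""

    def __init__(self, secrets: Dict[str, bytes], window: int = 1):
        self._secrets = secrets        # username -> shared key stored at the server side
        self._window = window          # accept +/- this many steps of clock drift
        self._last_counter: Dict[str, int] = {}   # username -> last accepted step (replay guard)

    def verify(self, username: str, code: str, now: Optional[int] = None) -> bool:
        secret = self._secrets.get(username)
        if secret is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for counter in range(current - self._window, current + self._window + 1):
            if counter <= self._last_counter.get(username, -1):
                continue               # step already used, or older than one already used
            expected = totp(secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter[username] = counter
                return True
        return False                   # wrong code, or correct code outside the prescribed time


if __name__ == "__main__":
    key = b"12345678901234567890"      # RFC 6238 test-vector key, constructed demo user
    verifier = SecondFactorVerifier({"alice": key})
    now = int(time.time())
    code = totp(key, now)
    print("first use:", verifier.verify("alice", code, now))
    print("replay:   ", verifier.verify("alice", code, now))
```

Keeping the last accepted step per user is what turns "one-time" from a property of the generator into a property the server actually enforces; without it, any code remains valid for the whole acceptance window.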
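As an added example (not the patent's own code), the reverse proxy platform's feedback step S230 and the login branch of step S220 described just above: a password verifier for login requests and a function that maps each authentication-center result onto what the proxy returns (proxied connection, no-authority prompt, redirect to the login page, login success or failure). The `/login` path, the PBKDF2 parameters, the response shape and the sample account are assumptions; the `authorize` callback stands in for the authority-number check, which is not repeated here.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000    # assumption
LOGIN_PAGE = "/login"      # assumption: where the platform redirects unauthenticated users

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage at the authentication centre."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_login(accounts: Dict[str, Tuple[bytes, bytes]], account: str, password: str) -> bool:
    """Login branch of step S220: verify the account and password carried in the login request."""
    record = accounts.get(account)
    if record is None:
        hash_password(password, b"\x00" * 16)   # spend the same effort for unknown accounts
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def feedback(result: str, upstream: str) -> Response:
    """Step S230: map the authentication centre's result onto what the proxy sends back."""
    if result == "authorized":        # connect the user to the application via the reverse proxy
        return 200, {"X-Upstream": upstream}, "proxied to application"
    if result == "login_ok":
        return 200, {}, "login successful"
    if result == "login_failed":
        return 401, {}, "user login failed"
    if result == "invalid_token":     # no usable session: redirect to the login page
        return 302, {"Location": LOGIN_PAGE}, ""
    return 403, {}, "no authority"    # authority number not in the user's list


def handle(request: Dict[str, str],
           accounts: Dict[str, Tuple[bytes, bytes]],
           authorize: Callable[[Dict[str, str]], str]) -> Response:
    """Reverse-proxy platform entry point: login requests go to verify_login; every other
    request goes to the authorize() callback, which returns the authentication-centre result."""
    if request.get("path") == LOGIN_PAGE:
        ok = verify_login(accounts, request.get("account", ""), request.get("password", ""))
        return feedback("login_ok" if ok else "login_failed", "")
    return feedback(authorize(request), request.get("upstream", ""))


if __name__ == "__main__":
    demo_accounts = {"alice": hash_password("correct horse battery")}   # constructed account
    print(handle({"path": "/login", "account": "alice", "password": "correct horse battery"},
                 demo_accounts, lambda r: "no_authority"))
    print(handle({"path": "/app1/orders", "upstream": "http://app1.internal"},
                 demo_accounts, lambda r: "authorized"))
```

Every result other than an explicit "authorized" or "login_ok" ends in a denial, so an unexpected value from the authentication center cannot let a request through to an application.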
Fig. 5 is a schematic block diagram of a user right management apparatus according to an exemplary embodiment of the present application. The apparatus 501 is used to perform the embodiments of the user right management method described above and implements the functions of both the reverse proxy platform and the authentication center described above. As shown in fig. 5, an example user right management apparatus 501 includes:
an intercept module 510 configured to: for each application of the one or more applications, intercept, by a reverse proxy, a user request of a user for the application;
an authentication module 520 configured to: authenticate the user authority of the user according to the user request; and
a feedback module 530 configured to: feed back the user request through the reverse proxy according to the authentication result of the user authority.
According to the embodiment shown in fig. 5, the authentication module 520 further comprises:
an authority number generation unit 521 configured to: generate the authority number required by the user request according to the user request;
a query unit 522 configured to: query whether the authority number is an authority number that the user has; and
a determination unit 523 configured to: when the authority number is an authority number that the user has, determine that the user has the user authority that satisfies the user request.
According to the embodiment shown in fig. 5, the apparatus further comprises:
a username acquisition module 540 configured to: acquire Token information from the user request, and obtain the user name of the user according to the Token information.
According to the embodiment shown in fig. 5, the feedback module 530 further comprises:
a connection unit 531 configured to: connect the user to the application through the reverse proxy when it is determined that the user has the user authority that satisfies the user request; and
a failure feedback unit 532 configured to: when the user does not have the user authority that satisfies the user request, return a no-authority prompt to the user through the reverse proxy and/or redirect the user to a login page.
According to the embodiment shown in fig. 5, the authentication module 520 further comprises:
a login authentication unit 524 configured to: when the user request is a login request, verify the user account and the password in the login request.
According to the embodiment shown in fig. 5, the feedback module 530 further comprises:
a login success unit 533 configured to: when the user account and the password are verified, return a login success prompt to the user through the reverse proxy; and
a login failure unit 534 configured to: when the user account and the password are not verified, return a user login failure prompt to the user through the reverse proxy.
For the implementation processes and the relevant details of the functions and actions of each unit/module in the above apparatus, reference is made to the implementation of the corresponding steps in the method embodiments above; they are not repeated here.
The apparatus in the above embodiments may be implemented by hardware, software, firmware or a combination thereof, and may be implemented as a single apparatus, or may be implemented as a logic integration system in which the constituent units/modules are dispersed in one or more computing devices and each perform a corresponding function.
The units/modules constituting the apparatus in the above embodiments are divided according to logical functions, they may be subdivided according to logical functions, for example, the apparatus may be implemented by more or less units/modules. These constituent units/modules may be implemented by hardware, software, firmware or their combination, and they may be separate independent components or may be integrated units/modules combining multiple components to perform corresponding logical functions. The hardware, software, firmware, or combination thereof may include: separate hardware components, functional blocks implemented through programming, functional blocks implemented through programmable logic devices, etc., or a combination thereof.
According to an exemplary embodiment, the apparatus may be realized as a computing device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform any one of the method embodiments described above, or causes the computing device to realize the functions implemented by the constituent units/modules of the user right management apparatus embodiments described above.
The processor described in the above embodiments may be a single processing unit, such as a central processing unit (CPU), or a distributed processor system comprising a plurality of distributed processing units.
The memory described in the above embodiments may include one or more memories, which may be internal memories of the computing device, such as volatile or non-volatile memories of various types, or external storage devices connected to the computing device through a memory interface.
FIG. 6 shows a schematic block diagram of an exemplary embodiment of such a computing device 601. As shown in fig. 6, the computing device 601 may include a processor 610, a communication interface 620, a memory 630 and a bus 640. The memory 630 stores a computer program executable by the processor 610; when executing it, the processor 610 implements the functions of the method and apparatus in the above embodiments. There may be one or more memories 630 and one or more processors 610. The communication interface 620 is used for communication between the processor 610 and external devices.
The processor 610 may be a central processing unit, a general purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, transistor logic, a hardware component, or any combination thereof. It may implement or perform the illustrative process steps, functional units/modules and/or circuits described in connection with the present disclosure. The processor may also be a combination of computing elements, for example one or more microprocessors together with a digital signal processor.
The memory 630 may include volatile memory and/or non-volatile memory, such as non-volatile dynamic random access memory, phase change random access memory, magnetoresistive random access memory, magnetic disk memory, electrically erasable programmable read only memory, flash memory devices, semiconductor devices (e.g., solid state drives), and so forth. The memory 630 may optionally also be an external remote storage device.
The bus 640 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 6, but this is not intended to represent only one bus or type of bus. Alternatively, if the memory 630, the processor 610 and the communication interface 620 are integrated on one chip, the memory 630, the processor 610 and the communication interface 620 can communicate with each other through an internal interface.
The above method and apparatus embodiments may also be implemented in the form of a computer program, stored on a storage medium, and distributed. Thus, according to another aspect of the present disclosure, there is also provided a computer program product stored on a computer-readable storage medium and implementing any of the method and apparatus embodiments described above when executed by a processor. According to yet another aspect of the present disclosure, there is also provided a computer readable storage medium having stored thereon a computer program executable by a processor, the computer program, when executed by the processor, implementing any of the method and apparatus embodiments as described above.
The computer readable storage medium may be any tangible device that can hold and store instructions for use by an instruction execution device. For example, it may be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the storage medium include: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing.
The computer programs/computer instructions described herein may be downloaded to the respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions described in this disclosure may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present invention are implemented by personalizing an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA) or a Programmable Logic Array (PLA), with state information of the computer-readable program instructions, so that the circuit executes those instructions.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. It is well known to those skilled in the art that implementation by hardware, by software, and by a combination of software and hardware are equivalent.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to each other. It will be apparent to those skilled in the art that the above embodiments may be used alone or combined with each other as desired. Because the apparatus embodiment corresponds to the method embodiment, its description is comparatively brief; for the relevant points, refer to the description of the corresponding parts of the method embodiment.
The above embodiments express only several embodiments of the present invention; their description is specific and detailed, but this should not be construed as limiting the scope of the invention. A person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. The protection scope of this patent is therefore defined by the appended claims.

Claims (8)

1. A method for user right management, comprising:
for each application of one or more applications, intercepting, by a reverse proxy platform, a user request made by a user for the application;
identifying, by an authentication center, the user authority of the user according to the user request; and
feeding back the user request through the reverse proxy platform according to the identification result of the user authority;
wherein the authentication center stores, for each user, a list of the authority numbers that user has, and identifying the user authority of the user according to the user request comprises:
generating, according to the user request, an authority number corresponding to the user request;
querying, against the authority number list of the user, whether the authority number is an authority number the user has; and
when the authority number is an authority number the user has, performing two-factor authentication according to the user name of the user and real-time; and determining that the user has the user authority to satisfy the user request when the two-factor authentication passes.
2. The user right management method according to claim 1, wherein, before querying whether the authority number is an authority number the user has, the method further comprises:
acquiring Token information from the user request; and
obtaining the user name of the user according to the Token information.
3. The user right management method according to claim 1, wherein feeding back the user request through the reverse proxy platform according to the identification result of the user authority comprises any one of the following:
connecting, by the reverse proxy platform, the user to the application through a reverse proxy when it is determined that the user has the user authority to satisfy the user request; and
when the user does not have the user authority to satisfy the user request, returning a no-authority prompt to the user through the reverse proxy platform and/or redirecting the user to a login page.
4. The user right management method according to claim 1, wherein the authority number includes one or more of: an application number of the requested application, a menu number and a role number to which the user request relates.
5. A user right management system for one or more applications, the system comprising a reverse proxy platform and an authentication center, wherein:
the reverse proxy platform is configured to: intercept, for each application of the one or more applications, a user request made by a user for the application; and feed back the user request according to the identification result of the user authority returned by the authentication center;
the authentication center is configured to: identify the user authority of the user according to the user request, and return the identification result of the user authority to the reverse proxy platform;
wherein the authentication center stores, for each user, a list of the authority numbers that user has, and identifying the user authority of the user according to the user request comprises:
generating, according to the user request, an authority number corresponding to the user request;
querying, against the authority number list of the user, whether the authority number is an authority number the user has; and
when the authority number is an authority number the user has, performing two-factor authentication according to the user name of the user and real-time; and determining that the user has the user authority to satisfy the user request when the two-factor authentication passes.
6. A user right management apparatus, comprising:
an intercept module configured to: for each application of one or more applications, intercept, by a reverse proxy, a user request made by a user for the application;
an authentication module configured to: identify the user authority of the user according to the user request; and
a feedback module configured to: feed back the user request through the reverse proxy according to the identification result of the user authority;
wherein the authentication center stores, for each user, a list of the authority numbers that user has, and identifying the user authority of the user according to the user request is performed by:
an authority number generation unit configured to: generate, according to the user request, an authority number corresponding to the user request;
a query unit configured to: query, against the authority number list of the user, whether the authority number is an authority number the user has; and
a determination unit configured to: when the authority number is an authority number the user has, perform two-factor authentication according to the user name of the user and real-time; and determine that the user has the user authority to satisfy the user request when the two-factor authentication passes.
7. A computing device comprising a memory and a processor, the memory having stored therein a computer program that, when executed by the processor, causes the computing device to perform the user rights management method of any of claims 1-4.
8. A computer readable storage medium having stored thereon a computer program which, when executed by one or more processors, implements the user rights management method of any of claims 1-4.
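The following is an added example, not code from the patent or its assignee, modelling the flow the claims describe together with the login unit of the description (units 524, 533 and 534): a reverse proxy intercepts the request, an authentication center maps the token to a user name (claim 2), derives an authority number from the application, menu and role the request touches (claim 4), checks it against that user's authority number list, and only then runs a second-factor check before the proxy forwards, denies or redirects to login (claims 1 and 3). Everything concrete is an assumption: the path layout `/<app>/<menu>/...`, the `A01-M02-R03` numbering, the `Authorization` and `X-OTP` headers, RFC 6238 TOTP as the second factor (the claims say only "two-factor authentication"), PBKDF2 for the password check, and all user, route and credential data, which are constructed for the example.

```python
"""Added example (not the patent's code): reverse-proxy interception plus an
authentication center deciding on a per-user list of authority numbers and a
second factor.  All names, data, headers and formats are constructed."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional

# Constructed route table: (app, menu) path segments -> (application number,
# menu number, role number the menu requires).  Claim 4 names these three
# components; the numbering and the path layout are assumptions.
ROUTES = {
    ("crm", "orders"):  ("A01", "M02", "R03"),
    ("crm", "reports"): ("A01", "M05", "R01"),
}

# Constructed authentication-center store: each user's authority-number list
# (claim 1) and a TOTP seed (assumption: the second factor is RFC 6238 TOTP).
USERS = {
    "alice": {"authorities": {"A01-M02-R03"}, "totp_secret": b"12345678901234567890"},
}

# Constructed stores for the login unit: salted PBKDF2 password hashes and
# opaque session tokens mapping to a user name (claim 2).
_SALT = b"constructed-salt"
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
CREDENTIALS = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}
TOKENS = {"tok-alice-1": "alice"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str   # "forward" | "deny" | "redirect_login" | "login_ok" | "login_failed"
    detail: str


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(secret, int(now) // step)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Accept the current step and one step either side for clock skew; compare
    in constant time so a partially correct code does not leak through timing."""
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in (-1, 0, 1))


def authority_number(req: Request) -> Optional[str]:
    """Claims 1 and 4: the authority number a request needs, built from the
    application, menu and required role.  Unknown paths yield None so the
    caller fails closed rather than forwarding an unmapped route."""
    parts = [p for p in req.path.split("/") if p]
    if len(parts) < 2:
        return None
    numbers = ROUTES.get((parts[0], parts[1]))
    return "-".join(numbers) if numbers else None


def login(account: str, password: str) -> Decision:
    """Login unit 524 with the success/failure feedback of units 533/534.  The
    hash is computed even for an unknown account so both failures cost the same."""
    salt, expected = CREDENTIALS.get(account, (_SALT, b"\x00" * 32))
    if not hmac.compare_digest(_pbkdf2(password, salt), expected):
        return Decision("login_failed", "user login failed")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = account
    return Decision("login_ok", token)


def authorize(req: Request, now: float) -> Decision:
    """Authentication-center decision for a request the reverse proxy intercepted
    (claims 1-3).  Assumed layout: token in Authorization, second factor in X-OTP."""
    user = TOKENS.get(req.headers.get("Authorization", ""))
    if user is None:
        return Decision("redirect_login", "no valid token")        # claim 3
    number = authority_number(req)
    if number is None or number not in USERS[user]["authorities"]:
        return Decision("deny", f"no authority for {req.path}")    # claim 3
    if not verify_totp(USERS[user]["totp_secret"], req.headers.get("X-OTP", ""), now):
        return Decision("deny", "second factor rejected")          # claim 1
    return Decision("forward", f"{user} -> {req.path}")


if __name__ == "__main__":
    otp = totp(USERS["alice"]["totp_secret"], 59)
    hdrs = {"Authorization": "tok-alice-1", "X-OTP": otp}
    print(authorize(Request("/crm/orders", hdrs), 59))    # forward
    print(authorize(Request("/crm/reports", hdrs), 59))   # deny: not in alice's list
    print(authorize(Request("/crm/orders"), 59))          # redirect_login: no token
```

Two design points worth noting against the claims: the role number is taken from what the requested menu requires, not from anything the client sends, so a caller cannot upgrade its own authority number; and the second factor is only checked after the authority lookup succeeds, matching the claim ordering, which also means an attacker without a listed authority learns nothing about whether the OTP was right.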
CN201811117023.5A 2018-09-25 2018-09-25 User right management method, system, device and computer readable storage medium Active CN109286620B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811117023.5A CN109286620B (en) 2018-09-25 2018-09-25 User right management method, system, device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109286620A CN109286620A (en) 2019-01-29
CN109286620B true CN109286620B (en) 2022-07-08

Family

ID=65181300

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109617753B (en) * 2019-02-26 2022-03-22 深信服科技股份有限公司 Network platform management method, system, electronic equipment and storage medium
CN110414809B (en) * 2019-07-15 2023-10-31 中国平安人寿保险股份有限公司 Optimization method and device of risk management system and related equipment
CN110929269B (en) * 2019-10-12 2023-08-15 平安证券股份有限公司 System authority management method, device, medium and electronic equipment
CN112818328A (en) * 2021-02-26 2021-05-18 重庆度小满优扬科技有限公司 Multi-system authority management method, device, equipment and storage medium
CN115102766A (en) * 2022-06-24 2022-09-23 中电云数智科技有限公司 User authority verification and access system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064717A (en) * 2006-04-26 2007-10-31 北京华科广通信息技术有限公司 Safety protection system of information system or equipment and its working method
CN103632082A (en) * 2013-12-10 2014-03-12 惠州华阳通用电子有限公司 Universal permission management system and universal permission management method
CN104573478A (en) * 2014-11-20 2015-04-29 深圳市远行科技有限公司 User authority management system of Web application
CN104994102A (en) * 2015-07-08 2015-10-21 浪潮软件股份有限公司 Enterprise information system authentication and access control method based on reverse proxy
CN106612246A (en) * 2015-10-21 2017-05-03 星际空间(天津)科技发展有限公司 Unified authentication method for simulation identity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7886352B2 (en) * 2006-09-22 2011-02-08 Oracle International Corporation Interstitial pages
US9092640B2 (en) * 2010-11-09 2015-07-28 International Business Machines Corporation Access control for server applications


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant