CN115603962A - Data resource access method, gateway and storage medium - Google Patents
- Publication number: CN115603962A (application CN202211197434.6A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101: Access control lists [ACL]
- H04L63/105: Multiple levels of security
Description
Technical Field
The present invention relates to the field of communications, and in particular to a data resource access method, a gateway and a storage medium.
Background
In the prior art, SSL offloading is achieved by moving the SSL (Secure Sockets Layer) encryption and decryption stage of application access onto a dedicated device that provides encryption and decryption capability. While meeting the demand for high concurrent access, this approach reduces the performance load on the back-end server and speeds up website access; in some cases it also lowers the hardware requirements of the back-end server and saves operating cost. A gateway equipped with SSL offloading can act as an SSL proxy for the back-end server: it establishes the SSL connection with the client, communicates with the client over the encrypted channel and with the back-end server in plaintext, so that the whole SSL processing load is taken off the back-end server and none of its hardware resources are consumed.
At present, to quickly meet the needs of connecting the enterprise internally, connecting with ecosystem partners, connecting with consumers, professional collaboration, security management and people-as-a-service, enterprises use mobile office services such as WeCom (enterprise WeChat), government-affairs WeChat and DingTalk. While working in these apps, users need to access other data resource pages frequently. Although existing data resource access methods improve data security during resource access to some extent through gateways that support SSL offloading, there is still room to improve the data security of the access process.
Summary of the Invention
Objects of the present invention include, for example, providing a data resource access method, a gateway and a storage medium that can improve data security during data resource access.
Embodiments of the present invention may be implemented as follows. In a first aspect, the present invention provides a data resource access method applied to a gateway, including: receiving an access request sent by a client and extracting the requesting user information and the access target resource from the access request; redirecting the access request to the client's background server; receiving a target user list returned by the background server, the target user list containing the target user information of users allowed to access the access target resource; and, if the requesting user information is the same as any target user information in the target user list, sending the access target resource to the client.
In a second aspect, the present invention provides a background server that: receives an access request sent by a client and extracts the access target resource from the access request; and returns a target user list according to the access target resource, the target user list containing the target user information of users allowed to access the access target resource.
In a third aspect, the present invention provides a gateway including: a communication module for receiving the access request sent by the client and for receiving the target user list returned by the background server, the target user list containing the target user information of users allowed to access the access target resource; a redirection module for redirecting the access request to the client's background server; and a data processing module for extracting the requesting user information and the access target resource from the access request, and for sending the access target resource to the client when the requesting user information is the same as any target user information in the target user list.
In a fourth aspect, the present invention provides a gateway including at least one processor and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the data resource access method of any of the foregoing embodiments.
In a fifth aspect, the present invention provides a storage medium storing a computer program which, when executed by a processor, implements the data resource access method of any of the foregoing embodiments.
Compared with the prior art, in the data resource access method, background server, gateway and storage medium provided by the embodiments of the present invention, the access request is redirected to the client's background server. The background server stores a large amount of data that clients may access, together with the target users allowed to access that data. After receiving the redirected access request, the background server can use the access target resource extracted from the request (the resource the client wants to access) to obtain the list of target users allowed to access that resource, and return the target user list, with the target user information of each target user in it, to the gateway. After receiving the target user list from the background server, the gateway compares the requesting user information extracted from the access request with the target user information in the list. If the requesting user information is the same as any target user information in the list, the requesting user who sent the current access request is one of the users allowed to access the target resource, and only then is the client connected to the access target resource. This prevents the data from being accessed by users who are not allowed to access it, and so improves data security during data resource access.
In an optional embodiment, before redirecting the access request to the client's background server, the method further includes: determining whether the gateway has stored the requesting user information; if the gateway has stored the requesting user information, sending the access target resource to the client; and if the gateway has not stored the requesting user information, redirecting the access request to the client's background server.
In an optional embodiment, extracting the requesting user information and the access target resource from the access request includes: extracting the client's user cookie and the access target resource from the access request.
In an optional embodiment, after extracting the requesting user information and the access target resource from the access request, the method further includes: creating, from the requesting user information, a user session in one-to-one correspondence with the requesting user information, and setting a user cookie corresponding to the user session.
In an optional embodiment, the method further includes: creating, from each item of target user information, a target session in one-to-one correspondence with that target user information, and setting a target cookie in one-to-one correspondence with each target session; if the user cookie is the same as any target cookie, this indicates that the requesting user information is the same as that target user information in the target user list.
In an optional embodiment, receiving the target user list returned by the background server includes: receiving an interface call credential requirement returned by the background server according to the access target resource, the interface call credential requirement specifying the interface call credential needed to return the target user list; sending the interface call credential to the background server according to the interface call credential requirement; and receiving the target user list returned by the background server.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can derive other related drawings from them without creative effort.
FIG. 1 is a schematic flowchart of the data resource access method provided by Embodiment 1 of the present invention;
FIG. 2 is a schematic flowchart of the data resource access method provided by Embodiment 2 of the present invention;
FIG. 3 is a schematic flowchart of the data resource access method provided by Embodiment 3 of the present invention;
FIG. 4 is a schematic flowchart of the data resource access method provided by Embodiment 4 of the present invention;
FIG. 5 is a schematic structural diagram of the gateway provided by Embodiment 5 of the present invention;
FIG. 6 is a schematic structural diagram of the gateway provided by Embodiment 6 of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. The components of the embodiments of the present invention, as generally described and illustrated in the drawings herein, may be arranged and designed in a variety of different configurations.
Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings.
In the description of the present invention, it should be noted that where terms such as "upper", "lower", "inner" and "outer" indicate an orientation or positional relationship, that relationship is based on the orientation shown in the drawings, or on the orientation in which the product of the invention is usually placed when in use. Such terms are used only to facilitate and simplify the description of the invention and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and they therefore cannot be construed as limiting the present invention.
In addition, terms such as "first" and "second" are used only to distinguish between descriptions and are not to be understood as indicating or implying relative importance.
It should be noted that the features of the embodiments of the present invention may be combined with one another where they do not conflict.
Embodiment 1 of the present invention provides a data resource access method applied to a gateway. The specific steps are shown in FIG. 1 and include the following.
Step S101: receive the access request sent by the client, and extract the requesting user information and the access target resource from the access request.
Specifically, in this step the client may be the client of any social, office or entertainment application. When using the client, the user first logs in through the application's own authentication mechanism; the logged-in client is the client referred to in this step. Once logged in, the user can initiate an access request for an access target resource through the client: after receiving the user's click on the access target resource, the client builds an access request from the access target resource and the user information and sends it to the gateway. On receiving the access request, the gateway deconstructs and processes it and, based on the results, extracts the requesting user information and the access target resource from the request.
Specifically, in this embodiment the requesting user information is stored in the client's user cookie, so extracting the requesting user information from the access request means extracting the client's user cookie from the request. A cookie is a data segment that identifies user information. During data exchange, access requests are stateless: even if the client has already connected to the gateway and logged in successfully once, on the second request the gateway still cannot tell which user the current request belongs to. Cookies exist to solve this problem. After the first login, the gateway returns some data identifying the user (the cookie) to the client, which stores it locally; when that client sends another access request, it automatically carries the stored cookie data in the request to the gateway, and the gateway identifies the current client from the user cookie it carries.
Further, in this step, when the client sends an access request to the gateway for the first time, the access request carries no user cookie, i.e. the gateway fails to extract a user cookie from the request. In that case the complete requesting user information can be extracted directly from the access request, a user session in one-to-one correspondence with the requesting user information is created from it, and a user cookie corresponding to that user session is set.
Step S102: redirect the access request to the client's background server.
Specifically, in this step the access request is redirected to the background server of the client application according to the access target resource extracted from the request in step S101.
Step S103: receive the target user list returned by the background server, the target user list containing the target user information of users allowed to access the access target resource.
The background server stores the various resources that the client may access and, for each resource, a whitelist of the users allowed to access it. For example, for a resource A stored on the background server, the server stores the user information of users A1, A2, A3, A4, A5, A6 and so on who are allowed to access resource A. After receiving the redirected access request, the background server obtains the access target resource contained in the request, determines from it the whitelist of target users allowed to access that resource, assembles the user information of the target users in that whitelist into a target user list, and sends the target user list to the gateway.
After receiving the target user list sent by the background server, the gateway can extract the target user information from it.
Step S104: if the requesting user information is the same as any target user information in the target user list, send the access target resource to the client.
Specifically, in this step the requesting user information extracted from the access request in step S101 is compared with the target user information received from the background server in step S103. If the requesting user information is the same as any target user information in the target user list, the requesting user who sent the access request is a user allowed to access the access target resource, and the access target resource is sent to the client.
Specifically, in this step, after receiving the target user list the gateway may create a session from each item of target user information in the list and set a target cookie in one-to-one correspondence with each target session: the target user information of each target user is used to create a target session corresponding to that user, and a target cookie is set for each target session. The target cookies are then compared with the user cookie extracted in step S101. Because the method by which the gateway sets cookies does not change, a target cookie equal to the user cookie indicates that the target user information behind that target cookie is the same as the requesting user information behind the user cookie. Comparing the user cookie with the target cookies, whose data volume is far smaller than that of the user information, effectively improves the efficiency of verifying the client and thus raises the overall data resource access rate. It should be understood that the foregoing is only an illustration of one specific implementation of this embodiment and does not constitute a limitation; in other embodiments of the present invention other methods may be used, such as comparing each item of target user information one by one with the requesting user information, and the method may be chosen flexibly according to actual needs.
Compared with the prior art, in the data resource access method provided by Embodiment 1 of the present invention, the access request is redirected to the client's background server. The background server stores a large amount of data that clients may access, together with the target users allowed to access that data. After receiving the redirected access request, the background server can use the access target resource extracted from the request (the resource the client wants to access) to obtain the list of target users allowed to access that resource, and return the target user list, with the target user information of each target user in it, to the gateway. After receiving the target user list from the background server, the gateway compares the requesting user information extracted from the access request with the target user information in the list. If the requesting user information is the same as any target user information in the list, the requesting user who sent the current access request is one of the users allowed to access the target resource, and only then is the client connected to the access target resource. This prevents the data from being accessed by users who are not allowed to access it, and so improves data security during data resource access.
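The flow of steps S101 to S104, as an added Python example that is not part of the patent: the gateway derives every cookie from user information with one fixed, keyed method, so the user cookie can be matched against target cookies derived from the list the background server returns, and a cookie cannot be fabricated from another user's identity alone. The gateway secret, the request dictionary layout and the allowlist are constructed for this example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Hypothetical gateway secret, constructed for this example; a real gateway
# would keep it in its key store, never in source.
GATEWAY_SECRET = b"example-gateway-secret"


def make_cookie(user_info: str, secret: bytes = GATEWAY_SECRET) -> str:
    """Derive the cookie the gateway sets for a session created from user_info.

    The patent relies on the gateway setting the user cookie (S101) and every
    target cookie (S104) by the same unchanged method, so equal user info gives
    equal cookies. Keying the derivation with a gateway secret means a client
    that knows another user's identity still cannot compute that user's cookie.
    """
    return hmac.new(secret, user_info.encode("utf-8"), hashlib.sha256).hexdigest()


def extract_request(request: dict) -> Tuple[Optional[str], str]:
    """S101: pull the user cookie and the access target resource from a request.

    `request` is a constructed dict standing in for a parsed HTTP request:
    {"cookies": {...}, "path": "/resource/A", "user_info": "..."}.
    A first-time client carries no cookie; as the description says, the gateway
    then takes the complete user info and creates the session cookie from it.
    """
    cookie = request.get("cookies", {}).get("gw_session")
    if cookie is None and "user_info" in request:
        cookie = make_cookie(request["user_info"])
    return cookie, request["path"]


def is_allowed(user_cookie: Optional[str], target_user_list: Iterable[str]) -> bool:
    """S104: compare the user cookie with a target cookie derived from each
    entry of the target user list returned by the background server.

    compare_digest keeps the comparison constant-time, so timing does not
    reveal how many characters of a cookie matched.
    """
    if user_cookie is None:
        return False
    return any(
        hmac.compare_digest(user_cookie, make_cookie(target))
        for target in target_user_list
    )


# Constructed background-server data: resource -> whitelist of user info (S103).
BACKEND_ALLOWLIST = {
    "/resource/A": ["A1", "A2", "A3", "A4", "A5", "A6"],
    "/resource/B": ["B1"],
}


def handle_request(request: dict) -> Tuple[int, str]:
    """Run S101 to S104 for one request and return (HTTP status, body)."""
    user_cookie, target = extract_request(request)        # S101
    target_user_list = BACKEND_ALLOWLIST.get(target, [])  # S102 + S103
    if is_allowed(user_cookie, target_user_list):         # S104
        return 200, f"contents of {target}"
    return 403, "forbidden"
```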
Embodiment 2 of the present invention provides a data resource access method applied to a gateway. The specific steps are shown in FIG. 2 and include the following.
Step S201: receive the access request sent by the client, and extract the requesting user information and the access target resource from the access request.
Step S202: redirect the access request to the client's background server.
It should be understood that steps S201 to S202 of this embodiment are substantially the same as steps S101 to S102 of Embodiment 1; refer to the detailed description of the foregoing embodiment, which is not repeated here.
Step S203: receive the interface call credential requirement returned by the background server according to the access target resource, the interface call credential requirement specifying the interface call credential needed to return the target user list.
As described in step S103 of Embodiment 1, the background server stores various data resources and the user whitelists allowed to access each resource; in addition, for each user whitelist it stores the interface call credential required to call that whitelist. After receiving the redirected access request, the background server obtains the access target resource contained in the request, determines from it the whitelist of target users allowed to access that resource, then obtains from the target user whitelist the interface call credential required to call it, and sends the resulting interface call credential requirement to the gateway.
Step S204: send the interface call credential to the background server according to the interface call credential requirement.
After receiving the interface call credential requirement sent by the background server, the gateway obtains the interface call credential according to the requirement and sends it to the background server. It should be understood that in this step an interface call credential already stored in the gateway can be retrieved and sent to the background server directly, whereas for an interface call credential not present in the gateway, the interface call credential requirement is sent to the client, and the interface call credential returned by the client is forwarded to the background server.
Step S205: receive the target user list returned by the background server, the target user list containing the target user information of users allowed to access the access target resource.
After receiving the interface call credential sent by the gateway, the background server verifies it by comparing the received interface call credential with the interface call credential, obtained in step S203, that is required to call the target user whitelist. If the two are the same, the interface call credential sent by the gateway passes verification and the background server sends the target user list to the gateway; if they differ, verification fails and the background server does not send the target user list to the gateway.
Step S206: if the requesting user information is the same as any target user information in the target user list, send the access target resource to the client.
It should be understood that step S206 of this embodiment is substantially the same as step S104 of Embodiment 1; refer to the detailed description of the foregoing embodiment, which is not repeated here.
Compared with the prior art, the data resource access method provided by Embodiment 2 of the present invention retains all the technical steps of Embodiment 1 and therefore has the same technical effect. In addition, in Embodiment 2 the gateway also receives the interface call credential requirement sent by the background server and sends the corresponding interface call credential to the background server according to that requirement; only after the background server has verified the interface call credential can the gateway receive the returned target user list and then send the access target resource to the client. This additional verification of the gateway's interface call credential further improves the security of the data resource access method.
Embodiment 3 of the present invention provides a data resource access method applied to a gateway. The specific steps are shown in FIG. 3 and include the following.
Step S301: Receive the access request sent by the client, and extract the requesting user information and the access target resource from the access request.
Step S302: Determine whether the gateway has stored the requesting user information; if so, execute step S306; if not, execute step S303.
Specifically, in this step, after receiving the target user list returned by the background server, the gateway stores the target user information contained in the list. If the gateway has already stored the requesting user information, the accessing user who sent the access request has previously accessed the access target resource through the gateway, so step S306 can be executed directly to send the access target resource to the client. If the gateway has not stored the requesting user information, the accessing user who sent the access request has not previously accessed the access target resource through the gateway, so step S303 is executed to redirect the access request to the client's background server.
Step S303: Redirect the access request to the client's background server.
Step S304: Receive the target user list returned by the background server; the target user list contains the target user information of the users allowed to access the access target resource.
Step S305: If the requesting user information is identical to any target user information in the target user list, execute step S306.
Step S306: Send the access target resource to the client.
It can be understood that steps S301 and S303 to S306 in this embodiment are substantially the same as steps S101 to S104 in Embodiment 1; for details refer to the specific description of the foregoing embodiment, which is not repeated here.
Compared with the prior art, the data resource access method provided by Embodiment 3 of the present invention retains all the technical steps of Embodiment 1 and therefore has the same technical effects as Embodiment 1. In addition, in Embodiment 3, when it is determined that the gateway has already stored the requesting user information, the access target resource is sent to the client directly; that is, when the accessing user who sent the access request has previously accessed the access target resource through the gateway, the access target resource is sent to the client directly, avoiding repeated verification of the requesting user information and improving the efficiency of data resource access.
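The gateway-side flow of Embodiment 3 (steps S301 to S306), as an added example written for this page and not code from the patent. The background server is simulated by an in-memory table of constructed whitelists. Two details are choices made here rather than anything the patent states: the stored record is keyed by user and resource together, so a user verified for one resource is not served a different resource from the cache, and each record expires after a TTL so that a user later removed from the whitelist on the background server is re-checked instead of being served indefinitely.

```python
"""Gateway-side access handling for Embodiment 3 (added example).

Stand-in for the patent's gateway: the background server is simulated by an
in-memory table. Cache keying and the TTL are assumptions made here.
"""
import time
from dataclasses import dataclass, field

# Constructed: whitelists as the background server (Embodiment 4) would return them.
BACKEND_WHITELISTS = {
    "/reports/q3.pdf": {"alice", "bob"},
    "/hr/salaries.csv": {"carol"},
}


def backend_target_user_list(resource):
    """Simulates steps S303/S304: redirect to the background server and receive
    the target user list for the resource (empty if the resource is unknown)."""
    return sorted(BACKEND_WHITELISTS.get(resource, ()))


@dataclass
class Gateway:
    cache_ttl: float = 300.0        # seconds a verified (user, resource) pair stays cached
    backend_calls: int = 0          # how often the background server was consulted
    _verified: dict = field(default_factory=dict)   # (user, resource) -> expiry time

    def handle(self, request, now=None):
        """Returns (decision, reason); decision is "allow" or "deny"."""
        now = time.monotonic() if now is None else now
        # Step S301: extract requesting user information and access target resource.
        user = request.get("user")
        resource = request.get("resource")
        if not user or not resource:
            return ("deny", "malformed request")
        key = (user, resource)
        # Step S302: already verified for this resource and not expired -> step S306.
        expiry = self._verified.get(key)
        if expiry is not None and now < expiry:
            return ("allow", "cached")
        # Steps S303/S304: redirect to the background server, receive the target user list.
        self.backend_calls += 1
        target_users = backend_target_user_list(resource)
        # Step S305: the requesting user must match one of the target users.
        if user in target_users:
            self._verified[key] = now + self.cache_ttl
            return ("allow", "verified")      # step S306
        self._verified.pop(key, None)
        return ("deny", "not in target user list")
```

Step S302 as written stores only the requesting user information. Keying the stored record on the resource as well and bounding its lifetime are the two points a reviewer would raise, since otherwise the cache turns a single whitelist match into a standing grant that outlives any later change to the whitelist.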
Embodiment 4 of the present invention provides a data resource access method applied to a background server. The specific steps are shown in FIG. 4 and include the following.
Step S401: Receive the access request sent by the client, and extract the access target resource from the access request.
Specifically, in this step, the access request sent by the client is the access request redirected by the gateway in the foregoing embodiments, and it contains the client's requesting user information and the access target resource. In this embodiment, the background server extracts the access target resource directly from the received access request.
Step S402: Return the target user list according to the access target resource; the target user list contains the target user information of the users allowed to access the access target resource.
The background server stores the various resources that the client can access and, for each resource, a whitelist of the users allowed to access it. After extracting the access target resource contained in the access request, the target user whitelist of users allowed to access that resource can be determined from the access target resource; the user information of the target users in the target user whitelist is assembled into a target user list, which is sent to the gateway.
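The background-server side of Embodiment 2 (verifying the gateway's interface call credential before handing out the whitelist) and Embodiment 4 (looking up the whitelist for the requested resource), as an added example written for this page rather than code from the patent. The gateway identifier, the credential value, the resource names and the user names are constructed sample data; the constant-time comparison and the request field names are choices made here, not something the patent specifies.

```python
"""Background-server handler for a redirected access request (added example).

Verifies the gateway's interface call credential (Embodiment 2) and then
returns the target user list for the requested resource (Embodiment 4).
All names and values below are constructed for illustration.
"""
import hmac

# Constructed: per-resource whitelists as held by the background server.
RESOURCE_WHITELISTS = {
    "/reports/q3.pdf": {"alice", "bob"},
    "/hr/salaries.csv": {"carol"},
}

# Constructed: the interface call credential each gateway is expected to present
# (the credential obtained in step S203); provisioned out of band in practice.
GATEWAY_CREDENTIALS = {
    "gw-01": "example-credential-not-a-real-secret",
}


def verify_interface_credential(gateway_id, presented):
    """Compare the presented credential with the expected one for this gateway.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes matched. Assumption: the credential is a shared
    secret string; the patent does not fix its format.
    """
    expected = GATEWAY_CREDENTIALS.get(gateway_id)
    if expected is None or not isinstance(presented, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def target_user_list(resource):
    """Step S402: the whitelist for the resource, empty if the resource is unknown."""
    return sorted(RESOURCE_WHITELISTS.get(resource, ()))


def handle_redirected_request(request):
    """Steps S401/S402 with the credential check of Embodiment 2 in front.

    `request` is the access request as redirected by the gateway, extended with
    the gateway's identity and credential (field names are assumptions).
    """
    if not verify_interface_credential(request.get("gateway_id"),
                                       request.get("credential")):
        # Credential check failed: no target user list is returned.
        return {"status": "denied", "reason": "interface call credential rejected"}
    resource = request.get("resource")
    if not resource:
        return {"status": "error", "reason": "no access target resource in request"}
    return {"status": "ok", "resource": resource,
            "target_users": target_user_list(resource)}
```

Two properties are worth keeping when building this: the credential check runs before the resource is consulted, so an unauthenticated caller learns nothing about which resources exist, and an unknown resource yields an empty target user list, so the gateway's comparison in step S305 fails closed rather than open.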
Compared with the prior art, the data resource access method provided by Embodiment 4 of the present invention is the method executed on the background server side corresponding to the foregoing embodiments, and therefore has the same technical effects as the foregoing embodiments; for details refer to the specific description of the foregoing embodiments, which is not repeated here.
Embodiment 5 of the present invention relates to a gateway. Its specific structure is shown in FIG. 5 and includes: a communication module 501, used to receive the access request sent by the client and to receive the target user list returned by the background server, the target user list containing the target user information of the users allowed to access the access target resource; a redirection module 502, used to redirect the access request to the client's background server; and a data processing module 503, used to extract the requesting user information and the access target resource from the access request and, when the requesting user information is identical to any target user information in the target user list, to send the access target resource to the client. Further, the gateway provided in Embodiment 5 is an SSL offload gateway. It can be understood that the gateway being an SSL offload gateway is only one specific example in this embodiment; in other embodiments of the present invention it may also be another type of gateway, configured flexibly according to actual needs.
Compared with the prior art, in the gateway provided by Embodiment 5 of the present invention, the redirection module 502 redirects the access request to the client's background server. The background server stores a large amount of data that clients can access, together with the target users allowed to access that data. After receiving the redirected access request, the background server can obtain, from the access target resource extracted from the access request, the list of target users allowed to access that resource, and return the target user list together with the target user information of the target users in it to the gateway. Once the communication module 501 has received the target user list returned by the background server, the data processing module 503 can compare the requesting user information extracted from the access request with the target user information of the target users in the list. If the requesting user information is identical to any target user information in the target user list, the requesting user who sent the current access request is among the users allowed to access the target resource, and connecting the client to the access target resource at this point prevents the data from being accessed by users who are not allowed, thereby improving data security during data resource access.
Embodiment 6 of the present invention relates to an electronic device, as shown in FIG. 6, including: at least one processor 601; and a memory 602 communicatively connected to the at least one processor 601, wherein the memory 602 stores instructions executable by the at least one processor 601, and the instructions are executed by the at least one processor 601 so that the at least one processor 601 can perform the data resource access method of each of the above embodiments.
The memory and the processor are connected by a bus. The bus may include any number of interconnected buses and bridges and connects the various circuits of one or more processors and of the memory together. The bus may also connect various other circuits such as peripherals, voltage regulators and power management circuits, all of which are well known in the art and are therefore not described further here. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or several elements, such as several receivers and transmitters, providing a unit for communicating with various other devices over a transmission medium. Data processed by the processor is transmitted over a wireless medium through an antenna; further, the antenna also receives data and passes it to the processor.
The processor is responsible for managing the bus and for general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory may be used to store data used by the processor when performing operations.
Embodiment 7 of the present invention relates to a storage medium storing a computer program. When the computer program is executed by a processor, the above method embodiments are implemented.
That is, those skilled in the art can understand that all or part of the steps of the methods of the above embodiments can be completed by a program instructing the related hardware; the program is stored in a storage medium and includes a number of instructions to cause a device (which may be a single-chip microcontroller, a chip, etc.) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211197434.6A CN115603962A (en) | 2022-09-29 | 2022-09-29 | Data resource access method, gateway and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115603962A true CN115603962A (en) | 2023-01-13 |
Family
ID=84844820
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||