CN118473814A - Access control method, device, equipment, medium and program product of application gateway - Google Patents
Access control method, device, equipment, medium and program product of application gateway
- Publication number: CN118473814A
- Application number: CN202410741996.5A
- Authority: CN (China)
- Prior art keywords: access, terminal device, target, application, terminal equipment
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/10 (H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security): for controlling access to devices or network resources
- H04L63/08 (same hierarchy as above): for authentication of entities
- H04L63/306 (same hierarchy as above, via H04L63/30—for supporting lawful interception, monitoring or retaining of communications or communication related information): intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L67/30 (H › H04 › H04L › H04L67/00—Network arrangements or protocols for supporting network services or applications › H04L67/2866—Architectures; Arrangements): Profiles
- H04L9/40 (H › H04 › H04L › H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols): Network security protocols
Abstract
The disclosure relates to the technical field of networks and discloses an access control method, apparatus, device, medium and program product for an application gateway. The access control method of the application gateway comprises the following steps: parsing a uniform resource locator (URL) request sent by a first terminal device, and determining the access requirement for a target service application and the current access record of the first terminal device; if the access permission indicates that the first terminal device is allowed to access the target service application, performing identity verification on the first terminal device based on the current access record and, when the identity verification result is that verification passed, determining a target access result for accessing the target service application based on the access requirement and feeding it back to the first terminal device in response to the URL request. Because the access requirement and the current access record of the first terminal device are determined from the URL request and targeted interception is then performed, the access security of the target service application can be effectively improved.
Description
Technical Field
The present disclosure relates to the field of network technologies, and in particular, to an access control method, apparatus, device, medium, and program product for an application gateway.
Background
An application gateway is a Web traffic load balancer operating at layer 7 of the Open Systems Interconnection (OSI) reference model and can be used to manage traffic to Web applications. Conventional load balancers operate at the transport layer (OSI layer 4, TCP and UDP) and route traffic to destination IP addresses and ports based on the source IP addresses and ports.
In the related art, in the private network (intranet) of an enterprise or other organization, security management software generally has to be installed on each terminal device, and that software controls the terminal device's access to the applications deployed in the private network. However, when the number of terminal devices requesting connection is large, ensuring the data security of the applications becomes a problem to be solved.
Disclosure of Invention
In view of the above, the present disclosure provides an access control method, apparatus, device, medium and program product for an application gateway, so as to solve the problem of low security of data access.
In a first aspect, the present disclosure provides an access control method for an application gateway, where the method includes:
receiving a uniform resource locator (URL) request sent by a first terminal device, where the URL request requests access to a target service application deployed in a first network;
parsing the URL request, and determining the access requirement for the target service application and the current access record of the first terminal device;
determining the access right of the first terminal device to the target service application through a preset first configuration file, where the first configuration file contains the access rights between a plurality of service applications and the first network;
if the access right indicates that the first terminal device is allowed access, performing identity verification on the first terminal device based on the current access record and, when the identity verification result is that verification passed, determining a target access result for accessing the target service application based on the access requirement;
and feeding back the target access result to the first terminal device in response to the URL request.
In a second aspect, the present disclosure provides an access control apparatus of an application gateway, the apparatus including:
a first receiving module, configured to receive a uniform resource locator (URL) request sent by a first terminal device, where the URL request requests access to a target service application deployed in a first network;
a parsing module, configured to parse the URL request and determine the access requirement for the target service application and the current access record of the first terminal device;
a first processing module, configured to determine the access right of the first terminal device to the target service application through a preset first configuration file, where the first configuration file contains the access rights between a plurality of service applications and the first network;
a second processing module, configured to perform identity verification on the first terminal device based on the current access record if the access right indicates that the first terminal device is allowed access, and to determine a target access result for accessing the target service application based on the access requirement when the identity verification result is that verification passed;
and a feedback module, configured to feed back the target access result to the first terminal device in response to the URL request.
In a third aspect, the present disclosure provides a computer device comprising a memory and a processor in communicative connection with each other, where the memory stores computer instructions and the processor executes the computer instructions, thereby performing the access control method of the application gateway according to the first aspect or any implementation corresponding to the first aspect.
In a fourth aspect, the present disclosure provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the access control method of the application gateway of the first aspect or any of the embodiments corresponding thereto.
In a fifth aspect, the present invention provides a computer program product comprising computer instructions for causing a computer to perform the access control method of the application gateway of the first aspect or any of its corresponding embodiments.
According to the access control method of the application gateway, the access right of the first terminal device to the target service application is determined from the URL request, which guarantees the access security of the target service application. Further, when the first terminal device is permitted to access the target service application, targeted interception is performed based on its access requirement for the target service application and its current access record, and the target access result finally fed back to the first terminal device is determined accordingly. This effectively guarantees the data access security of the target service application and improves the legality and security of access to it.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the prior art, the drawings required in the detailed description are briefly described below. It will be apparent that the drawings in the following description show some embodiments of the present disclosure, and that a person of ordinary skill in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a system architecture diagram of an access control system according to an embodiment of the present disclosure;
Fig. 2 is a flow diagram of an access control method of an application gateway according to an embodiment of the present disclosure;
Fig. 3 is a flow chart of another access control method of an application gateway according to an embodiment of the present disclosure;
Fig. 4 is a block diagram of an access control device of an application gateway according to an embodiment of the present disclosure;
Fig. 5 is a flow chart of yet another access control method of an application gateway according to an embodiment of the present disclosure;
Fig. 6 is a block diagram of another access control device of an application gateway according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been illustrated in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather, these embodiments are provided so that this disclosure will be more thorough and complete. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
In describing embodiments of the present disclosure, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". Other explicit and implicit definitions are also possible below.
In this context, unless explicitly stated otherwise, performing a step "in response to a" does not mean that the step is performed immediately after "a", but may include one or more intermediate steps.
It will be appreciated that the data (including but not limited to the data itself, the acquisition, use, storage or deletion of the data) involved in the present technical solution should comply with the corresponding legal regulations and the requirements of the relevant regulations.
It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the relevant users, which may include any type of rights subjects, such as individuals, enterprises, groups, etc., should be informed and authorized by appropriate means of the types of information, usage ranges, usage scenarios, etc. involved in the present disclosure according to relevant legal regulations.
For example, in response to receiving an active request from a user, prompt information is sent to the relevant user to make explicit that the requested operation will need to obtain and use information from the relevant user, so that the relevant user may, according to the prompt information, autonomously choose whether to provide information to the software or hardware (such as an electronic device, application program, server or storage medium) that performs the operation of the technical solution of the present disclosure.
As an alternative but non-limiting implementation manner, in response to receiving an active request from a relevant user, the prompt information may be sent to the relevant user, for example, in a popup window, where the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
Office security generally concerns the security management of networks, identities and terminals; by implementing private network interconnection, access control, management of the terminals in the private network and information security protection, digital office work becomes safer, more efficient and easier to use. Security management at the network level ensures that private networks such as office networks can operate safely and efficiently, and thereby that business data can be transmitted and stored securely. Security management at the identity level improves the efficiency and security of authenticating users who access the private network. Security management at the terminal level enables unified management of the terminal devices in the private network, data leakage prevention and terminal threat protection, thereby ensuring the security of enterprise data.
In practice, the security management of networks, identities and terminals is technically associated with several branches such as networking strategy, network access and control, remote access, unified terminal management, terminal detection and response, enterprise data leakage prevention and identity authentication management, so that digital office work is simpler, more efficient and easier to put into practice.
In the related art, a terminal device of an external network may access an enterprise-level application deployed in an enterprise intranet through a preset proxy server. However, when the number of terminal devices requesting access is large, how to ensure the data security of the enterprise-level application in the enterprise intranet becomes a problem to be solved.
In view of this, the disclosed embodiments provide an access control method for an application gateway, it being noted that the steps shown in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order other than that shown or described herein.
As shown in Fig. 1, the system architecture of an access control system adopted in an embodiment of the present disclosure mainly comprises a plurality of terminal devices, an application gateway and the server on which a business application server side is located. Members of the enterprise can access application resources hosted in the first network, such as data center, public cloud and private cloud application programs and SaaS applications, through a business application client on the terminal device. The application gateway is deployed in the enterprise's headquarters, a branch network, an Internet data center (IDC) machine room or a cloud service (such as a public or private cloud). The application gateway is connected to each business application server side hosted in the first network and controls the terminal devices' access to the application resources of each business application. The server on which the business application server side is located provides services to the corresponding business application client.
In this embodiment, an access control method of an application gateway is provided, which may be used in a computer device, such as a proxy server and a gateway, and fig. 2 is a flowchart of an access control method of an application gateway according to an embodiment of the disclosure, as shown in fig. 2, where the flowchart includes the following steps:
Step S201, a uniform resource locator (URL) request sent by the first terminal device is received.
Wherein the URL request is for requesting access to a target business application deployed in the first network. The target service application may be understood as a service application that is pre-deployed in the first network and that needs targeted management. The first terminal device may access it via the internet. The first terminal device may be a terminal device deployed on the first network with the target service application, or may be a terminal device deployed under another network line, which is not limited herein.
When a URL request sent by the first terminal device is detected, in order to guarantee the access security of the target service application, the URL request is intercepted and whether the first terminal device may access the target service application is determined based on the URL request.
Step S202, parsing the URL request, and determining the access requirement for the target service application and the current access record of the first terminal device.
In order to determine the purpose for which the first terminal device accesses the target service application, the URL request is parsed to determine whether the first terminal device needs to perform a data operation on data in the target service application and whether the first terminal device has accessed the target service application before; from this the access requirement for the target service application and the current access record of the first terminal device are determined, so that the purpose of the access is better understood. For example, by parsing the parameters and parameter values in the URL request, the specific data operations the first terminal device needs to perform (such as reading, writing, deleting or downloading) can be determined. Resolving other relevant information in the request, such as user identity and access time, also helps to determine the context and constraints of the access requirement.
In some alternative implementations, the URL request may be parsed by a preset parsing tool. For example, the parsing tool may be a request parsing library for the Hypertext Transfer Protocol (HTTP) used in World Wide Web development, or a uniform resource locator (URL) parsing library, and may be selected according to actual requirements.
Step S203, determining the access authority of the first terminal device to the target service application through a preset first configuration file.
Here the first configuration file contains the access rights between the plurality of service applications and the first network. In order to ensure the access security of the target service application, the access right between the target service application and the first network is looked up among the access rights between the plurality of service applications and the first network, so as to determine whether the first terminal device may access the target service application.
Step S204, if the access right indicates that the first terminal device is allowed access, identity verification is performed on the first terminal device based on the current access record, and when the identity verification result is that verification passed, a target access result for accessing the target service application is determined based on the access requirement.
If the access right indicates that the first terminal device is allowed access, then in order to ensure the data security of the target service application the identity of the first terminal device is verified based on the current access record, so as to establish whether the current access of the first terminal device to the target service application is legitimate. If the verification result is that verification passed, the current access of the first terminal device to the target service application is regarded as legitimate, and access redirection processing is then performed based on the access requirement to ensure the validity and safety of the access and to obtain an appropriate target access result.
Step S205, feeding back the target access result to the first terminal equipment to respond to the URL request.
The target access result is fed back to the first terminal device so that it can determine from the result whether the URL request it sent was valid and perform targeted processing afterwards; this reduces unnecessary polling or waiting time and thereby preserves system performance.
According to the access control method of the application gateway, the access right of the first terminal device to the target service application is determined from the URL request, which guarantees the access security of the target service application. Further, when the first terminal device is permitted to access the target service application, targeted interception is performed based on its access requirement for the target service application and its current access record, and the target access result finally fed back to the first terminal device is determined accordingly. This effectively guarantees the data access security of the target service application and improves the legality and security of access to it.
In some alternative embodiments, the process of verifying the identity of the first terminal device based on the current access record includes the following steps:
Step a1, acquiring the historical access records of the first terminal device;
Step a2, performing identity verification on the first terminal device based on the matching result between the current access record and the historical access records;
Step a3, if the matching result indicates that an access record identical to the current access record exists among the historical access records, determining that the identity verification result is that verification passed;
Step a4, if the matching result indicates that no access record identical to the current access record exists among the historical access records, determining that the identity verification result is that verification failed.
Specifically, an access record includes any one or more of the following record data: a device identifier of the first terminal device, the access account currently in use, the location from which the URL request was initiated, the operating system of the first terminal device, and the Internet protocol address or local area network address of the first terminal device.
In order to determine whether the access by the first terminal device is legitimate, the historical access information of the first terminal device is obtained to establish its past access to the target service application. The current access record is matched against the historical access records so that the historical records verify whether the current access is normal. If the matching result indicates that an access record identical to the current access record exists among the historical access records, the current access of the first terminal device is regarded as reasonable and the identity verification result is determined to be that verification passed. If the matching result indicates that no identical access record exists among the historical access records, the current access of the first terminal device is regarded as unreasonable and the identity verification result is determined to be that verification failed.
Because verification is performed based on the user's historical access records, the access security of the target application can be ensured while the user's experience is effectively improved.
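The record-matching verification of steps a1 to a4, written out as an added example (this is not code from the patent; the record field names and the sample history are constructed for illustration). A record passes only when an identical historical record exists; a small reporting helper, which the page does not describe, shows which fields differed so that a failed verification can be logged and triaged.

```python
# Fields the page lists for an access record: device identifier, account in use,
# request origin, operating system, and IP / LAN address. Names are constructed.
RECORD_FIELDS = ("device_id", "account", "origin", "os", "address")


def records_match(current: dict, past: dict, fields=RECORD_FIELDS) -> bool:
    """True when every listed field of the two records is identical."""
    return all(current.get(f) == past.get(f) for f in fields)


def verify_identity(current: dict, history: list) -> str:
    """Steps a1-a4: pass only if an identical record exists in the history."""
    return "pass" if any(records_match(current, past) for past in history) else "fail"


def mismatch_report(current: dict, history: list, fields=RECORD_FIELDS) -> set:
    """Smallest set of fields that differ from the closest historical record.

    Not part of the page's method; useful for logging why a verification
    failed (a new device versus a new origin, for example) so operators can triage.
    """
    if not history:
        return set(fields)
    diffs = ({f for f in fields if current.get(f) != past.get(f)} for past in history)
    return min(diffs, key=len)


# Constructed sample history for one device.
SAMPLE_HISTORY = [
    {"device_id": "dev-01", "account": "alice", "origin": "HQ",
     "os": "Windows 11", "address": "10.1.2.3"},
    {"device_id": "dev-01", "account": "alice", "origin": "Branch-A",
     "os": "Windows 11", "address": "10.8.0.12"},
]


if __name__ == "__main__":
    current = dict(SAMPLE_HISTORY[1])
    print(verify_identity(current, SAMPLE_HISTORY))          # pass
    current["origin"], current["address"] = "Hotel", "198.51.100.7"
    print(verify_identity(current, SAMPLE_HISTORY))          # fail
    print(sorted(mismatch_report(current, SAMPLE_HISTORY)))  # ['address', 'origin']
```

Exact matching on all fields is what the page specifies; a deployment would decide per field how strict to be (an address can change legitimately, a device identifier should not), which is exactly the information the mismatch report surfaces.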
In some alternative embodiments, when determining the access requirement for the target service application, if the URL request contains a download field, the access requirement for the target service application is determined to be data download. That is, while parsing the URL request, field parsing is performed on it, and if the "/download" field is present in the URL, the access requirement for the target service application is determined to be data download.
If the URL request contains a target field representing data protection, the access requirement for the target service application is determined to be access to protected data in the target service application. The target field may be defined according to business needs. While parsing the URL request, field matching is used to identify whether a field matching the target field is present in the URL request; if so, the access requirement for the target service application is determined to be access to protected data.
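How step S202 and the field rules above can be implemented, as an added example (not code from the patent). It assumes constructed marker segments for the protected-data "target field" and constructed header names for the access record; the page only names the "/download" field. The path is percent-decoded and normalised before matching so that an alternative spelling of the same path is classified the same way, a point the page does not cover.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlparse

# "/download" is the field the page names; the protected-data target fields are
# defined per business need, so the values below are constructed placeholders.
DOWNLOAD_FIELD = "download"
PROTECTED_FIELDS = frozenset({"protected", "confidential"})


def normalise_path(raw_path: str) -> str:
    """Decode percent-encoding and collapse "." / ".." before matching.

    Matching the raw string would classify "/files/%2Fdownload" or
    "/x/../download" differently from "/download" even though the upstream
    application treats them alike. One decoding pass is used here; a gateway
    in front of an application that decodes twice must mirror that behaviour.
    """
    return posixpath.normpath("/" + unquote(raw_path).lstrip("/"))


def determine_access_requirement(url: str) -> str:
    """Classify a URL request as step S202 describes.

    Returns "download", "protected_data" or "normal".
    """
    segments = [s for s in normalise_path(urlparse(url).path).split("/") if s]
    if DOWNLOAD_FIELD in segments:
        return "download"
    if PROTECTED_FIELDS.intersection(segments):
        return "protected_data"
    return "normal"


def extract_access_record(url: str, headers: dict) -> dict:
    """Assemble the current access record from request metadata.

    The header names are assumptions for this example; a real gateway would
    take the device identifier and account from its own session or agent
    protocol rather than trusting client-supplied headers. Requested operations
    are read from a constructed "op" query parameter.
    """
    query = parse_qs(urlparse(url).query)
    forwarded = headers.get("X-Forwarded-For", "")
    return {
        "device_id": headers.get("X-Device-Id"),
        "account": headers.get("X-Account"),
        "origin": forwarded.split(",")[0].strip() or None,
        "os": headers.get("X-Device-OS"),
        "operations": sorted(set(query.get("op", []))),
    }


if __name__ == "__main__":
    sample = "https://crm.example.internal/files/%2Fdownload?op=read&op=download"
    print(determine_access_requirement(sample))                       # download
    print(extract_access_record(sample, {"X-Device-Id": "dev-01"}))
```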
In this embodiment, there is provided an access control method of an application gateway, and fig. 3 is a flowchart of an access control method of an application gateway according to an embodiment of the disclosure, as shown in fig. 3, where the flowchart includes the following steps:
Step S301, a uniform resource locator (URL) request sent by a first terminal device is received.
Step S302, parsing the URL request, and determining the access requirement for the target service application and the current access record of the first terminal device.
Step S303, determining the access right of the first terminal device to the target service application through a preset first configuration file.
Step S304, if the access right indicates that the first terminal device is allowed access, verifying the identity of the first terminal device based on the current access record.
Step S305, when the identity verification result is that verification passed, determining a target access result for accessing the target service application based on the access requirement.
Specifically, the step S305 includes:
Step S3051, when the identity verification result is that verification passed, if the access requirement is data download, the first operation right with which the first terminal device is allowed to access the target service application is determined through a preset second configuration file.
The second configuration file contains at least one data operation right with which the first terminal device is allowed to access the target service application; the second configuration file is obtained through a permission configuration platform, and the data operation right corresponding to data download is the download right.
When the identity verification result is that verification passed, the first terminal device may access the target service application. In order to ensure the data security of the target application, the first operation right with which the first terminal device accesses the target service application is determined through the second configuration file.
Step S3052, if the operations corresponding to the first operation right do not include the download right, the URL request is blocked and a preset access error page is used as the target access result for the target service application.
If the operations corresponding to the first operation right do not include the download right, then although the first terminal device may access the target service application, it may not perform a download operation on it. The URL request is therefore blocked and a preset access error page is used as the target access result for the target service application. The access error page informs the first terminal device that the request was invalid, which further ensures the data security of the target service application and reduces the occurrence of data leakage.
In some optional embodiments, the step S305 further includes:
In step S3053, if the access requirement is to access protected data in the target service application, secondary identity verification is performed on the first terminal device.
If the access requirement is to access protected data in the target service application, the request from the first terminal device affects the data security of the target service application. To protect that data, the access identity of the first terminal device is verified a second time; this continuous verification safeguards access to the target service application and improves the reliability of that access.
In some alternative embodiments, the secondary identity verification of the first terminal device may proceed as follows: the URL request is redirected to an identity authentication page of an identity authentication system, and the identity authentication page is sent to the first terminal device so that the identity authentication system performs the secondary identity verification; if the URL request sent again by the first terminal device is received within a specified duration, the secondary identity verification of the first terminal device is determined to have passed; if the URL request sent again is not received within the specified duration, the secondary identity verification is determined to have failed.
To ensure the legitimacy of the first terminal device's access, the URL request is redirected to an identity authentication page of an identity authentication system so that the access identity of the first terminal device is verified a second time by that system, and the identity authentication page is sent to the first terminal device to prompt it to complete identity authentication. Authentication through the identity authentication page includes, but is not limited to, any one or more of the following: entering a dynamic password, sending a specified short message, or sending an e-mail. The content of the identity authentication includes, but is not limited to, any one or more of the following dimensions: the login account used to access the target service application, the model of the first terminal device, the geographic location of the login to the target service application, the operating system of the first terminal device, the Internet address of the first terminal device, its MAC (Media Access Control) address, a network device address, and the like.
The purpose of the secondary identity verification is to further confirm the validity of the first terminal device's access. To keep the identity verification meaningful, a specified duration is preset that bounds how long the verification remains valid. For example, the specified duration may be 6 hours or 5 minutes; the specific value may be set as required and is not limited here.
If the URL request sent again by the first terminal device is received within the specified duration, the access identity verification of the first terminal device is determined to have passed and its access identity is regarded as legitimate, so the URL request it sends can subsequently be served. If the URL request sent again is not received within the specified duration, the access identity verification is determined to have failed, the access identity of the first terminal device is regarded as illegitimate, and the URL request sent by the first terminal device is intercepted.
In step S3054, if the secondary identity verification of the first terminal device passes, data protection processing is performed on the application access result page corresponding to the access requirement in the target service application, and the processed application access result page is used as the target access result.
If the secondary identity verification of the first terminal device passes, its access identity is regarded as legitimate and its access requirement is served. To protect the protected data in the target service application, data protection processing is performed on the application access result page corresponding to the access requirement, which safeguards the data on that page, and the processed page is used as the target access result; when that result is later fed back to the first terminal device, its access requirement is satisfied.
In some alternative embodiments, the data protection processing of the application access result page may include: determining the application access result page corresponding to the access requirement in the target service application, and adding a preset target identifier to that page to obtain the processed application access result page. Adding the preset target identifier makes it possible to attribute the specific data access operations that the first terminal device performs on the page, which reduces the risk of the target service application's data being tampered with and strengthens data security and traceability. The target identifier may be a specified unique identifier or a specified tracking code; its specific content may be determined by the user as required.
In step S306, the target access result is fed back to the first terminal device in response to the URL request.
According to the access control method of the application gateway described above, determining the access authority of the first terminal device for the target service application from the preset first configuration file allows access control to be managed centrally. Deciding from the URL request sent by the first terminal device whether access to the target service application must be intercepted improves the efficiency of access security checks and reduces missed detections. Once the first terminal device is determined to be allowed to access the target service application, its access is further controlled by verifying its access identity, which effectively improves the data access security of the target service application. Finally, the first terminal device is guided to the application access result page it requires according to its access requirement, so that more accurate and personalized access results can be provided.
In some optional embodiments, where the first terminal device is allowed to access the target service application, the method further includes, while the first terminal device accesses the target service application: acquiring the data access records of the first terminal device for the protected data in the target service application, so that the operating state of the target service application can be understood from the data access records. To optimize resource utilization and response speed, data processing is performed on the protected data in the data access records to reduce redundant and invalid data storage, thereby obtaining target access records that allow targeted management of the target service application.
In other optional embodiments, to ensure the reliability of the first configuration file, the first configuration file is obtained from the rights configuration platform according to a preset period and stored, so that when the first configuration file is updated, the updated first configuration file is obtained in time and control remains effective when the first terminal device's access to the target service application is subsequently controlled; this effectively improves the access security and data security of the target service application. The first configuration file includes the access rights between a plurality of service applications and the corresponding terminal devices. The preset period may be chosen according to actual requirements; for example, the first configuration file may be obtained from the rights configuration platform and stored every 5 minutes, or once every 30 seconds.
In yet other alternative embodiments, the first configuration file may also be obtained as follows: an incremental first configuration file pushed by the rights configuration platform is received, the first configuration file is updated with the incremental first configuration file, and the updated first configuration file is stored. This ensures that the first configuration file in the application gateway is updated in time and stays synchronized with the rights configuration platform, improving the effectiveness and reliability of the targeted control of access to the target service application.
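The following is an added example, not code from the patent or its applicant, of how a gateway can keep its copy of the first configuration file in sync using both mechanisms the text describes: a periodic full pull and event-driven incremental pushes, with a disk copy for operation when the rights configuration platform is unreachable. The snapshot format (a version number plus a map from application to allowed devices), the shape of an increment (base version, new version, list of grant/revoke changes) and the file path are assumptions. The check a practitioner would want is the version gap test: an increment that does not continue exactly from the stored version is never applied, because a missed increment could carry a revocation, and the store falls back to a full refresh instead; a snapshot older than what is already held is likewise ignored.

```python
import copy
import json
import os
import tempfile

# Local disk copy of the first configuration file (path is an assumption).
DEFAULT_PATH = os.path.join(tempfile.gettempdir(), "first_config_example.json")


class ConfigStore:
    """Gateway-side copy of the first configuration file: application -> allowed device ids."""

    def __init__(self, fetch_snapshot, path=DEFAULT_PATH):
        self.fetch_snapshot = fetch_snapshot   # callable returning (version, rules) from the platform
        self.path = path
        self.version = 0
        self.rules = {}
        self.refresh()

    def refresh(self):
        """Periodic full pull (the text's 5-minute or 30-second period)."""
        if self.fetch_snapshot is None:
            return False                       # offline: nothing to pull from
        version, rules = self.fetch_snapshot()
        if version < self.version:
            return False                       # stale snapshot (e.g. a lagging replica): keep ours
        self.version = version
        self.rules = {app: set(devices) for app, devices in rules.items()}
        self._persist()
        return True

    def apply_increment(self, base_version, new_version, changes):
        """Event-driven push. Applied only if it continues exactly from our version;
        a gap could hide a revocation, so fall back to a full refresh instead."""
        if base_version != self.version or new_version <= base_version:
            return self.refresh()
        rules = copy.deepcopy(self.rules)
        for op, app, device in changes:
            if op == "grant":
                rules.setdefault(app, set()).add(device)
            elif op == "revoke":
                rules.get(app, set()).discard(device)
            else:
                raise ValueError(f"unknown change {op!r}")
        self.rules, self.version = rules, new_version   # swap in only after every change applied
        self._persist()
        return True

    def allowed(self, app, device):
        """The lookup the data plane performs for step S303."""
        return device in self.rules.get(app, set())

    def _persist(self):
        """Write the disk copy atomically so a crash never leaves a torn file."""
        data = {"version": self.version, "rules": {a: sorted(d) for a, d in self.rules.items()}}
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(data, f)
        os.replace(tmp, self.path)

    @classmethod
    def load_offline(cls, path=DEFAULT_PATH):
        """Start from the disk copy when the rights configuration platform is unreachable."""
        with open(path) as f:
            data = json.load(f)
        store = cls.__new__(cls)
        store.fetch_snapshot, store.path = None, path
        store.version = data["version"]
        store.rules = {a: set(d) for a, d in data["rules"].items()}
        return store
```

Increments are applied to a copy and swapped in only when every change has been applied, so a malformed push cannot leave the live rules half updated; the same holds for the disk file, which is replaced atomically.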
In some optional examples, to ensure network security, access control rules, routing rules, security policies, and the like for accessing different target service applications are also included in the obtained first configuration file.
The present disclosure further provides an application gateway, where the structural block diagram of the application gateway may be as shown in fig. 4, including: control plane and data plane.
The control plane is connected to the rights configuration platform and obtains the first configuration file from it according to a preset period, storing it in local memory and on disk. The first configuration file includes, but is not limited to, the access control rules, routing rules and security policies for accessing the different target service applications, and the access rights between the plurality of service applications and the corresponding terminal devices. The rights configuration platform can push rule increments and changes in real time, driven by events, so that the control plane obtains the updated first configuration file promptly. To save network resources, the first configuration file held in local memory is sent to the execution module connected to the control plane as a local offline copy for cache update, which keeps the first configuration file synchronized.
The control plane also provides configuration management functions for the access control of the application gateway, including uploading, modifying, backing up and restoring the first configuration file, so that an administrator can flexibly manage and adjust the gateway's access control. The control plane further provides services to the data module, including traffic forwarding, routing, acceleration and load balancing, to ensure high performance and stability of the network.
There is at least one data plane, connected to the servers of the plurality of target service applications, so that public cloud, private cloud and hybrid cloud deployment architectures can all be supported. The data plane redirects access to the access error page, to the identity authentication page of the identity authentication system, or to the application access result page after data protection processing. While the data plane runs, the first configuration file, the first terminal device and its corresponding access information can be cached in memory and analyzed there, so that the final target access result is determined quickly.
Because the first configuration file is cached in the memory of the access control device of the application gateway, access by the first terminal device to the target service application on the intranet can still be controlled in a targeted manner through the locally cached first configuration file even without public network connectivity.
As one or more specific application embodiments of the present disclosure, an example is that the access control device of the application gateway is an application gateway. When the user needs to access the target service application through the first terminal device, the interaction flow of the application gateway controlling the first terminal device to access the target service application may be as shown in fig. 5, including:
Configuration phase: the control plane of the application gateway first requests the first configuration file from the rights configuration platform, which responds by sending the first configuration file to the control plane. The control plane stores the obtained first configuration file in memory and on disk, and then synchronizes it into the cache of the data plane of the application gateway, so that the first configuration file is held safely.
Control phase: the user sends a URL request for the target service application through the first terminal device, and the data plane of the application gateway receives it. The fields of the URL request are parsed to determine the access requirement for the target service application and the current access record of the first terminal device. The access authority of the first terminal device for the target service application is determined from the preset first configuration file. If the access authority indicates that the first terminal device is allowed to access, identity verification is performed on the first terminal device based on the current access record; when the identity verification passes, the access requirement is data downloading and the first operation authority determined from the second configuration file does not include the download authority, the URL request is blocked and a preset access error page is used as the target access result for the target service application. The target access result is fed back to the first terminal device in response to the URL request.
If the access authority indicates that the first terminal device is allowed to access, identity verification is performed on the first terminal device based on the current access record; when the identity verification passes and the access requirement is to access protected data in the target service application, the URL request is redirected to the identity authentication page of the identity authentication system and that page is sent to the first terminal device. The first terminal device completes the access identity verification through the identity authentication page, the verification result is sent to the identity authentication system, and the identity authentication system replies according to the result it received. If the access identity verification of the first terminal device passes, the first terminal device is triggered to send the URL request again. If the data plane of the application gateway receives the re-sent URL request within the specified duration, the access identity verification of the first terminal device is determined to have passed. When the secondary identity verification passes, the first terminal device is connected to the server of the target service application, the application access result page corresponding to the access requirement is determined, a preset target identifier is added to that page, and the processed page is fed back to the first terminal device as the target access result.
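The following is an added example, not code from the patent or its applicant, that walks through the control phase of fig. 5 (and steps S303 to S306 of the method, including S3051 to S3054) as one data-plane decision function: the first configuration file lookup, identity verification by matching the current access record against the history, the download-authority check against the second configuration file, the secondary identity verification for protected data, and the tracking identifier added to the result page. One point is deliberately stricter than the text: the text treats a URL request re-sent within the specified duration as proof that the secondary verification passed, which a client could satisfy merely by re-sending the request. Here the re-sent request must carry a token signed by the identity authentication system and bound to the original request id and the device, and the specified duration is enforced as that token's expiry. The URL fields (`download`, a `protected` path segment, `rid`, `auth_token`), the HMAC token format, the shared key, the configuration contents, the sample history records and the HTML comment used as the tracking identifier are all assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# --- constructed configuration standing in for the first and second configuration files ---
GATEWAY_KEY = b"constructed-example-key"    # shared with the identity authentication system (assumption)
AUTH_WINDOW_SECONDS = 300                   # the "specified duration"; 5 minutes here
FIRST_CONFIG = {"crm": {"dev-001", "dev-002"}}              # application -> devices allowed to access it
SECOND_CONFIG = {("crm", "dev-001"): {"view"},              # (application, device) -> permitted operations
                 ("crm", "dev-002"): {"view", "download"}}
HISTORY = {"dev-001": [{"device_id": "dev-001", "account": "alice", "os": "linux", "ip": "10.0.0.5"}]}
ERROR_PAGE = "<html>access denied</html>"
IDP_LOGIN = "https://idp.example/login"     # identity authentication page (assumed URL)


def parse_request(url):
    """Step S302: read the access requirement from the URL's fields."""
    parts = urlsplit(url)
    app = parts.path.strip("/").split("/")[0]
    query = parse_qs(parts.query)
    if "download" in query:                      # download field present
        need = "download"
    elif "protected" in parts.path.split("/"):   # target field marking protected data
        need = "protected"
    else:
        need = "plain"
    return app, need, query


def verify_identity(current):
    """Step S304: pass only if an identical record exists in the device's history."""
    return any(rec == current for rec in HISTORY.get(current["device_id"], []))


def issue_auth_token(request_id, device_id, now):
    """What the identity authentication system hands back after a successful login
    (assumption): request id, expiry, and an HMAC binding both to the device."""
    exp = int(now) + AUTH_WINDOW_SECONDS
    sig = hmac.new(GATEWAY_KEY, f"{request_id}:{device_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{request_id}:{exp}:{sig}"


def token_valid(token, request_id, device_id, now):
    """Accept the re-sent request only with a fresh token bound to this request and device."""
    try:
        rid, exp, sig = token.split(":")
        exp = int(exp)
    except ValueError:
        return False
    expected = hmac.new(GATEWAY_KEY, f"{rid}:{device_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), expected.encode()) and rid == request_id and int(now) <= exp


def add_tracking_id(page, device_id):
    """Step S3054's data protection processing: append a per-response tracking identifier."""
    tag = hashlib.sha256(f"{device_id}:{secrets.token_hex(8)}".encode()).hexdigest()[:16]
    return page + f"<!-- trace:{tag} -->"


def handle(url, current, now, page="<html>result</html>"):
    """Steps S303 to S306 for one URL request; returns (status, body or redirect location)."""
    app, need, query = parse_request(url)
    device = current["device_id"]
    if device not in FIRST_CONFIG.get(app, set()):            # S303: first configuration file
        return "blocked", ERROR_PAGE
    if not verify_identity(current):                           # S304: history match
        return "blocked", ERROR_PAGE
    if need == "download":                                     # S3051/S3052: second configuration file
        if "download" not in SECOND_CONFIG.get((app, device), set()):
            return "blocked", ERROR_PAGE
        return "allowed", page
    if need == "protected":                                    # S3053/S3054: secondary verification
        token = query.get("auth_token", [None])[0]
        if token is None:
            rid = secrets.token_hex(8)                         # ties the later re-sent request to this one
            return "redirect", f"{IDP_LOGIN}?rid={rid}"
        rid = query.get("rid", [""])[0]
        if not token_valid(token, rid, device, now):
            return "blocked", ERROR_PAGE
        return "allowed", add_tracking_id(page, device)
    return "allowed", page                                     # S306: plain result page
```

The history match in `verify_identity` is exact, as the text describes (step S304 requires an identical record); a real deployment would normally compare per field with a tolerance for fields such as the request location, which this example does not attempt.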
While the first terminal device accesses the target service application through the application gateway, the access records of the first terminal device for the target service application are acquired, and data processing is performed on the protected data corresponding to the target field in those records to obtain the target access records.
With this access control method of the application gateway, access to the target service application is made safer and more reliable, and the data security of the target service application is effectively ensured.
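The following is an added example, not code from the patent or its applicant, of the data processing applied to the access records, as described both in the optional embodiment on data access records above and in the interaction flow here. The record layout, the choice of which fields count as protected, the required fields and the keyed pseudonym are assumptions. The design choice worth noting is that protected values are replaced by a keyed, truncated HMAC rather than simply dropped: the same account or address always maps to the same tag, so the target access records stay correlatable for investigation and targeted management without storing the protected value, and the key is held outside the log store.

```python
import hashlib
import hmac
import json

PSEUDONYM_KEY = b"constructed-log-key"                   # kept outside the log store (assumption)
PROTECTED_FIELDS = {"account", "ip", "protected_path"}   # target fields holding protected data
REQUIRED_FIELDS = {"ts", "device_id", "app", "protected_path"}


def pseudonym(value):
    """Keyed, truncated hash: equal values give equal tags, so records remain
    correlatable, but the protected value itself is not stored."""
    return hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:12]


def process_records(records):
    """Turn raw data access records into target access records: drop records
    that cannot be attributed, pseudonymise protected fields, collapse exact duplicates."""
    out, seen = [], set()
    for rec in records:
        if not REQUIRED_FIELDS.issubset(rec):
            continue                                # invalid record
        clean = {k: (pseudonym(v) if k in PROTECTED_FIELDS else v) for k, v in rec.items()}
        key = json.dumps(clean, sort_keys=True)
        if key in seen:
            continue                                # redundant record
        seen.add(key)
        out.append(clean)
    return out
```

Deduplication is on the processed record, so two raw records that differ only in a protected value that maps to the same pseudonym are still treated as distinct only if some other field differs; adjust the key if a coarser notion of redundancy is wanted.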
The embodiment also provides an access control device of an application gateway, which is used for implementing the foregoing embodiments and preferred embodiments, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides an access control device of an application gateway, as shown in fig. 6, including:
A first receiving module 601, configured to receive a uniform resource locator (URL) request sent by a first terminal device, where the URL request requests access to a target service application deployed in a first network;
The parsing module 602 is configured to parse the URL request, determine an access requirement for the target service application, and a current access record of the first terminal device;
the first processing module 603 is configured to determine access rights of the first terminal device to the target service application through a preset first configuration file, where the first configuration file includes access rights between the plurality of service applications and the first network;
The second processing module 604 is configured to, if the access permission representation allows the first terminal device to access, perform identity verification on the first terminal device based on the current access record, and determine a target access result of the access target service application based on the access requirement when the identity verification result is verification passing;
And the feedback module 605 is configured to feed back the target access result to the first terminal device, so as to respond to the URL request.
In some alternative embodiments, the second processing module 604 includes:
An acquisition unit, configured to acquire a history access record of a first terminal device;
The first verification unit is used for carrying out identity verification on the first terminal equipment based on a matching result between the current access record and the historical access record;
The first judging unit is used for determining that the identity verification result is verification passing if the matching result indicates that an access record identical to the current access record exists in the history access records;
the second judging unit is used for determining that the identity verification result is verification failed if the matching result indicates that no access record identical to the current access record exists in the history access records;
where the access record includes any one or more of the following record data: the device identifier of the first terminal device, the access account currently in use, the request initiation location corresponding to the URL request, the operating system of the first terminal device, and the Internet protocol address or local area network address of the first terminal device.
In some alternative embodiments, parsing module 602 includes:
The first analysis unit is used for determining that the access requirement of the target service application is data downloading if the URL request comprises a downloading field;
And the second analysis unit is used for determining that the access requirement to the target service application is to access the protected data in the target service application if the URL request comprises the target field for representing the data protection.
In some alternative embodiments, the second processing module 604 includes:
The first determining unit is used for determining a first operation authority which allows the first terminal equipment to access the target service application through a preset second configuration file if the access requirement is data downloading, wherein the second configuration file comprises at least one data operation authority which allows the first terminal equipment to access the target service application, the second configuration file is obtained through an authority configuration platform, and the data operation authority corresponding to the data downloading is downloading authority;
And the first execution unit is used for preventing the URL request if the operation corresponding to the first operation authority does not comprise the downloading authority, and taking the preset access error page as a target access result of the target service application.
In some alternative embodiments, the second processing module 604 includes:
The second execution unit is used for carrying out secondary identity verification on the first terminal equipment if the access requirement is to access the protected data in the target service application;
And the third execution unit is used for carrying out data protection processing on the application access result page corresponding to the access requirement in the target service application if the secondary authentication of the first terminal equipment is passed, and taking the processed application access result page as a target access result.
In some alternative embodiments, the third execution unit includes:
The second determining unit is used for determining an application access result page corresponding to the access requirement in the target service application;
The identification adding unit is used for adding a preset target identification to the application access result page to obtain a processed application access result page.
In some alternative embodiments, the apparatus further comprises:
the first acquisition module is used for acquiring a data access record of the first terminal equipment for accessing the protected data in the target service application;
And the third processing module is used for carrying out data processing on the protected data in the data access record to obtain the target access record.
In some optional embodiments, the obtaining means of the first configuration file includes:
The second acquisition module is used for acquiring and storing the first configuration file from the right configuration platform according to a preset period.
In some optional embodiments, the obtaining means of the first configuration file further includes:
The second receiving module is used for receiving the incremental first configuration file pushed by the permission configuration platform;
and the updating module is used for updating the first configuration file with the incremental first configuration file and saving the updated first configuration file.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The access control device of the application gateway in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the disclosure also provides a computer device, which is provided with the access control device of the application gateway shown in the figure 6.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a computer device according to an alternative embodiment of the disclosure. As shown in fig. 7, the computer device includes: one or more processors 10, memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 7.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device further comprises input means 30 and output means 40. The processor 10, memory 20, input device 30, and output device 40 may be connected by a bus or other means, for example in fig. 7.
The input device 30 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer device, and may be, for example, a touch screen, a keypad, a mouse, a trackpad, a touchpad, a pointer stick, one or more mouse buttons, a trackball, a joystick, and the like. The output device 40 may include a display device, auxiliary lighting means (e.g., LEDs), tactile feedback means (e.g., vibration motors), and the like. Such display devices include, but are not limited to, liquid crystal displays, light emitting diode displays and plasma displays. In some alternative implementations, the display device may be a touch screen.
Embodiments of the present disclosure also provide a computer-readable storage medium. The methods described above may be implemented in hardware or firmware, as software stored on a recordable storage medium, or as computer code that is originally stored in a remote storage medium or a non-transitory machine-readable storage medium, downloaded over a network and stored in a local storage medium, so that the methods described herein can be carried out by software held on a storage medium using a general-purpose computer, a special-purpose processor, or programmable or dedicated hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of the kinds of memory described above. It will be appreciated that a computer, processor, microprocessor, controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Portions of the present invention may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or aspects in accordance with the present invention by way of operation of the computer. Those skilled in the art will appreciate that the form of computer program instructions present in a computer readable medium includes, but is not limited to, source files, executable files, installation package files, etc., and accordingly, the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Herein, a computer-readable medium may be any available computer-readable storage medium or communication medium that can be accessed by a computer.
It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed and authorized of the type, usage range, usage scenario, etc. of the personal information related to the present disclosure in an appropriate manner according to the relevant legal regulations.
For example, in response to receiving an active request from a user, a prompt is sent to the user to explicitly prompt the user that the operation it is requesting to perform will require personal information to be obtained and used with the user. Thus, the user can autonomously select whether to provide personal information to software or hardware such as an electronic device, an application program, a server or a storage medium for executing the operation of the technical scheme of the present disclosure according to the prompt information.
As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
Although embodiments of the present disclosure have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the disclosure, and such modifications and variations are within the scope defined by the appended claims.
Claims (14)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410741996.5A CN118473814A (en) | 2024-06-07 | 2024-06-07 | Access control method, device, equipment, medium and program product of application gateway |
| PCT/CN2025/076611 WO2025251669A1 (en) | 2024-06-07 | 2025-02-10 | Access control method and apparatus for application gateway, and device, medium and program product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410741996.5A CN118473814A (en) | 2024-06-07 | 2024-06-07 | Access control method, device, equipment, medium and program product of application gateway |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118473814A true CN118473814A (en) | 2024-08-09 |
Family
ID=92157832
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410741996.5A Pending CN118473814A (en) | 2024-06-07 | 2024-06-07 | Access control method, device, equipment, medium and program product of application gateway |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN118473814A (en) |
| WO (1) | WO2025251669A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119544328A (en) * | 2024-11-27 | 2025-02-28 | 中国农业银行股份有限公司 | Content distribution network access control method, device, node, medium and product |
| WO2025251669A1 (en) * | 2024-06-07 | 2025-12-11 | 北京火山引擎科技有限公司 | Access control method and apparatus for application gateway, and device, medium and program product |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112131588A (en) * | 2020-09-25 | 2020-12-25 | 北京锐安科技有限公司 | Application access method, apparatus, electronic device and storage medium |
| WO2023274295A1 (en) * | 2021-06-30 | 2023-01-05 | 上海云盾信息技术有限公司 | Cloud-based internet access control method and apparatus, medium, device, and system |
| CN115701019A (en) * | 2021-07-14 | 2023-02-07 | 腾讯科技(深圳)有限公司 | Access request processing method and device of zero trust network and electronic equipment |
| CN116743472A (en) * | 2023-06-26 | 2023-09-12 | 新华三信息安全技术有限公司 | Resource access method, device, equipment and medium |
| CN117938515A (en) * | 2024-01-26 | 2024-04-26 | 中国农业银行股份有限公司 | Access request processing method and device, electronic equipment and storage medium |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8347368B2 (en) * | 2006-03-29 | 2013-01-01 | The Bank Of Tokyo-Mitsubishi Ufj, Ltd. | Apparatus, method, and program for validating user |
| CN104640114B (en) * | 2015-01-04 | 2018-09-11 | 中国联合网络通信集团有限公司 | A kind of verification method and device of access request |
| CN105426415A (en) * | 2015-10-30 | 2016-03-23 | Tcl集团股份有限公司 | Management method, device and system of website access request |
| CN115964687A (en) * | 2022-12-14 | 2023-04-14 | 武汉卓讯互动信息科技有限公司 | Block chain-based enterprise unified account authentication method and platform |
| CN118473814A (en) * | 2024-06-07 | 2024-08-09 | 北京火山引擎科技有限公司 | Access control method, device, equipment, medium and program product of application gateway |
- 2024-06-07: CN application CN202410741996.5A filed (publication CN118473814A, pending)
- 2025-02-10: PCT application PCT/CN2025/076611 filed (publication WO2025251669A1, pending)
Also Published As
| Publication number | Publication date |
|---|---|
| WO2025251669A1 (en) | 2025-12-11 |
Similar Documents
| Publication | Title |
|---|---|
| CN114902612B | Account protection service based on edge network |
| US11792194B2 | Microsegmentation for serverless computing |
| CN109547458B | Login verification method and device, computer equipment and storage medium |
| US10503545B2 | Universal security agent |
| US9154475B1 | User authentication and authorization in distributed security system |
| CN113341798A | Method, system, device, equipment and storage medium for remotely accessing application |
| US20140122716A1 | Virtual private network access control |
| CN118473814A | Access control method, device, equipment, medium and program product of application gateway |
| US10999080B2 | Dynamically analyzing third-party application website certificates across users to detect malicious activity |
| EP3042487B1 | Secured mobile communications device |
| US11784993B2 | Cross site request forgery (CSRF) protection for web browsers |
| CN117938962B | Network request scheduling method, device, equipment and medium for CDN |
| US12015594B2 | Policy integration for cloud-based explicit proxy |
| CN114745145A | Business data access method, device and equipment and computer storage medium |
| CN118159967A | Controlling access to computing resources implemented in an isolated environment |
| US8127033B1 | Method and apparatus for accessing local computer system resources from a browser |
| CN114124556A | Network access control method, device, equipment and storage medium |
| US8104077B1 | System and method for adaptive end-point compliance |
| US11695736B2 | Cloud-based explicit proxy with private access feature set |
| CN113901428A | Login method and device of multi-tenant system |
| CN118353719B | Access control method, system, device, medium and program product for application |
| CN110602134A | Method, device and system for identifying illegal terminal access based on session label |
| CN119382990B | Web application access proxy method and device in heterogeneous network environment |
| CN114157472A | Network access control method, device, equipment and storage medium |
| CN113872933A | Method, system, device, equipment and storage medium for hiding source station |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |