CN119046906A - User authority control method and device - Google Patents

Info

Publication number
CN119046906A
Authority
CN
China
Prior art keywords
user
interface
permission
authority
user interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411118508.1A
Other languages
Chinese (zh)
Inventor
孙众
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Cloud Information Technology Co Ltd filed Critical Inspur Cloud Information Technology Co Ltd
Priority to CN202411118508.1A priority Critical patent/CN119046906A/en
Publication of CN119046906A publication Critical patent/CN119046906A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a user permission control method and device that match a user's operation permissions against the operation permissions of the back-end interface layer, achieving finer-grained allocation of user permissions. The user permission control method comprises: obtaining preset user interface permissions; storing the user interface permissions through a first key value based on a hash structure; adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface; when a target interface is called, comparing the stored user interface permissions with the permission annotation of the target interface, the target interface being any back-end interface; and allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions.

Description

User authority control method and device
Technical Field
The present invention relates to the field of rights management technologies, and in particular, to a method and an apparatus for controlling user rights.
Background
With the rapid development of information technology, and in particular its wide application in fields such as cloud computing, big data, the Internet of Things and financial technology, user permission control has become a key link in guaranteeing system security, data privacy and business continuity. In practice, existing permission control mostly combines the RBAC model with the ACL model, and a common implementation consists of a user module, a role module and a permission module. User permissions are controlled by defining roles, defining permissions, assigning the permissions to roles, and then assigning the roles to users. The disadvantage of this approach is that a user's permissions are implicit: when the same page contains multiple operation buttons or multiple tab pages, and different buttons, or input boxes on different tab pages, require different permissions, the RBAC approach cannot achieve very fine-grained allocation, and allocating roles one by one causes a large amount of role redundancy.
Disclosure of Invention
The present invention has been made to solve the above technical problems. Embodiments of the invention provide a user permission control method and device that match a user's operation permissions against the operation permissions of the back-end interface layer, achieving finer-grained allocation of user permissions.
According to one aspect of the invention, a user permission control method is provided, comprising: obtaining preset user interface permissions; storing the user interface permissions through a first key value based on a hash structure; adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface; when a target interface is called, comparing the stored user interface permissions with the permission annotation of the target interface, the target interface being any back-end interface; and allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions.
In one embodiment, storing the user interface permissions through a first key value based on a hash structure comprises: when a user logs in, storing the preset user interface permissions corresponding to the user into a database, and storing the user interface permissions through the first key value; the user permission control method further comprises storing a user menu through a second key value.
In one embodiment, the user permission control method further comprises: adding a permission aspect, and defining the pointcut of the permission aspect as the permission annotation so that the aspect is woven into the interfaces; using around advice to obtain the method at the pointcut by reflection, so as to obtain the permission annotation on the method; obtaining the permission code of the interface based on the permission annotation on the method; and obtaining the ID of the current user through the context, so as to obtain the user interface permissions from the database.
In one embodiment, comparing the stored user interface permissions with the permission annotation of the target interface when the target interface is called comprises: comparing the permission code with the user interface permissions obtained from the database to obtain a comparison result; and allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions comprises: letting the method proceed in the aspect when the comparison result indicates that the permission code corresponds to the user interface permissions stored in the database.
In one embodiment, the user permission control method further comprises: presetting a front-end permission code at the front end; obtaining a user permission list from the user interface permissions stored through the first key value; when the front-end permission code exists in the user permission list, inserting a new view and displaying an operation button in the view, the operation button corresponding to the user interface permission; and when the front-end permission code does not exist in the user permission list, not displaying the operation button.
In one embodiment, the user permission control method further comprises: applying a custom directive, PermissionDirective, to each operation button that requires permission control; and adding the custom directive PermissionDirective to the container to control whether the operation button is shown or hidden.
In one embodiment, the user permission control method further comprises: when the permission annotation of the target interface does not exist in the stored user interface permissions, not allowing the interface to be called and issuing an exception prompt, the exception prompt reminding the user that they have no operation permission; and issuing a permission information prompt to the user based on the permission annotation of the target interface and the exception prompt, the permission information prompt informing the user that the permission required to perform the operation is missing.
In one embodiment, storing the user interface permissions through a first key value based on a hash structure comprises: creating a hash table to store the user's interface permission information; and inserting a first key-value pair into the hash table, wherein the key in the first key-value pair comprises a permission key and the first key value in the first key-value pair comprises the user interface permissions; the user permission control method comprises: based on a query instruction, looking up the corresponding user interface permissions through the key in the first key-value pair.
In one embodiment, the user permission control method comprises: when a permission change occurs for a first target user interface permission among the user interface permissions, looking up the corresponding first target user interface permission through the key in the first key-value pair and performing the change; recording change information of the first target user interface permission; analyzing the change information to obtain a user permission change record; and overwriting the first target user interface permission with the new user interface permission and storing the new user interface permission.
According to another aspect of the invention, a user permission control device is provided. The device comprises: an acquisition module for obtaining preset user interface permissions; a storage module for storing the user interface permissions through a first key value based on a hash structure; an annotation module for adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface; a comparison module for comparing the stored user interface permissions with the permission annotation of the target interface when the target interface is called, the target interface being any back-end interface; and a calling module for allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions.
With the user permission control method and device of the invention, user permissions are stored in a hash structure, so multiple keys can be defined, which is more flexible; the user operation permissions held in the in-memory data are matched against the operation permissions of the back-end interface layer to control user operation permissions, so that finer-grained permission allocation is achieved and the security of the interfaces is ensured.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following more detailed description of embodiments of the invention with reference to the attached drawings. The accompanying drawings provide a further understanding of embodiments of the invention, are incorporated in and constitute a part of this specification, and serve together with the embodiments to explain the invention; they do not constitute a limitation of the invention. In the drawings, like reference numerals generally refer to like parts or steps.
Fig. 1 is a flowchart of a user right control method according to an exemplary embodiment of the present invention.
Fig. 2 is a flowchart illustrating a user right control method according to another exemplary embodiment of the present invention.
Fig. 3 is a schematic structural view of a user right control device according to an exemplary embodiment of the present invention.
Detailed Description
Hereinafter, exemplary embodiments according to the present invention will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present invention and not all embodiments of the present invention, and it should be understood that the present invention is not limited by the example embodiments described herein.
Fig. 1 is a flowchart of a user right control method according to an exemplary embodiment of the present invention, where, as shown in fig. 1, the user right control method includes:
S100, acquiring preset user interface permission.
Permissions are defined, roles are defined, and the preset user interface permissions are then formed by assigning permissions to the roles. For example, a Role-Based Access Control (RBAC) model may be used as the basis for permission allocation; it controls access to system resources (e.g., data, application functions) by assigning specific roles to different users or user groups. The core concepts of the RBAC model are as follows. Role: the basic unit of the RBAC model, representing a set of permissions; each role is given the right to perform specific operations or to access specific resources. User: the actual operator of the system, who obtains the corresponding permissions by being assigned to roles; a user may be assigned one or more roles, but each role is typically associated with multiple users. Permission: the right to perform a specific operation or to access a specific resource; in the RBAC model, permissions are not assigned to users directly but indirectly, through roles. Session: the process in which a user interacts with the system; sessions track the state of a user's roles and permissions over a specific period of time, to keep permissions dynamic and timely. Constraint: a restriction on how roles, users and permissions, and the relationships between them, are assigned. Constraints help ensure the security and compliance of the system, for example by preventing permission conflicts between roles or users holding excessive permissions.
S200, storing the user interface authority through a first key value based on the hash structure.
A hash structure, also known as a hash table, is an important data structure for storing key-value pairs. It locates data by computing the hash value of a key, so data can be accessed quickly. Hash tables are also generally more space-efficient for storing key-value pairs than other data structures (e.g., balanced binary trees), because they do not need to maintain additional structures (e.g., the node links of a tree) to preserve the order of the data. When an RBAC-based application stores a user's permissions, instead of using the traditional list data type, the user's menu permissions and data permissions are combined and the list data type is extended to a hash type: user permissions are stored in a Redis hash structure, in which multiple keys can be defined; for example, the user's list permissions and operation permissions are stored under two separate key values.
S300, adding a permission annotation to each back-end interface.
The value of the annotation represents the permission code of the interface.
A permission annotation is added to each RESTful-style interface, and the value of the annotation is the permission code of the interface, i.e. permission_code. A RESTful interface is a Web service interface that follows REST (Representational State Transfer) principles. REST is a software architecture style that defines how the APIs (application programming interfaces) of Web applications are designed so that they can be accessed and used by different clients (e.g., Web browsers, mobile devices, desktop applications) in a uniform and predictable manner. RESTful interface design aims to provide a simple, intuitive and extensible way to build Web services, and lets developers create APIs that are easy to understand and use and that various clients can access in a unified manner. Because RESTful interfaces follow the standards and best practices of the HTTP protocol, they are widely compatible and interoperable and integrate readily with a variety of client and server technologies. The scope of the permission annotation is the method level, i.e. METHOD, meaning that the annotation is used to attach additional information or instructions to a method.
S400, when the target interface is called, comparing the stored user interface permissions with the permission annotation of the target interface.
The target interface is any one of the back-end interfaces.
A permission annotation is set for each back-end interface. If the stored user interface permissions correspond to the permission annotation of the back-end interface, the back-end interface may be called; if they do not correspond, the user has no permission to call the back-end interface.
S500, allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions.
For example, the ID of the current user is obtained, and then the user interface rights are obtained. The rights annotation of the back-end interface is compared with the stored user interface rights obtained, and if the rights annotation is included in the user's interface rights list, the target interface is allowed to be invoked.
In one embodiment, S200 (storing user interface rights through a first key value based on a hash structure) comprises storing preset user interface rights corresponding to a user in a database when the user logs in, and storing the user interface rights through the first key value, wherein the user rights control method can further comprise storing a user menu through a second key value.
To improve read efficiency and avoid querying the database on every interface call, Redis is used as an in-memory database: after a user logs in, the user's operation permissions are put into the Redis in-memory database as a query cache. In addition, the Redis hash structure allows multiple keys to be defined for storing user permissions; for example, a "permission" key (first key value) stores the user interface permissions and a "menus" key (second key value) stores the user menu, so the data is stored clearly and the two do not interfere with each other.
Fig. 2 is a flowchart of a user right control method according to another exemplary embodiment of the present invention, where, as shown in fig. 2, the user right control method may further include:
S600, adding a permission aspect, and defining the pointcut of the permission aspect as the permission annotation, so that the aspect is woven into the interfaces.
AOP (aspect-oriented programming) is a programming paradigm that aims to improve the maintainability, reusability and modularity of software. By separating cross-cutting concerns, AOP encapsulates common behaviour that is spread across multiple parts of an application (e.g., logging, transaction management, security control) into a reusable module called an "aspect". A pointcut specifies which join points (i.e., which methods) are to be enhanced, and a pointcut expression defines the rule for selecting those join points. An aspect consists of a pointcut and advice, which define where (pointcut) and how (advice) the cross-cutting concern is applied. For example, using @Pointcut("@annotation()"), the aspect can be woven into the interfaces.
S700, using around advice to obtain the method at the pointcut by reflection, so as to obtain the permission annotation on the method.
To decouple the code, the invention uses the AOP facility of the Spring framework and defines a custom permission aspect. When a back-end interface is called, around advice is applied and the user's permissions are obtained via the Spring context, so that it can be determined whether the user has permission to use the interface. Meanwhile, a custom permission annotation is defined and the control is added at the Controller layer, which further decouples the code and improves its readability and extensibility. Around advice is used not only to control the execution flow of the method but also to obtain or manipulate information about the method at the pointcut through the reflection mechanism. Around advice (AroundAdvice) is an advice type in AOP that intercepts the target method before and after execution and can decide whether to proceed with the target method, return its own return value, or throw an exception to end execution. Around advice has complete control and can obtain all information about the target method, including its parameters, its return value and the operations before and after the method call. Unlike other advice types (such as before advice and after advice), around advice can perform custom operations both before and after the target method executes and can fully control its execution. Reflection is a mechanism provided by programming languages such as Java that allows a program to examine or modify the behaviour of a class at runtime. Through reflection, class information (e.g., methods, fields) can be obtained and methods can be invoked dynamically.
S800, acquiring the authority codes of the interfaces based on the authority annotation on the method.
Through the Java reflection API, the annotation information of a class, including the annotations on its methods, can be accessed. Code may be written to traverse all methods of the class, check each method for a permission annotation and, if one is present, read the permission code from it. In other words, one or more permission identifiers (permission codes) are assigned to an interface method by means of the annotation, and permission verification is then performed at run time based on these identifiers.
S900, acquiring the ID of the current user through the context so as to acquire the user interface authority from the database.
In Spring Security, obtaining the ID of the current user typically involves accessing the Spring Security context (SecurityContext), for example through SecurityContextHolder and the Authentication object it holds. The user interface permissions can then be obtained from the Redis in-memory database based on the user ID.
In one embodiment, S400 (comparing the stored user interface permissions with the permission annotation of the target interface when the target interface is called) comprises comparing the permission code with the user interface permissions obtained from the database to obtain a comparison result, and S500 (allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permissions) comprises letting the method proceed in the aspect when the comparison result indicates that the permission code corresponds to the user interface permissions stored in the database.
Around advice is used to obtain the method at the pointcut by reflection; the annotation on the method is then read to obtain the permission code. The ID of the current user is obtained through the Spring Security context, and the user interface permissions are then fetched from Redis. The permission code on the method is compared with the permission codes assigned to the user that were fetched from Redis: if the method's permission code is contained in the user's permission list, the method is allowed to proceed in the aspect. If it is not contained, an exception is thrown and the user is reminded that they lack the operation permission.
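The back-end check of S600 to S900 together with S400 and S500, as an added example that is not code from the patent: a JDK dynamic proxy stands in for the Spring AOP around advice, a map for the Redis hash and a ThreadLocal for the security context. The annotation name RequiresPermission, the OrderApi interface, the "user:<id>" key format and the permission codes are assumptions, and the example refuses methods that carry no annotation, a choice the page does not specify.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PermissionCheckDemo {

    /** Hypothetical method-level annotation; its value is the interface's permission code. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresPermission {
        String value();
    }

    /** Hypothetical back-end interface (constructed for this example). */
    interface OrderApi {
        @RequiresPermission("order:read")
        String listOrders();

        @RequiresPermission("order:delete")
        String deleteOrder(long id);

        String exportAll(); // annotation forgotten: refused by guard() (assumption)
    }

    static class OrderService implements OrderApi {
        public String listOrders() { return "orders"; }
        public String deleteOrder(long id) { return "deleted " + id; }
        public String exportAll() { return "export"; }
    }

    static class PermissionDeniedException extends RuntimeException {
        PermissionDeniedException(String message) { super(message); }
    }

    /** Stand-in for the Redis hash: user key -> field ("permissions", "menus") -> values. */
    static final Map<String, Map<String, Set<String>>> CACHE = new ConcurrentHashMap<>();

    /** Stand-in for the security context that supplies the current user's ID. */
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    /** Wraps target so that every interface call is checked first, as around advice would. */
    @SuppressWarnings("unchecked")
    static <T> T guard(T target, Class<T> api) {
        return (T) Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[] {api},
            (proxy, method, args) -> {
                if (method.getDeclaringClass() == Object.class) {
                    return method.invoke(target, args); // toString/equals/hashCode
                }
                // Read the permission code from the annotation by reflection.
                RequiresPermission required = method.getAnnotation(RequiresPermission.class);
                if (required == null) {
                    throw new PermissionDeniedException(
                        method.getName() + ": no permission code declared");
                }
                String userId = CURRENT_USER.get();
                if (userId == null) {
                    throw new PermissionDeniedException("no authenticated user in context");
                }
                // A missing cache entry or a missing field yields an empty set, i.e. deny.
                Set<String> granted = CACHE.getOrDefault("user:" + userId, Map.of())
                                           .getOrDefault("permissions", Set.of());
                if (!granted.contains(required.value())) {
                    throw new PermissionDeniedException(
                        "user " + userId + " lacks permission " + required.value());
                }
                try {
                    return method.invoke(target, args); // let the call proceed
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the target's own exception
                }
            });
    }

    public static void main(String[] argv) {
        // Constructed sample data: what login would have cached for user 1001.
        CACHE.put("user:1001", Map.of(
            "permissions", Set.of("order:read"),
            "menus", Set.of("orders")));
        OrderApi api = guard(new OrderService(), OrderApi.class);

        CURRENT_USER.set("1001");
        System.out.println(api.listOrders());          // code is in the user's list
        Runnable[] refusedCalls = {
            () -> api.deleteOrder(7),                   // code not in the user's list
            api::exportAll                              // method without annotation
        };
        for (Runnable call : refusedCalls) {
            try {
                call.run();
            } catch (PermissionDeniedException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
        CURRENT_USER.remove();
        try {
            api.listOrders();                           // no user in context
        } catch (PermissionDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

With a pointcut that matches only annotated methods, as the page describes, an interface method whose annotation was forgotten is not checked at all; the refusal in guard() is one way to make that omission visible.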
In one embodiment, the user right control method further comprises the steps of presetting a front-end right code at the front end, obtaining a user right list through the user interface right stored by the first key value, inserting a new view when the front-end right code exists in the user right list, and displaying an operation button in the view, wherein the operation button corresponds to the user interface right, and when the front-end right code does not exist in the user right list, the operation button is not displayed.
In addition to permission matching at the back end, a custom directive is used in front ends built on the Angular framework: wherever a button or operation requires a permission check, the custom directive determines whether the user holds the permission, and in this way controls whether certain buttons or options are present. For example, a permission code is preset in the front-end code, and the user's code list is obtained from the back-end user login interface; if the list includes the code of the operation, the button is displayed normally, otherwise the button or component is invisible to the user.
In one embodiment, the user permission control method may further include applying a custom directive, PermissionDirective, to each operation button that requires permission control, and adding the custom directive PermissionDirective to the container to control whether the operation button is shown or hidden.
For example, an operation permission is defined with the code opereate. The user interface permissions stored in the Redis in-memory database are obtained through the back-end interface, and it is then determined whether the code opereate is among them; if so, the view is instantiated through the createEmbeddedView method of ViewContainerRef and the corresponding operation button is displayed. That is, wherever the front-end page has a component that requires permission control, a check is added so that only users holding the permission can see the button or perform the operation, which further improves the user's operating experience, improves the security of the system and reduces the risk of misoperation.
In one embodiment, the user permission control method further comprises: when the permission annotation of the target interface is not in the stored user interface permissions, not allowing the interface to be called and issuing an exception prompt, the exception prompt reminding the user that they have no operation permission; and issuing a permission information prompt to the user based on the permission annotation of the target interface and the exception prompt, the permission information prompt informing the user that the permission required to perform the operation is missing.
If the permission annotation of the target interface does not exist in the stored user interface permissions, an exception is thrown to remind the user that they have no operation permission. In addition, a permission information prompt, such as an error message or a pop-up, can be issued to tell the user explicitly that the permission required to perform the operation is missing; the message can contain enough context for the user to understand why the permission is required and how it affects the function of the application. If the application's functionality can be partially provided without relying entirely on the permission, alternative or degraded functionality can be offered to the user. The user's choice after a permission is found to be missing is recorded, so that the same prompt is not sent to the user repeatedly.
In one embodiment, S200 (storing the user interface permissions through a first key value based on a hash structure) comprises: creating a hash table to store the user's interface permission information; and inserting a first key-value pair into the hash table, wherein the key in the first key-value pair comprises a permission key and the first key value in the first key-value pair comprises the user interface permissions; the user permission control method comprises: based on a query instruction, looking up the corresponding user interface permissions through the key in the first key-value pair.
In a hash structure, each key is unique and uniquely identifies a value. For example, the data type of the user permissions in the original in-memory database is modified: using the hash structure, a permissions key (the permission key) is added to store the user's interface permissions, and the user menu is stored under the menus key. That is, the Redis data type is designed as follows:
Key: "permissions": permisson_1, permisson_2, ......
Key: "menus": menu 1, menu 2, menu 3.
A hash function is applied to the permissions key to obtain the corresponding hash value; the hash value is used as an index to locate the corresponding bucket (or slot) in the hash table; and the bucket or its linked list is searched for the key-value pair (i.e. the user interface permissions) matching the given key. If the pair is found, the corresponding user interface permissions are returned; if it is not found, a value indicating that the key was not found (such as no authority, null, none, 1 and the like) is generally returned.
In one embodiment, the user permission control method can include: when a permission change occurs for a first target user interface permission among the user interface permissions, looking up the corresponding first target user interface permission through the key in the first key-value pair and performing the change; recording change information of the first target user interface permission; analyzing the change information to obtain a user permission change record; and overwriting the first target user interface permission with the new user interface permission and storing the new user interface permission.
If a user interface permission needs to be added, a hash function is applied to the key to obtain a hash value, the hash value locates a specific bucket (or slot) in the hash table, and the new key-value pair is inserted into that bucket. If a user interface permission needs to be deleted, the user interface permission matching the key to be deleted is found and removed from the bucket. If a user interface permission needs to be modified, the hash value of the key is computed to locate the corresponding bucket, the elements in the bucket are traversed to find the user interface permission matching the key to be modified, and the found permission is replaced with the new user interface permission. If an attempt is made to insert a key that already exists, the old value for that key is typically overwritten. In addition, the change information is analyzed to determine how and why the user's permissions changed, as a reference for subsequent permission adjustments.
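The change procedure described above, as an added example that is not code from the patent: the change is recorded as a set difference, the stored permissions are overwritten with the new set, and the "menus" field is left untouched. A HashMap stands in for the Redis hash; the ChangeRecord format, the "user:1001" key and the permission codes are assumptions, and the code needs Java 16 or later for records.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

public class PermissionChangeDemo {

    /** One change record: the codes a change added and removed (constructed format). */
    record ChangeRecord(String userKey, Set<String> added, Set<String> removed, Instant at) {}

    // Stand-in for the Redis hash: user key -> field ("permissions", "menus") -> values.
    private final Map<String, Map<String, Set<String>>> cache = new HashMap<>();
    private final List<ChangeRecord> changeLog = new ArrayList<>();

    /** Looks up the interface permissions through the "permissions" key; empty if absent. */
    Set<String> permissions(String userKey) {
        return cache.getOrDefault(userKey, Map.of()).getOrDefault("permissions", Set.of());
    }

    /** Writes one field of the user's hash without touching the other fields. */
    void putField(String userKey, String field, Set<String> values) {
        cache.computeIfAbsent(userKey, k -> new HashMap<>()).put(field, Set.copyOf(values));
    }

    /** Records what changed, then overwrites the stored permissions with the new set. */
    ChangeRecord change(String userKey, Set<String> newCodes) {
        Set<String> old = permissions(userKey);
        Set<String> added = new TreeSet<>(newCodes);
        added.removeAll(old);
        Set<String> removed = new TreeSet<>(old);
        removed.removeAll(newCodes);
        ChangeRecord rec = new ChangeRecord(userKey, added, removed, Instant.now());
        if (!added.isEmpty() || !removed.isEmpty()) {
            changeLog.add(rec); // writes that change nothing are not logged
        }
        putField(userKey, "permissions", newCodes);
        return rec;
    }

    /** Analysis over the change log: every code that was ever removed from the user. */
    Set<String> revokedHistory(String userKey) {
        Set<String> out = new TreeSet<>();
        for (ChangeRecord r : changeLog) {
            if (r.userKey().equals(userKey)) {
                out.addAll(r.removed());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        PermissionChangeDemo store = new PermissionChangeDemo();
        // Constructed sample data for the user key "user:1001".
        store.putField("user:1001", "menus", Set.of("orders"));
        store.change("user:1001", Set.of("order:read", "order:delete"));
        ChangeRecord rec = store.change("user:1001", Set.of("order:read", "order:export"));

        System.out.println("added=" + rec.added() + " removed=" + rec.removed());
        System.out.println("delete still granted: "
            + store.permissions("user:1001").contains("order:delete"));
        System.out.println("menus field: " + store.cache.get("user:1001").get("menus"));
        System.out.println("revoked so far: " + store.revokedHistory("user:1001"));
    }
}
```

Because interface checks read the cached copy, a removed code stops being honoured only once the stored set has been overwritten.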
In summary, the invention is applied on a Spring Boot back-end framework and an Angular or Vue front-end framework, and involves the Redis in-memory database, a Spring-based custom permission annotation and a Spring AOP-based permission aspect. In essence, it controls user operation permissions by matching the user operation permissions held in memory against the operation permissions of the back-end interface layer. User permissions can thus be allocated on top of the permissions allocated by the RBAC model, which supplements the RBAC model. On the one hand, finer-grained permission allocation is enforced at the back end, ensuring the security of the interfaces; on the other hand, the front end can hide a given button or change how other components are displayed, improving the user experience.
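The back-end flow summarized above (permissions held under a hash key, a permission annotation on each interface, an aspect that compares the two and rejects the call otherwise, and overwrite with a change record on update), as an added example that is not the patent's or the applicant's code. It assumes plain Java, with a `java.lang.reflect.Proxy` standing in for the Spring AOP around advice and a `ConcurrentHashMap` standing in for the Redis hash; `RequiresPermission`, `OrderApi`, the `permissions:<userId>` key and the permission codes are hypothetical, and denying unannotated methods is this example's own choice.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class PermissionAspectDemo {
    // Hypothetical annotation; its value is the interface's permission code.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresPermission { String value(); }

    // Hypothetical back-end interface with constructed permission codes.
    interface OrderApi {
        @RequiresPermission("order:read")   String list();
        @RequiresPermission("order:delete") String delete(long id);
        String export();                    // left unannotated on purpose
    }

    static class OrderService implements OrderApi {
        public String list() { return "orders"; }
        public String delete(long id) { return "deleted " + id; }
        public String export() { return "csv"; }
    }

    // In-memory stand-in for the Redis hash: "permissions:<userId>" -> permission codes.
    static final Map<String, Set<String>> STORE = new ConcurrentHashMap<>();
    static final List<String> CHANGE_LOG = new ArrayList<>();
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Overwrite the value stored under the key and record what changed.
    static void setPermissions(String userId, Set<String> codes) {
        Set<String> old = STORE.put("permissions:" + userId, Set.copyOf(codes));
        CHANGE_LOG.add(userId + ": " + old + " -> " + codes);
    }

    // Plays the around advice: read the annotation by reflection, compare, proceed or reject.
    @SuppressWarnings("unchecked")
    static <T> T guard(T target, Class<T> api) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresPermission ann = method.getAnnotation(RequiresPermission.class);
            Set<String> granted = STORE.getOrDefault("permissions:" + CURRENT_USER.get(), Set.of());
            if (ann == null || !granted.contains(ann.value())) {
                throw new SecurityException("no operation permission; required: "
                        + (ann == null ? "<unannotated, denied by default>" : ann.value()));
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[]{api}, h);
    }

    public static void main(String[] args) {
        OrderApi api = guard(new OrderService(), OrderApi.class);
        CURRENT_USER.set("u1001");                       // constructed user ID
        setPermissions("u1001", Set.of("order:read"));
        System.out.println(api.list());
        for (Runnable call : List.<Runnable>of(() -> api.delete(7), api::export)) {
            try { call.run(); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        }
        setPermissions("u1001", Set.of("order:read", "order:delete"));
        System.out.println(api.delete(7));               // allowed after the change
        System.out.println(CHANGE_LOG);
    }
}
```

Run it with `java PermissionAspectDemo.java` on JDK 11 or later. The rejection message names the required permission code, which corresponds to the permission information prompt the description mentions.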
Fig. 3 is a schematic structural diagram of a user rights control device according to an exemplary embodiment of the present invention. As shown in Fig. 3, the user rights control device 3 includes: an obtaining module 31 for obtaining preset user interface rights; a storage module 32 for storing the user interface rights through a first key value based on a hash structure; an annotating module 33 for adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface; a comparing module 34 for comparing the stored user interface rights with the permission annotation of a target interface when the target interface is invoked, wherein the target interface is any one of the back-end interfaces; and a calling module 35 for allowing the target interface to be invoked when the permission annotation of the target interface exists in the stored user interface rights.
Because the user authority control device provided by the invention stores the user permissions in a hash structure, multiple keys can be defined, which is more flexible. By matching the user operation permissions held in memory against the operation permissions of the back-end interface layer, it controls user operation permissions, thereby achieving finer-grained permission allocation and ensuring the security of the interfaces.
In an embodiment, the storage module 32 may be configured to store, when a user logs in, the preset user interface rights corresponding to the user in the database, and to store the user interface rights using a first key value, wherein the user rights control method further includes storing a user menu through a second key value.
In an embodiment, the user permission control device 3 may be further configured to add a permission aspect, define the pointcut of the permission aspect on the permission annotation so that it is woven into the interfaces, use around advice to obtain the pointcut's method by reflection and read the permission annotation on the method, obtain the permission code of the interface from the permission annotation on the method, and obtain the ID of the current user through the context in order to acquire the user interface permissions from the database.
In an embodiment, the comparison module 34 may be configured to compare the permission code with the user interface permissions obtained from the database to obtain a comparison result, wherein the invoking module 35 may be correspondingly configured to let the method proceed in the aspect when the comparison result indicates that the permission code corresponds to the user interface permissions stored in the database.
In an embodiment, the user permission control device 3 may be further configured to preset a front-end permission code at the front end, obtain a user permission list through the user interface permission stored by the first key value, insert a new view when the front-end permission code exists in the user permission list, and display an operation button in the view, wherein the operation button corresponds to the user interface permission, and not display the operation button when the front-end permission code does not exist in the user permission list.
In an embodiment, the user rights control device 3 may be further configured to apply the custom directive PermissionDirective to the operation buttons that require permission control, and to add the custom directive PermissionDirective to the container to control whether the operation buttons are shown or hidden.
In an embodiment, the user rights control device 3 may be further configured to, when the permission annotation of the target interface is not present in the stored user interface rights, not allow the interface to be invoked and issue an exception prompt, wherein the exception prompt is used for reminding the user that there is no operation permission; and to issue a permission information prompt to the user based on the permission annotation of the target interface and the exception prompt, wherein the permission information prompt is used for telling the user which permission required for the operation is missing.
In one embodiment, the storage module 32 may be configured to create a hash table to store the interface permission information of a user and insert a first key-value pair into the hash table, wherein the key in the first key-value pair comprises a permission key and the value in the first key-value pair comprises the user interface permission, and wherein the user rights control method comprises looking up the corresponding user interface permission through the key in the first key-value pair based on a query instruction.
In an embodiment, the user rights control device 3 may be further configured to, when a permission change occurs in a first target user interface permission among the user interface permissions, look up the corresponding first target user interface permission through the key in the first key-value pair and execute the change; to record change information of the first target user interface permission and analyze the change information to obtain a user permission change record; and to overwrite the first target user interface permission with the new user interface permission and store it.
The embodiment of the invention provides a user authority control device. The apparatus embodiments may be implemented by software, or may be implemented by hardware or a combination of hardware and software. In addition to the CPU, memory, network interfaces, and non-volatile storage, the device in which the apparatus of the embodiments is located may generally include other hardware, such as a forwarding chip responsible for processing the packet, and so on. Taking software implementation as an example, the device in a logic sense is formed by reading corresponding computer program instructions in a nonvolatile memory into a memory by a CPU of a device where the device is located.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing a computer program for executing the user right control method of any one of the above embodiments.
In addition to the methods and apparatus described above, embodiments of the invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform steps in a user rights control method according to various embodiments of the invention described in the "exemplary methods" section of this specification.
According to another aspect of the present invention, there is provided an electronic device comprising a processor and a memory for storing processor-executable instructions, wherein the processor is configured to perform the user rights control method of any of the embodiments described above.
Furthermore, embodiments of the present invention may also be a computer-readable storage medium, having stored thereon computer program instructions, which when executed by a processor, cause the processor to perform the steps in a user rights control method according to various embodiments of the present invention described in the "exemplary method" section of the present specification.
The foregoing describes only preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement, improvement or the like may be made within the spirit and principles of the invention.

Claims (10)

1. A user rights control method, comprising:
acquiring preset user interface rights;
storing the user interface rights through a first key value based on a hash structure;
adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface;
when a target interface is called, comparing the stored user interface permission with the permission annotation of the target interface, wherein the target interface is any one of the back-end interfaces;
when the permission annotation of the target interface exists in the stored user interface permission, allowing the target interface to be invoked.
2. The user authority control method according to claim 1, wherein storing the user interface authority through a first key value based on a hash structure, comprises:
when a user logs in, storing preset user interface rights corresponding to the user in a database, and storing the user interface rights by adopting a first key value;
the user authority control method further comprises:
storing the user menu through a second key value.
3. The user rights control method of claim 2, wherein the user rights control method further comprises:
adding a permission aspect, and defining the pointcut of the permission aspect on the permission annotation so that it is woven into the interfaces;
using around advice to obtain the pointcut's method by reflection, so as to acquire the permission annotation on the method;
acquiring the permission code of the interface based on the permission annotation on the method;
and acquiring the ID of the current user through the context so as to acquire the user interface permission from the database.
4. The user rights control method according to claim 3, wherein, when a target interface is invoked, comparing the stored user interface permission with the permission annotation of the target interface comprises:
comparing the permission code with the user interface permissions obtained from the database to obtain a comparison result;
wherein, when the permission annotation of the target interface exists in the stored user interface permissions, allowing the target interface to be invoked comprises:
when the comparison result shows that the permission code corresponds to the user interface permissions stored in the database, letting the method proceed in the aspect.
5. The user rights control method of claim 1, wherein the user rights control method further comprises:
presetting a front-end authority code at the front end;
obtaining a user authority list through the user interface authority stored by the first key value;
inserting a new view and displaying an operation button in the view when the front-end authority code exists in the user authority list, wherein the operation button corresponds to the user interface authority;
when the front-end authority code does not exist in the user authority list, not displaying the operation button.
6. The user rights control method of claim 5, wherein the user rights control method further comprises:
applying the custom directive PermissionDirective to the operation buttons that require permission control;
and adding the custom directive PermissionDirective to the container to control whether the operation buttons are shown or hidden.
7. The user rights control method of claim 1, wherein the user rights control method further comprises:
when the permission annotation of the target interface does not exist in the stored user interface permission, not allowing the interface to be called and issuing an exception prompt, wherein the exception prompt is used for reminding the user that the user has no operation permission;
and sending a permission information prompt to the user based on the permission annotation of the target interface and the exception prompt, wherein the permission information prompt is used for telling the user which permission required for the operation is missing.
8. The user authority control method according to claim 1, wherein storing the user interface authority through a first key value based on a hash structure, comprises:
creating a hash table to store interface authority information of a user;
inserting a first key-value pair into the hash table, wherein the key in the first key-value pair comprises a permission key, and the value in the first key-value pair comprises the user interface permission;
the user rights control method comprises:
looking up the corresponding user interface permission through the key in the first key-value pair based on a query instruction.
9. The user right control method according to claim 8, characterized in that the user right control method comprises:
when a permission change occurs in a first target user interface permission among the user interface permissions, looking up the corresponding first target user interface permission through the key in the first key-value pair, and executing the change;
recording change information of the first target user interface permission, and analyzing the change information to obtain a user permission change record;
overwriting the first target user interface permission with the new user interface permission and storing it.
10. A user rights control apparatus, comprising:
an acquisition module, used for acquiring preset user interface rights;
a storage module, used for storing the user interface permission through a first key value based on a hash structure;
an annotation module, used for adding a permission annotation to each back-end interface, wherein the value of the annotation represents the permission code of the interface;
a comparison module, used for comparing the stored user interface permission with the permission annotation of the target interface when the target interface is called, wherein the target interface is any one of the back-end interfaces;
and a calling module, used for allowing the target interface to be called when the permission annotation of the target interface exists in the stored user interface permission.
CN202411118508.1A 2024-08-15 2024-08-15 User authority control method and device Pending CN119046906A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411118508.1A CN119046906A (en) 2024-08-15 2024-08-15 User authority control method and device

Publications (1)

Publication Number Publication Date
CN119046906A true CN119046906A (en) 2024-11-29

Family

ID=93586863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411118508.1A Pending CN119046906A (en) 2024-08-15 2024-08-15 User authority control method and device

Country Status (1)

Country Link
CN (1) CN119046906A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination