CN111787008A - Access control method, device, electronic equipment and computer readable storage medium - Google Patents
- Publication number: CN111787008A (application CN202010623781.5A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The application provides an access control method, an access control device, an electronic device and a computer-readable storage medium, wherein the method is applied to a gateway device, and the access control method comprises the following steps: acquiring an access request sent by an external device; analyzing the access request to determine the access attribute information carried by the access request; determining whether the access request is an access admission request according to the access attribute information; and if the access request is an access admission request, sending the access request to a server associated with the gateway device. By the method in the embodiments of the application, the security of server access can be improved.
Description
Technical Field
The present application relates to the field of network technologies, and in particular, to an access control method, an access control apparatus, an electronic device, and a computer-readable storage medium.
Background
In some crowdsourcing applications, the services provided by the server are applicable only to a portion of the users. For example, an application service inside an enterprise is used only by the enterprise's internal employees, and to improve the security of that service, a method of restricting access by external employees is generally adopted. For example, the enterprise's internal application service can be accessed only from the company's internal network; with this processing mode, however, access cannot be achieved outside the company, which reduces the applicability of the internal application service.
Disclosure of Invention
The application aims to provide an access control method, an access control device, an electronic device and a computer readable storage medium, which can improve the security of server access.
In a first aspect, an embodiment of the present application provides an access control method, which is applied to a gateway device, where the access control method includes:
acquiring an access request sent by external equipment;
analyzing the access request to determine access attribute information carried by the access request;
determining whether the access request is an access admission request or not according to the access attribute information;
and if the access request is an access admission request, sending the access request to a server associated with the gateway equipment.
In an optional embodiment, the analyzing the access request to determine the access attribute information carried by the access request includes:
acquiring header information of the access request;
and determining the access attribute information carried by the access request according to the header information.
In the method in this embodiment, since the header carries information about the transmission source of the access, the security of the transmission source can be verified by identifying the header, so that the security of server access can be improved.
In an alternative embodiment, the access request comprises an access request sent by a target application on the external device, and the access attribute information comprises application information and user information; the analyzing the access request to determine the access attribute information carried by the access request includes:
analyzing the access request, and determining application program information and user information corresponding to the access request;
the determining whether the access request is an access admission request according to the access attribute information includes:
and determining whether the access request is an access admission request or not according to the application program information and the user information.
In the method in this embodiment, the relevant information of the application program can be adaptively checked for an access request sent by the application program, so that security checks can be adapted to different scenarios.
In an optional embodiment, the determining whether the access request is an access admission request according to the application information and the user information includes:
judging whether the target application program is a virtual safe area application program or not according to the application program information;
judging whether a user account corresponding to the user information is a legal user or not according to the user information;
if the target application program is a virtual safe area application program and the user account corresponding to the user information is a legal user, determining that the access request is an access admission request;
and if the target application program is not a virtual safe area application program or the user account corresponding to the user information is not a legal user, determining that the access request is not an access admission request.
In the method in this embodiment, by authenticating both the application and the user, the security of the access request can be checked in multiple dimensions, so that the security of the server access can be further improved.
In an alternative embodiment, the access request includes an access request sent by a target browser on the external device, and the access attribute information includes browser information and user information; the analyzing the access request to determine the access attribute information carried by the access request includes:
analyzing the access request, and determining browser information and user information corresponding to the access request;
the determining whether the access request is an access admission request according to the access attribute information includes:
judging whether the target browser is a safe browser or not according to the browser information;
judging whether a user account corresponding to the user information is a legal user or not according to the user information;
if the target browser is a safe browser and the user account corresponding to the user information is a legal user, determining that the access request is an access admission request;
and if the target browser is not a safe browser or the user account corresponding to the user information is not a legal user, determining that the access request is not an access admission request.
In the method in this embodiment, the relevant information of the browser can be adaptively checked for an access request sent by the browser, so that security checks can be adapted to different scenarios.
In an optional embodiment, an admission rule is stored in the gateway device; the determining whether the access request is an access admission request according to the access attribute information includes:
matching the access attribute information with the admission rule to determine whether the access attribute information conforms to the limited range of the admission rule;
if the access attribute information conforms to the limited range of the admission rule, determining that the access request is an admission access request;
and if the access attribute information does not conform to the limited range of the admission rule, determining that the access request is not an admission access request.
In the method in this embodiment, an admission rule may be stored in the gateway device in advance, and it may be determined quickly whether the access information meets the access condition through matching of the rule, so that the detection speed of the access request may be increased.
In an optional embodiment, the admission rule includes one or more of an admission device list, a limited transmission source list, and an admission user list, and the matching the access attribute information with the admission rule to determine whether the access attribute information conforms to the limited range of the admission rule includes:
matching the access attribute information with at least one of the admission device list, the limited transmission source list and the admission user list to determine whether the access request is an access request transmitted by a transmission source limited in the admission device list, the limited transmission source list or the admission user list;
and if the access request is not an access request transmitted by a transmission source limited in the admission device list, the limited transmission source list and/or the admission user list, determining that the access request is not an admission access request.
In the method in this embodiment, the admission rule may include multiple types of lists, so that the access request may be verified from different angles, and thus the security of server access may be improved.
In a second aspect, an embodiment of the present application provides an access control apparatus, including:
the acquisition module is used for acquiring an access request sent by external equipment;
the analysis module is used for analyzing the access request to determine the access attribute information carried by the access request;
the determining module is used for determining whether the access request is an access admission request or not according to the access attribute information;
and the sending module is used for sending the access request to a server associated with the gateway equipment if the access request is an access admission request.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory storing machine readable instructions executable by the processor, the machine readable instructions when executed by the processor perform the steps of the method of any of the preceding embodiments when the electronic device is run.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps of the method according to any one of the foregoing embodiments.
The beneficial effects of the embodiments of the application are as follows: by verifying the access request to determine whether it is an access admission request that is allowed access, a legitimate user can access the server from certain secure environments outside the company while the security of access to the server can still be determined.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a schematic diagram illustrating interaction between a gateway device and a server according to an embodiment of the present application.
Fig. 2 is a schematic block diagram of a gateway device according to an embodiment of the present application.
Fig. 3 is a flowchart of an access control method according to an embodiment of the present application.
Fig. 4 is a schematic functional block diagram of an access control apparatus according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
In some applications with higher security requirements, there are security requirements for the access terminal and the environment in which the access terminal is located. For example, in some scenarios, the user can only access through connecting to the intranet where the specified application is located. For example, the designated application may be an intra-enterprise application service, and an employee may not be able to gain access in an out-of-office location. As another example, the designated application may be a campus website, and the like.
In order to enable an employee to access the application service inside an enterprise from a non-office place, using a computer device over a public network such as cellular data or Wi-Fi (wireless network), while protecting the security of that application service, a device-level secure tunnel may be provided through a VPN (Virtual Private Network), and all access terminals access the enterprise's internal application service through the secure tunnel. The inventor found through research that an implementation based on a secure tunnel is relatively troublesome, and therefore provides a way to achieve secure access to the enterprise's internal application service without establishing a secure channel.
In the access control method, access control device, electronic device and computer-readable storage medium provided by the embodiments of the application, the gateway device verifies an access request using the header information of the request sent by the transmission source, in order to determine whether to allow the access. For example, access control is performed by the gateway device on access requests for the enterprise intranet's application service: secure requests are passed through and insecure requests are intercepted, so that the intranet application service is protected from external attack.
Example one
To facilitate understanding of the present embodiment, a detailed description will be given of an operating environment for executing an access control method disclosed in the embodiments of the present application.
Fig. 1 is a schematic diagram illustrating an interaction between a gateway device 110 and a server 120 according to an embodiment of the present application. The server 120 is communicatively coupled to one or more external devices via a network for data communication or interaction. Illustratively, the external device 130 passes security authentication of the gateway device before accessing the server 120.
In this embodiment, the server 120 may be a web server, a database server, or the like. The external device may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or the like.
Illustratively, the gateway device 110 is disposed in an isolation zone, and the gateway device 110 is disposed between two firewalls, isolating the server from external devices. The server is arranged in the intranet and is separated from the gateway equipment through a firewall.
Fig. 2 is a schematic block diagram of the gateway device 110. The gateway device 110 may include a memory 111 and a processor 113. It will be understood by those of ordinary skill in the art that the structure shown in fig. 2 is merely illustrative and is not intended to limit the structure of the gateway device 110. For example, the gateway device 110 may also include more or fewer components than shown in fig. 2, or have a different configuration from that shown in fig. 2.
The memory 111 and the processor 113 mentioned above are directly or indirectly electrically connected to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 113 is used to execute the executable modules stored in the memory.
The memory 111 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 111 is configured to store a computer program, and the processor 113 executes the computer program after receiving an execution instruction; the method executed by the gateway device 110, as defined by the process disclosed in any embodiment of the present application, may be applied to the processor 113 or implemented by the processor 113.
The processor 113 may be an integrated circuit chip having signal processing capability. The processor 113 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The gateway device 110 in this embodiment may be configured to perform each step in each method provided in this embodiment. The implementation of the access control method is described in detail below by means of several embodiments.
Example two
Please refer to fig. 3, which is a flowchart illustrating an access control method according to an embodiment of the present application. The specific flow shown in fig. 3 will be described in detail below.
Alternatively, the external device may be installed with an application program of an application service provided by the server. Alternatively, the external device may be equipped with a browser that can access a service provided by the server.
In this embodiment, the header information of the access request may record information about the external device, access information, and the like.
In one embodiment, step 202 may comprise: acquiring header information of the access request; and determining the access attribute information carried by the access request according to the header information.
The relevant information about the sender of the access request is determined by analyzing the header information.
Optionally, the access attribute information may include: user account, user name, application name or browser name, device type, etc.
For example, when the external device sends an access request through the browser, the access attribute information may further include information such as a browser name and a browser version number.
In one example, the header information may include the following User-Agent field: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
In this case, it can be determined from the header information in the above example that the operating system of the external device sending the corresponding access request is Windows 7, indicated by "Windows NT 6.1". The engine version of the external device sending the corresponding access request can be determined from the keyword "AppleWebKit/537.36 (KHTML, like Gecko)". The browser version number used by the external device sending the corresponding access request can be determined from the keyword "Chrome/75.0.3770.100 Safari/537.36".
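As an added example (not code from the patent), the following Python code parses a User-Agent value of the form shown above into the browser-related access attribute information the description mentions: the operating system from the "Windows NT" token, the rendering engine, and the browser name and version. The Windows NT version-to-name table and the handling of browsers other than Chrome are assumptions that go beyond the single example on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample header with the same content as the example in the description.
SAMPLE_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"
)

# Assumed mapping from the "Windows NT x.y" platform token to the marketed name;
# the page itself only states that NT 6.1 corresponds to Windows 7.
WINDOWS_NT_NAMES = {
    "5.1": "Windows XP",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}

# Browser product tokens in the order they must be tested: Chrome also sends a
# "Safari/..." token for compatibility, so Safari is only matched as a fallback.
# (Safari's own product version lives in a separate "Version/" token, not handled here.)
BROWSER_TOKENS = ("Chrome", "Firefox", "Safari")


@dataclass(frozen=True)
class BrowserAttributes:
    """Browser-related access attribute information derived from User-Agent."""
    os_token: Optional[str]         # e.g. "Windows NT 6.1"
    os_name: Optional[str]          # e.g. "Windows 7"
    engine: Optional[str]           # e.g. "AppleWebKit/537.36 (KHTML, like Gecko)"
    browser_name: Optional[str]     # e.g. "Chrome"
    browser_version: Optional[str]  # e.g. "75.0.3770.100"


def parse_user_agent(user_agent: str) -> BrowserAttributes:
    """Derive OS, engine and browser information from a User-Agent header value.

    The header is supplied by the client, so the result is one signal for the
    gateway's admission decision, not proof of what software sent the request.
    """
    os_token = os_name = None
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if m:
        os_token = f"Windows NT {m.group(1)}"
        os_name = WINDOWS_NT_NAMES.get(m.group(1), f"Windows (NT {m.group(1)})")

    engine = None
    m = re.search(r"AppleWebKit/[\d.]+ \(KHTML, like Gecko\)", user_agent)
    if m:
        engine = m.group(0)

    browser_name = browser_version = None
    for token in BROWSER_TOKENS:
        # The token must start a product (not be the tail of another word).
        m = re.search(rf"(?<![\w.]){token}/([\d.]+)", user_agent)
        if m:
            browser_name, browser_version = token, m.group(1)
            break

    return BrowserAttributes(os_token, os_name, engine, browser_name, browser_version)


if __name__ == "__main__":
    print(parse_user_agent(SAMPLE_USER_AGENT))
```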
In this embodiment, the application program installed in the external device or the browser installed in the external device may be used to send the access request. The browser obtains the service in the server through the website address provided by the server.
In one embodiment, the access request may include an access request sent by a target application on the external device, and the access attribute information may include application information and user information. The application information may include an application name, application version information, application type, and the like. The user information may include a user name, a user account, and the like.
The target application may be a VSA (Virtual Security Area) application. VSA (Virtual Security Area) refers to a technology that implements a virtual machine on a mobile device by taking over the communication between a mobile application and the operating system (an operating system such as Android or iOS). Through this virtualization technology, the VSA hooks into the low-level drivers of the operating system, so that enterprise-level applications can run securely in a virtual machine, and the security and fine-grained control of the applications are realized.
In this embodiment, step 202 may include: and analyzing the access request, and determining application program information and user information corresponding to the access request.
Illustratively, the header information of the access request may be parsed to determine the application information and the user information corresponding to the access request.
Optionally, the access attribute information may further include device information of the external device, and the device information may also be parsed from the header information of the access request.
In another embodiment, the access request may include an access request sent by a target browser on the external device. The access attribute information may include browser information and user information, among others. The browser information may include browser version information, browser security information, and the like.
In this embodiment, step 202 may include: and analyzing the access request, and determining browser information and user information corresponding to the access request.
Optionally, the browser information and the user information corresponding to the access request may be obtained by parsing from header information of the access request.
Optionally, when the access request is sent by an application program in the external device, it may be determined whether the access request is an access admission request according to the application program information and the user information.
Step 203 may comprise: and judging whether the target application program is a virtual safe area application program or not according to the application program information, and judging whether a user account corresponding to the user information is a legal user or not according to the user information.
Exemplarily, if the target application program is a virtual secure area application program and the user account corresponding to the user information is a valid user, it is determined that the access request is an admission access request.
For example, if the target application program is not the virtual secure area application program, or the user account corresponding to the user information is not a legal user, it is determined that the access request is not an access admission request.
For example, if the user account is an account registered when the server sends an account registration request, it may be determined that the user account is a secured account.
Optionally, when the access request is sent by an application program in the external device, it may be determined whether the access request is an access admission request according to the application program information, the user information, and the device information.
Step 203 may comprise: judging whether the target application program is a virtual safe area application program or not according to the application program information; judging whether a user account corresponding to the user information is a legal user or not according to the user information; and judging whether the external equipment is the safety equipment or not according to the equipment information.
Exemplarily, if the target application program is a virtual secure area application program, the user account corresponding to the user information is a legal user, and the external device is a secure device, it is determined that the access request is an admission access request.
For example, if the target application program is not a virtual secure area application program, or the user account corresponding to the user information is not a legal user, or the external device is not a secure device, it is determined that the access request is not an access admission request.
Alternatively, the device information may include information such as a model of the device, a network environment in which the external device is located, and the like.
Optionally, when the device model is one that frequently logs in to the server, and the network environment in which the external device is located is a secure network environment, it may be determined that the external device is a secure device.
For example, if the network used by the external device is personal mobile cellular data or a private Wi-Fi network, the network environment in which the external device is located may be considered a secure network environment; if the Wi-Fi to which the external device is connected is a shared wireless network, the network environment in which the external device is located may be determined to be an insecure network environment.
Optionally, when the access request is sent by a browser in the external device, it may be determined whether the access request is an access admission request according to the browser information and the user information.
Step 203 may comprise: judging whether the target browser is a safe browser or not according to the browser information; and judging whether the user account corresponding to the user information is a legal user or not according to the user information.
Exemplarily, if the target browser is a secure browser and the user account corresponding to the user information is a legal user, it is determined that the access request is an admission access request.
Exemplarily, if the target browser is not a secure browser or the user account corresponding to the user information is not a legal user, it is determined that the access request is not an access admission request.
Optionally, when the access request is sent by a browser in the external device, it may be determined whether the access request is an access admission request according to the browser information, the user information, and the device information.
Step 203 may comprise: judging whether the target browser is a safe browser or not according to the browser information; judging whether a user account corresponding to the user information is a legal user or not according to the user information; and judging whether the external equipment is the safety equipment or not according to the equipment information.
Exemplarily, if the target browser is a secure browser, the user account corresponding to the user information is a legal user, and the external device is a secure device, it is determined that the access request is an admission access request.
Exemplarily, if the target browser is not a secure browser, or the user account corresponding to the user information is not a legal user, or the external device is not a secure device, it is determined that the access request is not an access admission request.
In this embodiment, the access request may also be verified according to the set admission rule.
Optionally, an admission rule is stored in the gateway device. Optionally, step 203 may comprise: and matching the access attribute information with the admission rule to determine whether the access attribute information conforms to the limited range of the admission rule.
Illustratively, the access request is determined to be an admission access request if the access attribute information complies with the defined range of the admission rules.
Illustratively, if the access attribute information does not comply with the restricted range of the admission rule, it is determined that the access request is not an admitted access request.
Optionally, the admission rule may include one or more of an admitted device list, a defined transmission source list, and an admitted user list.
On this basis, step 203 may include: matching the access attribute information against at least one of the admitted device list, the defined transmission source list and the admitted user list, to determine whether the access request was transmitted by a transmission source defined in the admitted device list, the defined transmission source list or the admitted user list.
For example, the admitted device list may include a plurality of device models that are allowed to access the server.
For example, the defined transmission source list may include browser information or application information for a plurality of browsers or applications that are allowed to access the server. The application may be, for example, a virtual secure enclave application. The browser may be, for example, a secure browser or a designated browser, such as an IE browser or Google Chrome.
For example, the admitted user list may include account information for a plurality of user accounts that are allowed access.
For example, if the access attribute information falls outside any one of the admitted device list, the defined transmission source list or the admitted user list that the admission rule includes, the access request is determined not to be an access admission request.
For example, if the access attribute information falls within every one of the admitted device list, the defined transmission source list and the admitted user list that the admission rule includes, the access request is determined to be an access admission request.
For example, when the admission rule includes only one of the admitted device list, the defined transmission source list and the admitted user list, the access request can be determined to be an access admission request when the access attribute information falls within the range defined by that one list.
For example, when the admission rule includes only two of the admitted device list, the defined transmission source list and the admitted user list, the access request can be determined to be an access admission request when the access attribute information falls within the range jointly defined by those two lists.
For example, when the admission rule includes all three lists, the access request can be determined to be an access admission request when the access attribute information falls within the range jointly defined by the three lists. In other words, every list the rule includes must be matched, and failing any one of them is sufficient to reject the request.
In this embodiment, if the access request is an access admission request, step 204 is executed.
According to the access control method of this embodiment, the access request is verified to determine whether it is an access admission request that is allowed through, so that a legitimate user can access the server from a secure environment outside the company while the security of access to the server can still be assured. Further, in the method provided in this embodiment, the gateway device performs admission control on the requests sent by browsers and applications: it releases only requests sent by a secure browser or a secure application and intercepts requests sent by an insecure browser or application, which improves the security of access to the server.
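The admission check of steps 202 to 204 above (the same check that the device embodiment with modules 301 to 304 and claims 1 to 7 restate), written out as an added example; this is not code from the patent or from its applicant. The header names X-Device-Model, X-Access-Source, X-User-Account and X-User-Signature are constructed, since the patent only says the attribute information is taken from the request header and does not name the fields. The HMAC that binds the user account to the device model is an assumption that goes beyond the page: a header is supplied by the client and can be forged by anyone, so the example trusts the account only when it carries a token the gateway itself issued; how the gateway actually authenticates the user is not described on the page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional

# Constructed header names: the patent only says the attribute information is
# taken from the request header and does not name the fields.
HDR_DEVICE = "X-Device-Model"
HDR_SOURCE = "X-Access-Source"      # browser or application identifier
HDR_USER = "X-User-Account"
HDR_USER_SIG = "X-User-Signature"   # assumption: gateway-issued HMAC, see sign_user()


@dataclass(frozen=True)
class AccessAttributes:
    """Access attribute information carried in the request (step 202)."""
    device_model: Optional[str]
    source: Optional[str]
    user: Optional[str]
    user_signature: Optional[str]


def parse_access_request(headers: Mapping[str, str]) -> AccessAttributes:
    """Step 202: derive the access attribute information from the header fields."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return AccessAttributes(
        device_model=lowered.get(HDR_DEVICE.lower()),
        source=lowered.get(HDR_SOURCE.lower()),
        user=lowered.get(HDR_USER.lower()),
        user_signature=lowered.get(HDR_USER_SIG.lower()),
    )


@dataclass(frozen=True)
class AdmissionRule:
    """Admission rule stored on the gateway; a list set to None is not part of the rule."""
    admitted_devices: Optional[FrozenSet[str]] = None
    admitted_sources: Optional[FrozenSet[str]] = None
    admitted_users: Optional[FrozenSet[str]] = None


def sign_user(user: str, device_model: str, key: bytes) -> str:
    """Assumed gateway-side token issued at login: HMAC binding the account to the device."""
    return hmac.new(key, f"{user}|{device_model}".encode(), hashlib.sha256).hexdigest()


def user_identity_valid(attrs: AccessAttributes, key: bytes) -> bool:
    """A header is attacker-controlled, so the account is trusted only with a valid HMAC."""
    if not attrs.user or not attrs.device_model or not attrs.user_signature:
        return False
    expected = sign_user(attrs.user, attrs.device_model, key)
    return hmac.compare_digest(expected.encode(), attrs.user_signature.encode())


def is_admission_request(attrs: AccessAttributes, rule: AdmissionRule, key: bytes) -> bool:
    """Step 203: every list the rule includes must match; a missing attribute never matches."""
    checks = [
        (rule.admitted_devices, attrs.device_model),
        (rule.admitted_sources, attrs.source),
        (rule.admitted_users, attrs.user),
    ]
    configured = [(allowed, value) for allowed, value in checks if allowed is not None]
    if not configured:
        return False  # fail closed: a rule with no lists admits nothing
    for allowed, value in configured:
        if value is None or value not in allowed:
            return False
    if rule.admitted_users is not None and not user_identity_valid(attrs, key):
        return False
    return True


def handle_request(headers: Mapping[str, str], rule: AdmissionRule, key: bytes) -> str:
    """Step 204: forward an admitted request to the server, intercept anything else."""
    attrs = parse_access_request(headers)
    return "forward" if is_admission_request(attrs, rule, key) else "intercept"


# Constructed sample data: a key, a rule with all three lists, and four requests.
SECRET = b"constructed-gateway-key"  # a real gateway loads this from its secret store
RULE = AdmissionRule(
    admitted_devices=frozenset({"ModelA-2020"}),
    admitted_sources=frozenset({"SecureBrowser/3", "VirtualEnclaveApp/1"}),
    admitted_users=frozenset({"alice"}),
)


def sample_requests() -> dict:
    good = {
        HDR_DEVICE: "ModelA-2020",
        HDR_SOURCE: "SecureBrowser/3",
        HDR_USER: "alice",
        HDR_USER_SIG: sign_user("alice", "ModelA-2020", SECRET),
    }
    return {
        "good": good,
        "unsafe_browser": {**good, HDR_SOURCE: "Mozilla/5.0 (generic)"},
        "forged_token": {**good, HDR_USER_SIG: "deadbeef"},  # listed user, bad HMAC
        "unlisted_user": {**good, HDR_USER: "bob",
                          HDR_USER_SIG: sign_user("bob", "ModelA-2020", SECRET)},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:14s} -> {handle_request(req, RULE, SECRET)}")
```

The rule semantics follow the text: a request is admitted only when it matches every list the rule includes, so a rule with one list checks one attribute, a rule with three checks all three, and a rule with no lists is treated as admitting nothing rather than everything.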
EXAMPLE III
Based on the same inventive concept, an embodiment of the present application further provides an access control device corresponding to the access control method. Since the device solves the problem on the same principle as the access control method, the implementation of the device may refer to the description of the method embodiment, and repeated details are not described again.
Please refer to fig. 4, which is a schematic diagram of the functional modules of an access control device according to an embodiment of the present application. The modules of the access control device in this embodiment are configured to perform the corresponding steps of the method embodiments above. The access control device includes an acquisition module 301, a parsing module 302, a determining module 303 and a sending module 304, wherein:
the acquisition module 301 is configured to acquire an access request sent by an external device;
the parsing module 302 is configured to parse the access request to determine the access attribute information carried in the access request;
the determining module 303 is configured to determine, from the access attribute information, whether the access request is an access admission request;
the sending module 304 is configured to send the access request to a server associated with the gateway device if the access request is an access admission request.
In a possible implementation, the parsing module 302 is configured to:
acquire header information of the access request;
and determine, from the header information, the access attribute information carried by the access request.
In one possible implementation, the access request is an access request sent by a target application on the external device, and the access attribute information includes application information and user information; the parsing module 302 is configured to parse the access request and determine the application information and the user information corresponding to the access request;
the determining module 303 is configured to determine, from the application information and the user information, whether the access request is an access admission request.
In a possible implementation, the determining module 303 is configured to:
judge from the application information whether the target application is a virtual secure enclave application;
judge from the user information whether the user account corresponding to the user information is a legitimate user;
if the target application is a virtual secure enclave application and the user account corresponding to the user information is a legitimate user, determine that the access request is an access admission request;
and if the target application is not a virtual secure enclave application, or the user account corresponding to the user information is not a legitimate user, determine that the access request is not an access admission request.
In one possible implementation, the access request is an access request sent by a target browser on the external device, and the access attribute information includes browser information and user information; the parsing module 302 is configured to parse the access request and determine the browser information and the user information corresponding to the access request;
the determining module 303 is configured to:
judge from the browser information whether the target browser is a secure browser;
judge from the user information whether the user account corresponding to the user information is a legitimate user;
if the target browser is a secure browser and the user account corresponding to the user information is a legitimate user, determine that the access request is an access admission request;
and if the target browser is not a secure browser, or the user account corresponding to the user information is not a legitimate user, determine that the access request is not an access admission request.
In a possible implementation, an admission rule is stored in the gateway device, and the determining module 303 is configured to:
match the access attribute information against the admission rule to determine whether the access attribute information falls within the range defined by the admission rule;
if the access attribute information falls within the range defined by the admission rule, determine that the access request is an access admission request;
and if the access attribute information does not fall within the range defined by the admission rule, determine that the access request is not an access admission request.
In one possible implementation, the admission rule includes one or more of an admitted device list, a defined transmission source list and an admitted user list, and the determining module 303 is configured to:
match the access attribute information against at least one of the admitted device list, the defined transmission source list and the admitted user list, to determine whether the access request was transmitted by a transmission source defined in the admitted device list, the defined transmission source list or the admitted user list;
and if the access request was not transmitted by a transmission source defined in the admitted device list, the defined transmission source list and/or the admitted user list, whichever of them the admission rule includes, determine that the access request is not an access admission request.
Furthermore, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs the steps of the access control method of the method embodiment above.
The computer program product of the access control method provided in the embodiment of the present application includes a computer-readable storage medium storing program code, and the instructions included in the program code may be used to execute the steps of the access control method of the method embodiment above; reference is made to that embodiment, and the steps are not repeated here.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. An access control method applied to a gateway device, the access control method comprising:
acquiring an access request sent by an external device;
parsing the access request to determine access attribute information carried by the access request;
determining, from the access attribute information, whether the access request is an access admission request;
and if the access request is an access admission request, sending the access request to a server associated with the gateway device.
2. The method of claim 1, wherein the parsing the access request to determine the access attribute information carried by the access request comprises:
acquiring header information of the access request;
and determining the access attribute information carried by the access request according to the header information.
3. The method according to claim 1 or 2, wherein the access request comprises an access request sent by a target application on the external device, and the access attribute information comprises application information and user information; the parsing the access request to determine the access attribute information carried by the access request comprises:
parsing the access request and determining application information and user information corresponding to the access request;
and the determining whether the access request is an access admission request from the access attribute information comprises:
determining, from the application information and the user information, whether the access request is an access admission request.
4. The method of claim 3, wherein the determining, from the application information and the user information, whether the access request is an access admission request comprises:
judging from the application information whether the target application is a virtual secure enclave application;
judging from the user information whether the user account corresponding to the user information is a legitimate user;
if the target application is a virtual secure enclave application and the user account corresponding to the user information is a legitimate user, determining that the access request is an access admission request;
and if the target application is not a virtual secure enclave application, or the user account corresponding to the user information is not a legitimate user, determining that the access request is not an access admission request.
5. The method according to claim 1 or 2, wherein the access request comprises an access request sent by a target browser on the external device, and the access attribute information comprises browser information and user information; the parsing the access request to determine the access attribute information carried by the access request comprises:
parsing the access request and determining browser information and user information corresponding to the access request;
and the determining whether the access request is an access admission request from the access attribute information comprises:
judging from the browser information whether the target browser is a secure browser;
judging from the user information whether the user account corresponding to the user information is a legitimate user;
if the target browser is a secure browser and the user account corresponding to the user information is a legitimate user, determining that the access request is an access admission request;
and if the target browser is not a secure browser, or the user account corresponding to the user information is not a legitimate user, determining that the access request is not an access admission request.
6. The method of claim 1, wherein an admission rule is stored in the gateway device, and the determining whether the access request is an access admission request from the access attribute information comprises:
matching the access attribute information against the admission rule to determine whether the access attribute information falls within the range defined by the admission rule;
if the access attribute information falls within the range defined by the admission rule, determining that the access request is an access admission request;
and if the access attribute information does not fall within the range defined by the admission rule, determining that the access request is not an access admission request.
7. The method of claim 6, wherein the admission rule includes one or more of an admitted device list, a defined transmission source list and an admitted user list, and the matching the access attribute information against the admission rule to determine whether the access attribute information falls within the range defined by the admission rule comprises:
matching the access attribute information against at least one of the admitted device list, the defined transmission source list and the admitted user list, to determine whether the access request was transmitted by a transmission source defined in the admitted device list, the defined transmission source list or the admitted user list;
and if the access request was not transmitted by a transmission source defined in the admitted device list, the defined transmission source list and/or the admitted user list, whichever of them the admission rule includes, determining that the access request is not an access admission request.
8. An access control device applied to a gateway device, the access control device comprising:
an acquisition module, configured to acquire an access request sent by an external device;
a parsing module, configured to parse the access request to determine access attribute information carried by the access request;
a determining module, configured to determine, from the access attribute information, whether the access request is an access admission request;
and a sending module, configured to send the access request to a server associated with the gateway device if the access request is an access admission request.
9. An electronic device, comprising a processor and a memory storing machine-readable instructions executable by the processor, wherein the machine-readable instructions, when executed by the processor while the electronic device runs, perform the steps of the method of any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, is adapted to carry out the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010623781.5A CN111787008B (en) | 2020-06-30 | 2020-06-30 | Access control method, device, electronic equipment and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111787008A true CN111787008A (en) | 2020-10-16 |
| CN111787008B CN111787008B (en) | 2023-01-20 |
Family
ID=72760614
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8010961B1 (en) * | 2003-06-11 | 2011-08-30 | Symantec Corporation | Data layer prioritization in an application layered system |
| CN106484712A (en) * | 2015-08-27 | 2017-03-08 | 北京易车互联信息技术有限公司 | The date storage method of distributed file system and device |
| CN110809011A (en) * | 2020-01-08 | 2020-02-18 | 医渡云(北京)技术有限公司 | Access control method and system, and storage medium |
| CN110999215A (en) * | 2017-08-22 | 2020-04-10 | T移动美国公司 | Secure Device Access Token |
| CN111177741A (en) * | 2019-11-29 | 2020-05-19 | 云深互联(北京)科技有限公司 | Pre-authorization data access method and device based on enterprise browser |
| CN111182537A (en) * | 2019-12-31 | 2020-05-19 | 北京指掌易科技有限公司 | Network access method, device and system for mobile application |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |