WO2021035740A1 - Access control method, server, access device and storage medium - Google Patents
- Publication number: WO2021035740A1 (PCT/CN2019/103862)
- Authority: WIPO (PCT)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
Definitions
- the present invention relates to the Internet of Things (IoT) technology, and in particular to an access control method, server, access device and storage medium.
- devices that are not in the same local network can communicate with each other through the cloud, and the cloud groups the devices belonging to the same user under the same user ID created in the cloud. All devices registered to the cloud and belonging to the same user ID can communicate according to the device authorization cloud permission policy (for example: ACE2 policy).
- devices in the same local network can communicate with each other through the local network. Cloud communication and local network communication are therefore isolated from each other, and a device can only be accessed by one user, which cannot meet the application scenario of multiple users.
- the embodiments of the present invention provide an access control method, a server, an access device, and a storage medium, which can share the access authority of the device with other users, and realize multi-user access.
- an embodiment of the present invention provides an access control method, including:
- the server establishes a sharing record among the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
- the server transmits a local shared credential between the first access device and the second access device, and the local shared credential is used for establishing a local connection between the first access device and the target device.
- an embodiment of the present invention provides an access control method, including:
- the first access device acquires the second device identifier of the second access device
- the first access device sends the first device ID of the first access device and the second device ID to the server, where the first device ID and the second device ID are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
- the first access device and the server transmit a local shared credential, and the local shared credential is used for the first access device to establish a local connection with the target device.
- an embodiment of the present invention provides an access control method, including:
- the second access device acquires the first device identifier of the first access device
- the second access device sends the first device identification and the second device identification of the second access device to the server, where the first device identification and the second device identification are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
- the second access device transmits a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
- an embodiment of the present invention provides a server, including:
- the establishment unit is configured to establish a sharing record among the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device;
- the transmission unit is configured to transmit a local shared credential between the first access device and the second access device, and the local shared credential is used for the first access device to establish a local connection with the target device.
- an embodiment of the present invention provides an access device, including:
- the first obtaining unit is configured to obtain the second device identifier of the second access device
- the first sending unit is configured to send the first device identifier of the first access device and the second device identifier to the server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
- the first transmission unit is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
- an embodiment of the present invention provides an access device, including:
- the second acquiring unit is configured to acquire the first device identifier of the first access device
- the second sending unit is configured to send the first device ID and the second device ID of the second access device to the server, where the first device ID and the second device ID are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
- the second transmission unit is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
- an embodiment of the present invention provides a server, including: a processor and a memory for storing a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the access control method performed by the server.
- an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the above-mentioned access control method executed by the first access device.
- an embodiment of the present invention provides an access device, including: a processor and a memory configured to store a computer program that can run on the processor, wherein the processor is configured to execute, when running the computer program, the steps of the above-mentioned access control method executed by the second access device.
- an embodiment of the present invention provides a storage medium storing an executable program, and when the executable program is executed by a processor, the access control method executed by the server is implemented.
- an embodiment of the present invention provides a storage medium that stores an executable program, and when the executable program is executed by a processor, it implements the access control method executed by the first access device.
- an embodiment of the present invention provides a storage medium storing an executable program, and when the executable program is executed by a processor, the above-mentioned access control method executed by the second access device is implemented.
- the access control method provided by the embodiment of the present invention includes: the server establishes a sharing record among the first device identifier of the first access device, the second device identifier of the second access device, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device; the server transmits a local shared credential between the first access device and the second access device, and the local shared credential is used for the first access device to establish a local connection with the target device. In this way, the first access device, which is not associated with the target device, can access the target device based on the sharing record; and transmitting, between the first access device and the second access device corresponding to the sharing record, a local shared credential that enables the first access device to access the target device locally avoids the restriction that the target device can only be accessed by the user ID with which it has a binding relationship, so that multi-user access is achieved and the first access device's access to the target device is not restricted by the network.
- FIG. 1 is an optional structural diagram of an Internet of Things system provided by an embodiment of the present invention
- FIG. 2 is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 3 is an optional structural diagram of the Internet of Things system provided by an embodiment of the present invention.
- FIG. 4A is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 4B is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 4C is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 5 is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 6 is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 7 is an optional flowchart of an access control method provided by an embodiment of the present invention.
- FIG. 8 is a schematic diagram of an optional structure of a server provided by an embodiment of the present invention.
- FIG. 9 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
- FIG. 10 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention.
- FIG. 11 is a schematic diagram of an optional structure of an electronic device provided by an embodiment of the present invention.
- the access control of the Internet of Things system includes local access based on the home network and remote access based on the cloud.
- the IoT device needs to be registered in the cloud after entering the Internet of Things.
- the IoT device will get a corresponding user ID (UserID) during registration, and the IoT device will be in a remotely operable state after being registered in the cloud. If the IoT device is not registered in the cloud, remote operations cannot be performed, but operations can be performed locally.
- UserID is the user ID of the IoT device in the cloud, not the device ID (device ID).
- the local operation of the IoT device is related to the access policy of the IoT device, but not the UserID.
- the configuration work is done by the OBT. During the configuration process, the Owner ID of the IoT device needs to be set to the Device ID of the OBT device, and the access credential of the IoT device needs to be configured.
- the access credential is used for two-way authentication between the two devices when the connection is established.
- the access credential can be a symmetric key, asymmetric key, certificate, etc.
- the two parties can establish a secure communication connection, that is, they can interconnect and interoperate.
- the structure of the cloud-based Internet of Things system is shown in Fig. 1, and includes: a client 101, a server 102, and a cloud 103.
- the client 101 accesses resources of the server 102, and the server 102 provides the resources accessed by the client 101.
- the client 101 and the server 102 communicate with each other through the cloud 103.
- when the client 101 requests a CRUDN operation on the resource referenced by the resource links carried by the cloud 103, the client 101 sends the CRUDN request to the cloud 103, and the cloud 103 forwards the CRUDN request of the client 101 to the server 102 that actually carries the resource.
- the server 102 responds to the CRUDN request forwarded by the cloud 103, and the cloud 103 forwards the response of the server 102 to the client 101; that is, the communication path is client 101 -> cloud 103 -> server 102 -> cloud 103 -> client 101.
- the cloud 103 may include three functional entities:
- Cloud interface 1031: the anchor on the cloud, responsible for server access management and for message routing of remote communication between the client and the server.
- the cloud interface provides a unified address and port number, such as coaps+tcp://example.com:443.
- Authorization server 1032: responsible for server registration and for authentication of the client and the server.
- Resource catalog 1033: the index of the server resources; the client can obtain the resources of the target device by retrieving the resource catalog.
- authorization server 1032 and the cloud may be the same physical entity, or may be different physical entities.
- each device can be a client, a server, or both a client and a server.
- Step S201 The configurator obtains the user's access token (Access Token) from the authorization server.
- the mediator function is provided in the user APP to configure the device to connect to the cloud.
- the configurator is configured with a uniform resource locator (URL) for cloud access, and the user has registered a user name and password, so that the authorization server can authorize the user and return an access token to the configurator.
- the user APP can be located on the device as the client.
- Step S202 The configurator is registered in the cloud.
- the configurator provides an access token to the cloud for configurator registration, and the cloud verifies the Access Token provided by the configurator and assigns a user ID.
- the authorization server will provide different Access Tokens, but any configurator used by the same user is associated with the same User ID.
- Step S203 The configurator is connected to the device, and the device is configured.
- the configurator connects to the device through the normal device discovery process, and then requests an Access Token from the cloud for the configured device.
- the configurator uses the Access Token authorized from the cloud, the Uniform Resource Identifier (URI) and the Universal Unique Identifier (UUID) of the cloud to update the cloud configuration resources on the device for cloud information configuration, such as: "Oic.r.coapcloudconf" resource.
- the Access Token provided by the cloud is used when the device performs initial registration with the cloud.
- Step S204 The device establishes a Transport Layer Security (TLS) connection with the cloud.
- the device uses a preset digital certificate to establish a TLS connection with the cloud.
- the preset digital certificates include: the manufacturer's certificate of the device and the trust anchor certificate.
- Step S205 the device is registered in the cloud.
- to register in the cloud, the device needs to send an update (UPDATE) operation request to the account resource on the cloud.
- the resource update request includes the Access Token and User ID configured in the cloud configuration resource.
- the cloud maintains a unique instance of account resources for each device. Among them, the account resource can be the "/oic/sec/account" resource.
- Step S206 to step S207 the cloud verifies the Access Token provided by the device.
- the cloud sends the User ID and Access Token provided by the device to the authorization server. After the authorization server successfully verifies the update operation request, the cloud responds to the update operation. The response will provide the device with an updated Access Token and the validity period of the Access Token. In addition, the cloud also records the User ID that is associated with this device, that is, has a binding relationship.
- when step S201 is completed between the cloud and the configurator, step S207 is not required.
- the device needs to log in to the cloud to transfer data between the device and the cloud, and the device sends an update (UPDATE) operation request to the cloud session resource.
- the cloud session resource can be a "/oic/sec/session" resource.
- the device in Figure 2 can be a client or a server. If the device is used as a server, after the device establishes a TLS connection with the cloud, the device will disclose the resources it carries in the resource directory of the cloud to facilitate remote access to these resources of the client.
- devices that are not in the same local network can communicate with each other through the cloud using the Constrained Application Protocol over the Transmission Control Protocol (CoAP over TCP).
- the cloud groups devices belonging to the same User ID under that User ID. All devices registered to the cloud and belonging to the same User ID can communicate according to the ACE2 policy of the device authorization cloud.
- a device under a User ID is referred to as a device that has a binding relationship with the User ID.
- the access control method of the embodiment of the present invention can be applied to the Internet of Things system 300 shown in FIG. 3, which includes: a first access device 301, a second access device 302, a target device 303 and a server 304; among them, the first access device 301 and the second access device 302 are clients, the target device 303 is the server, and the server 304 is the cloud.
- the client accesses the resources of the server based on the cloud.
- the first access device 301 logs in to the server 304 with the first user ID
- the second access device 302 logs in to the server 304 with the second user ID.
- the first user ID is not associated with the target device
- the second user ID is associated with the target device; that is, the first access device and the target device are not devices under the same user ID, while the second access device and the target device are devices under the same user ID.
- the client, server, and cloud in the Internet of Things system 300 can communicate based on various communication systems, such as: the Global System of Mobile Communication (GSM) system, Code Division Multiple Access (CDMA) system, Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), Long Term Evolution (LTE) system, LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD) system, Universal Mobile Telecommunication System (UMTS), Worldwide Interoperability for Microwave Access (WiMAX) communication system, 5G system, etc.
- the first access device 301 and the second access device 302 may be terminal devices, which may refer to access terminals, user equipment (UE), user units, user stations, mobile stations, remote stations, remote terminals, mobile equipment, user terminals, terminals, wireless communication devices, user agents or user devices.
- the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved PLMN, etc.
- the target device 303 may be IoT devices such as sensors, laser scanning systems, and smart home appliances.
- Figure 3 exemplarily shows one server and two clients.
- the IoT system 300 may include multiple servers, and multiple clients that either have or do not have a binding relationship with a server; the numbers of servers and clients are not limited in this embodiment of the present invention.
- An optional processing flow of the access control method provided by the embodiment of the present invention, as shown in FIG. 4A, includes the following steps:
- Step S401 The server establishes a sharing record between the first device identification of the first access device, the second device identification of the second access device, and the target device identification of the target device associated with the second access device.
- the server may receive the first device identification and the second device identification sent by the first access device or the second access device, and, based on the acquired first device identification and second device identification, establish a correspondence among the first device identifier, the second device identifier, and the target device identifier of the target device that is associated with the second access device under the same user ID. The established correspondence is called a sharing record, and the sharing record is used to share the access permission of the target device to the first access device; that is, it is used to determine that the access permission of at least one target device associated with the second access device is shared to the first access device, which is not associated with the target device.
- the first access device and the target device are not associated with the same user identity, that is, the first access device is not associated with the target device, and the second access device and the target device are associated with the same user identity, that is, the second access device is associated with the target device.
- when the server receives the first device identification and the second device identification sent by the first access device, it is the first access device that initiates the registration of device sharing to the server.
- when the server receives the first device identification and the second device identification sent by the second access device, it is the second access device that initiates the registration of device sharing to the server.
- the server receives a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
- the registration request does not carry the target device identifier of the target device.
- the server searches for all target devices associated with the second access device according to the second device identifier and/or the second user identifier corresponding to the second device identifier.
- a sharing record is established between the target device identifiers of all target devices, the first device identifier, and the second device identifier. Among them, one sharing record can be established corresponding to all target device identifiers, or corresponding sharing records can be established respectively based on different target device identifiers.
- the registration request also carries: the target device identifier.
- the server establishes a sharing record among the first device identification, the second device identification, and the target device identification carried in the registration request.
- the registration request may carry at least one target device identifier, and the server may establish a sharing record corresponding to all target device identifiers carried in the registration request, or may establish corresponding sharing records based on different target device identifiers.
- the server stores the sharing record through an independent resource.
- the resource storing the sharing record is referred to as a device share resource.
- after the server establishes a new sharing record, it adds the established sharing record to the device share resource.
- the registration request also carries one of the following information:
- the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and the sharing restriction conditions.
- Sharing restriction conditions are used to restrict the access rights of the first access device to the target device.
- Sharing restriction conditions can include: Only One Time; Always, which signifies permanent access; a sharing time period, which signifies access permitted for a period of time; or other conditional content.
- different sharing restriction conditions can be represented by different sharing identifiers.
- Step S402 The server transmits the local shared credential between the first access device and the second access device.
- the local shared credential is used for the first access device to establish a local connection with the target device, so that after the first access device accesses the local network, the first access device and the target device can establish a local connection based on the local network, and the first access device accesses the target device based on the established local connection.
- the transmission of the local shared credential is performed between the first access device, the second access device and the server.
- the server sends the local sharing credentials to the first access device and the second access device respectively.
- the server receives the local sharing credential sent by the first access device, and sends the received local sharing credential to the second access device.
- the server receives the local sharing credential sent by the second access device, and sends the received local sharing credential to the first access device.
- the local sharing credential can be generated by the server, the first access device, or the second access device.
- the server sends the generated local sharing credential to the first access device and the second access device respectively, so that the second access device configures the local sharing credential to the target device.
- the first access device and the target device have the same local shared credential, and local access is realized.
- the first access device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the second access device, so that the second access device configures the local shared credential to the target device. In this way, the first access device and the target device have the same local shared credential, and local access is realized.
- the second access device sends the generated local sharing credential to the server, the server sends the received local sharing credential to the first access device, and the second access device configures the generated local shared credential to the target device. In this way, the first access device and the target device have the same local shared credential, and local access is realized.
- the second access device configures the generated local sharing credential to the target device, the target device sends the generated local sharing credential to the server, and the server sends the received local sharing credential to the first access device.
- the first access device and the target device have the same local shared credential, and local access is realized.
- the transmission of the local sharing credential and the creation of the sharing record can be performed interactively, or the creation of the sharing record can be performed first and then the transmission of the local sharing credential can be performed.
- the process of the server establishing a sharing record may be as shown in FIG. 4B, including:
- Step S4011a the first access device obtains the second device identifier of the second access device.
- the first access device may obtain the second device identification of the second access device through out-of-band methods such as device discovery and identification scanning.
- the scanned identification includes a two-dimensional code.
- the embodiment of the present invention does not impose any limitation on the manner and way for the first access device to obtain the identification of the second device.
- Step S4012a the first access device sends the first device identification of the first access device and the second device identification to the server.
- the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access permission of the target device to the first access device.
- step S4012a includes: the first access device sends the registration request to the server.
- the first access device sends the first device identification and the second device identification to the server by sending a registration request to the server.
- the target device identifier is not carried in the registration request.
- the target device identifier is carried in the registration request.
- the first access device may obtain the target device identification of the target device based on out-of-band methods such as device discovery and identification scanning.
- the scanned identification includes a two-dimensional code.
- the registration request also carries one of the following information:
- the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: The first user identification, the second user identification of the second access device, and the sharing restriction condition.
- after receiving the registration request sent by the first access device, the server creates a sharing record according to the information carried in the registration request, as shown in FIG. 4B, and executes step S4013a and step S4014a:
- Step S4013a The server sends a first confirmation request to the second access device.
- Step S4014a the server receives the first response of the second access device in response to the first confirmation request, and sets the sharing record to an active state.
- step S4013a the sharing record established by the server is in an unavailable and inactive state.
- after the server receives the first response from the second access device, it sets the established sharing record to an available, active state. At this time, the sharing record can be used to control the access of the first access device to the target device.
- after receiving the first confirmation request sent by the server, the second access device confirms whether to approve sharing the access rights of the target device with the first access device, and when approved, returns the first response to the server.
- the first confirmation request may carry the first device identification and the target device identification, and after receiving the first device identification and the target device identification carried in the first confirmation request, the second access device sets the same sharing record in the second access device. When the second access device establishes the same sharing record, it means that the second access device approves sharing the access rights of the target device with the first access device, and responds to the server with the first response.
- step S4015a-1 may be executed:
- Step S4015a-1 the server sends a first sharing completion notification to the first access device.
- the first sharing completion notification is used to instruct the first access device to locally set the sharing record on the first access device.
- the first access device performs step S4015a-1 and step S4015a-2:
- Step S4015a-1 the first access device receives the first sharing completion notification sent by the server.
- step S4015a-2 the first access device, triggered by the first sharing completion notification, sets the sharing record locally.
- the first sharing completion notification is used to notify the first access device that the server has shared the access permission of the target device to the first access device.
- the first access device can thus establish the sharing record locally, in synchronization with the server.
- the first sharing completion notification carries the sharing record.
- the first sharing completion notification does not carry the sharing record.
- step S4016a may be performed: the server sends a second sharing completion notification to the target device.
- the second sharing completion notification is used to instruct the target device to set the sharing record locally on the target device.
- the target device receives the second sharing completion notification sent by the server, and sets the sharing record based on the trigger of the second sharing completion notification.
- the second sharing completion notification is used to notify the target device that the server has shared the access permission of the target device with the first access device.
- the target device can thus establish the sharing record locally, in synchronization with the server.
- the second sharing completion notification carries the sharing record.
- the second sharing completion notification does not carry the sharing record.
- the process for the server to establish a sharing record may be as shown in FIG. 4C, including:
- Step S4011b the second access device obtains the first device identifier of the first access device.
- the second access device may obtain the first device identification of the first access device through out-of-band methods such as device discovery and identification scanning.
- the scanned identification includes a two-dimensional code.
- the embodiment of the present invention does not impose any limitation on the manner and way for the second access device to obtain the identification of the first device.
- Step S4012b the second access device sends the first device identifier and the second device identifier of the second access device to the server.
- the first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device; the sharing record is used to share the access permission of the target device with the first access device.
- step S4012b includes: the second access device sends the registration request to the server.
- the second access device sends the first device identification and the second device identification to the server by sending a registration request to the server.
- the target device identifier is not carried in the registration request.
- the target device identifier is carried in the registration request.
- the registration request also carries one of the following information:
- the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions; correspondingly, the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and the sharing restriction condition.
- after receiving the registration request sent by the second access device, the server creates a sharing record according to the information carried in the registration request, as shown in FIG. 4C, and executes step S4013b and step S4014b:
- Step S4013b the server sends a second confirmation request and a third confirmation request to the first access device and the target device respectively.
- step S4013b includes:
- Step S4013b-1 the server sends a second confirmation request to the first access device.
- Step S4013b-2 the server sends a third confirmation request to the target device.
- Step S4014b the server receives the second response of the first access device in response to the second confirmation request, receives the third response of the target device in response to the third confirmation request, and sets the sharing record to an active state.
- step S4014b includes:
- Step S4014b-1 the server receives a second response of the first access device in response to the second confirmation request.
- Step S4014b-2 the server receives a third response of the target device in response to the third confirmation request.
- step S4014b-3 the server sets the sharing record to an active state.
- before step S4013b is performed, the sharing record established by the server is in an unavailable, inactive state. After the server receives the second response from the first access device and the third response from the target device, it sets the established sharing record to an available, active state. At this time, the sharing record can be used to control the access of the first access device to the target device.
- after receiving the second confirmation request sent by the server, the first access device confirms whether to approve sharing the access rights of the target device with the first access device, and when approved, returns a second response to the server.
- the second confirmation request may carry the second device identification and the target device identification, and after receiving the second device identification and the target device identification carried in the second confirmation request, the first access device sets the same sharing record in the first access device. When the first access device establishes the same sharing record, it means that the first access device approves sharing the access rights of the target device with the first access device, and responds to the server with a second response.
- after receiving the third confirmation request sent by the server, the target device confirms whether to approve sharing the access permission of the target device with the first access device, and when approved, returns a third response to the server.
- the third confirmation request may carry the first device identification and the second device identification, and after receiving the first device identification and the second device identification carried in the third confirmation request, the target device sets the same sharing record in the target device. When the target device establishes the same sharing record, it indicates that the target device approves sharing the access permission of the target device with the first access device, and responds to the server with a third response.
- step S4015b-1 may be executed:
- step S4015b-1 the server sends a third sharing completion notification to the second access device.
- the third sharing completion notification is used to instruct the second access device to locally set the sharing record on the second access device.
- the second access device performs step S4015b-1 and step S4015b-2:
- Step S4015b-1 the second access device receives the third sharing completion notification sent by the server.
- step S4015b-2 the second access device sets the sharing record based on the trigger of the third sharing completion notification.
- the third sharing completion notification is used to notify the second access device that the server has shared the access permission of the target device to the first access device.
- the second access device can thus establish the sharing record locally, in synchronization with the server.
- the third sharing completion notification carries the sharing record.
- the third sharing completion notification does not carry the sharing record.
- in the case that the local sharing credential is generated by the server, step S402 can complete the transmission of the local sharing credential between the first access device and the second access device through the information interaction in FIG. 4B or FIG. 4C.
- in step S402, the server transmitting the local sharing credential between the first access device and the second access device includes: the server sends the local sharing credential to the second access device through the first confirmation request carrying the local sharing credential; the server sends the local sharing credential to the first access device through the first sharing completion notification carrying the local sharing credential.
- the first confirmation request in step S4013a and the first sharing completion notification in step S4015a-1 shown in FIG. 4B respectively carry the local sharing credentials sent to the second access device and the first access device.
- the transmission of the local sharing credential between the first access device and the server includes: the first access device receives the local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
- the second access device receives the local sharing credential sent by the server through the first confirmation request.
- in step S402, the server transmitting the local sharing credential between the first access device and the second access device includes: the server sends the local sharing credential to the first access device through a second confirmation request carrying the local sharing credential; the server sends the local sharing credential to the second access device through a third sharing completion notification carrying the local sharing credential.
- the second confirmation request in step S4013b-1 and the third sharing completion notification in step S4015b-1 shown in FIG. 4C respectively carry the local sharing credentials sent to the first access device and the second access device.
- the transmission of the local sharing credential between the second access device and the server includes: the second access device receives the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server. The first access device receives the local sharing credential sent by the server through the second confirmation request.
- the transmission of the local sharing credential between the first access device and the server includes: the first access device generates the local sharing credential; the first access device sends the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
- the server performing the transmission of the local shared credential between the first access device and the second access device includes: the server receives the local shared credential sent by the first access device; the server sends the local sharing credential to the second access device.
- the transmission of the local shared credential between the second access device and the server includes: the second access device receives the local shared credential generated by the first access device and sent by the server.
- the transmission of the local sharing credential between the second access device and the server includes: the second access device generates the local sharing credential; the second access device makes the local sharing credential available to the server, so that the server sends the local sharing credential to the first access device.
- the second access device directly sends the local sharing credential to the server.
- the second access device configures the local sharing credential to the target device, and the target device sends it to the server.
- in the case that the second access device configures the local shared credential to the target device and the target device sends it to the server, the server performing the transmission of the local shared credential between the first access device and the second access device includes: the server receives the local shared credential sent by the target device; and the server sends the local shared credential to the first access device.
- the transmission of the local shared credential between the first access device and the server includes: the first access device receives the local shared credential generated by the second access device and sent by the server.
- the local sharing credential received by the server is sent by the first access device, in which case the local sharing credential is generated by the first access device; or the local sharing credential received by the server is generated by the second access device.
- the first access device configures an access policy for the first access device to access the target device according to the local shared credential.
- the second access device configures an access policy for the second access device to access the target device according to the local shared credential.
- the first access device generates an access request based on the target device identifier and sends the access request to the server, and the server forwards the access request to the target device; at this time, the server receives an access request sent by the first access device to access the target device, and if the sharing record exists, the server forwards the access request to the target device.
- the first access device can initiate an access request to access the target device based on the target device identifier and send the access request to the server; if the server determines, based on the sharing record, that the access permission of the target device is shared with the first access device, the access request is sent to the target device.
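The cloud-side part of the procedure above (creating an inactive sharing record at registration, activating it only after the required confirmations, and forwarding an access request only when an active record with a satisfied sharing restriction exists) is illustrated below. This is an added example written for this page, not code from the patent: the class and field names, the (first device, target device) key, the encoding of the sharing restrictions as "Always", "Only One Time" or an "HH:MM" time window, and the choice to consume a one-time share on its first forwarded request are all assumptions.

```python
# Added illustration of the cloud-side sharing record lifecycle (steps S401/S402
# and the access-request check).  Class/field names, the record key and the
# restriction encoding are assumptions, not the patent's own deviceshare schema.
from dataclasses import dataclass, field

ALWAYS = "Always"
ONLY_ONE_TIME = "Only One Time"


@dataclass
class SharingRecord:
    """One sharing record as kept by the cloud and mirrored on the devices."""
    first_device: str           # first access device: the one being granted access
    second_device: str          # second access device: associated with the target
    target_device: str
    first_user: str = ""        # optional user identifications
    second_user: str = ""
    # ALWAYS, ONLY_ONE_TIME, or a ("HH:MM", "HH:MM") time window (assumed encoding)
    restriction: object = ALWAYS
    shareenabled: bool = False  # inactive until every required confirmation arrives
    pending: set = field(default_factory=set)   # devices that still have to confirm


class CloudServer:
    def __init__(self):
        self.records = {}       # (first_device, target_device) -> SharingRecord

    def register(self, initiator, first_device, second_device, target_device,
                 first_user="", second_user="", restriction=ALWAYS):
        """Steps S4012a/S4012b: create an inactive record and decide who confirms.
        Registration by the first access device (FIG. 4B): the second access
        device confirms.  Registration by the second access device (FIG. 4C):
        the first access device and the target device both confirm."""
        if initiator == first_device:
            pending = {second_device}
        elif initiator == second_device:
            pending = {first_device, target_device}
        else:
            raise ValueError("registration must come from one of the access devices")
        rec = SharingRecord(first_device, second_device, target_device,
                            first_user, second_user, restriction, pending=pending)
        self.records[(first_device, target_device)] = rec
        return rec

    def confirm(self, first_device, target_device, responder, approved=True):
        """Steps S4013/S4014: a confirmation response from one of the devices the
        confirmation request was sent to.  Returns the record's active state."""
        rec = self.records.get((first_device, target_device))
        if rec is None or responder not in rec.pending:
            return False        # unknown record or unexpected responder: ignore
        if not approved:
            del self.records[(first_device, target_device)]
            return False
        rec.pending.discard(responder)
        if not rec.pending:
            rec.shareenabled = True   # all approvals in: activate the record
        return rec.shareenabled

    def forward_access_request(self, requester, target_device, now):
        """Check on an access request from requester for target_device: forward
        (return True) only if an active sharing record covers the pair and its
        sharing restriction allows access at time `now`, given as "HH:MM"."""
        rec = self.records.get((requester, target_device))
        if rec is None or not rec.shareenabled:
            return False
        r = rec.restriction
        if isinstance(r, tuple):
            start, end = r
            if not (start <= now <= end):   # zero-padded HH:MM compares as text
                return False
        if r == ONLY_ONE_TIME:
            # assumption: a one-time share is consumed by the first forwarded request
            rec.shareenabled = False
        return True


if __name__ == "__main__":
    cloud = CloudServer()
    # OBT A (second access device) registers sharing of Device A with OBT B
    cloud.register("OBT-A", "OBT-B", "OBT-A", "Device-A", restriction=("08:00", "10:00"))
    cloud.confirm("OBT-B", "Device-A", "Device-A")
    cloud.confirm("OBT-B", "Device-A", "OBT-B")
    print(cloud.forward_access_request("OBT-B", "Device-A", "09:00"))   # inside the window
    print(cloud.forward_access_request("OBT-B", "Device-A", "11:00"))   # outside the window
```

The check in `forward_access_request` is deliberately keyed on the requesting device identifier and the target device identifier together, so a device that is not the first access device of any active record gets nothing forwarded even if it knows the target device identifier.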
- the first access device may establish a local connection with the target device based on the local shared credential to access the target device.
- the target device is Device A
- OBT A is the client that has an association relationship with Device A, that is, the second access device, Device A and OBT A have the same User ID: User ID A
- OBT B is a client that does not have an association relationship with Device A, that is, the first access device; OBT B has User ID: User ID B.
- Example 1: OBT A is used as the initiator of device sharing registration and the generator of local sharing credentials.
- Step S501 OBTA obtains the device information of OBTB.
- the device information of the OBTB may include: device identification and/or user identification.
- Step S501 can be performed in an out-of-band manner, for example, OBTA scans the two-dimensional code generated by OBTB.
- the embodiment of the present invention does not impose any limitation on the way and method for the OBTA to obtain the device information of the OBTB.
- Step S502 The OBTA initiates a registration request to the cloud.
- the information that OBTA sends to the cloud through the registration request includes: User ID A (optional), Device ID of OBTA, Device ID of Device A, User ID B (optional), Device ID of OBTB, etc.
- the registration request can also carry sharing restrictions: Only One Time, Always, etc. Sharing restrictions can also be time restrictions, such as from 8:00-10:00, and more complex restrictions.
- the cloud platform generates a sharing record based on the information sent by the registration request. It should be noted that the sharing record is not yet available at this time, since it has not been activated.
- a device share (deviceshare) resource can be set, and the deviceshare resource can be saved in the cloud and the device side at the same time, and its purpose is to save the sharing record.
- the sharing record saved in the cloud can be accessed by the associated User ID, for example User ID A or User ID B.
- when the cloud platform receives an access request, it checks the deviceshare resource. If the access target specified in the message is a device that has a sharing relationship with the requester according to the sharing record, the cloud platform forwards the access request.
- the content of the sharing record can be as shown in Table 1.
- Step S503-Step S504 the cloud confirms the approval of Device A and OBT B.
- Step S503 includes: step S503-1 and step S503-2.
- step S503-1 the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
- Step S503-2 Device A sends a sharing confirmation to the cloud.
- when Device A approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the third response.
- step S504-1 the cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
- the way of confirmation is to add the same content as step S502 to the deviceshare resource saved on OBT B.
- step S504-2 OBT B sends a sharing confirmation to the cloud.
- when OBT B approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the third response.
- the way of confirmation is to add the same content as step S502 to the deviceshare resource saved on Device A.
- step S505 the cloud changes the sharing attribute of the saved sharing record to true.
- after the cloud platform receives approval from Device A and OBT B, it changes the shareenabled attribute of the saved sharing record to true to activate the sharing record.
- the cloud sends a request to Device A and OBT B to modify the shareenabled attribute of the sharing records saved on Device A and OBT B to true.
- step S506 the cloud sends a sharing completion notification to the OBTA.
- OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
- step S505 the cloud platform can update the aforementioned sharing record to the deviceshare resource stored on OBT A, that is to say, the same sharing record is stored on all the aforementioned devices.
- step S507 the OBTA generates a local sharing certificate.
- after receiving the sharing completion notification from the cloud platform, OBTA initiates a local sharing process and generates a local sharing credential. Two devices holding the local sharing credential can be connected.
- Local shared credentials may include various forms of credentials such as pin codes, shared keys, certificates, etc.
- Step S508 OBT A configures Device A's access policy.
- OBT A uses the local shared credential generated in step S506 to configure the access policy of Device A.
- the shared key is saved as an access policy of Device A, and the credential is used to confirm both parties when the connection is subsequently established.
- step S508 includes: step S508-1 and step S508-2.
- step S508-1 OBT A configures the generated local shared credential to Device A.
- Step S508-2 Device A sends a configuration complete message to OBT A.
- step S509 OBT A shares the local sharing certificate to OBTB through the cloud.
- after OBT A completes the configuration of Device A's access policy, it can share the local shared credential with OBTB through the cloud platform.
- step S509 includes: step S509-1, step S509-2, step S509-3, step S509-4, and step S509-5.
- step S509-1 Device A notifies the cloud to update Device A's local sharing certificate.
- step S509-2 the cloud notifies OBTB to update Device A's local sharing certificate.
- Step S509-3 OBTB completes self-configuration according to Device A's local shared credentials.
- step S509-4 the OBTB sends a self-configuration complete message to the cloud.
- Step S509-5 the cloud forwards the self-configuration complete message sent by OBTB to Device A.
- both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
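Steps S507 to S509 of Example 1, and the local connection that follows them, are illustrated below. This is an added example for this page, not code from the patent: the text only says that OBT A generates a shared key, configures it as Device A's access policy, relays it to OBT B through the cloud, and that the credential confirms both parties when the local connection is later set up. The key size, the access-policy layout (peer device identifier to shared key) and the HMAC challenge-response used for the mutual confirmation are assumptions.

```python
# Added illustration of Example 1's local sharing credential (steps S507-S509)
# and the subsequent local connection.  Key size, access-policy layout and the
# HMAC challenge-response are assumptions, not the patent's own design.
import hashlib
import hmac
import secrets


def generate_local_sharing_credential():
    """Step S507: OBT A generates the credential, here a random 256-bit shared key."""
    return secrets.token_bytes(32)


def _proof(key, verifier_id, prover_id, challenge):
    """HMAC over (verifier, prover, nonce): a proof is bound to its direction, so
    a value observed in one direction cannot be replayed in the other."""
    msg = verifier_id.encode() + b"|" + prover_id.encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class TargetDevice:
    """Device A: its access policy maps a peer device identifier to a shared key."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.access_policy = {}     # peer device id -> shared key

    def configure_credential(self, peer_id, credential):
        """Step S508-1 (OBT A configures the credential) and S508-2 (reply)."""
        self.access_policy[peer_id] = credential
        return "configuration complete"

    def verify_peer(self, peer_id, challenge, peer_proof):
        key = self.access_policy.get(peer_id)
        if key is None:
            return False            # no local sharing credential for this peer
        expected = _proof(key, self.device_id, peer_id, challenge)
        return hmac.compare_digest(expected, peer_proof)

    def prove_to_peer(self, peer_id, challenge):
        return _proof(self.access_policy[peer_id], peer_id, self.device_id, challenge)


class AccessClient:
    """OBT B: receives the credential through the cloud (step S509) and self-configures."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.credentials = {}       # target device id -> shared key

    def self_configure(self, target_id, credential):
        """Step S509-3."""
        self.credentials[target_id] = credential
        return "self-configuration complete"


def establish_local_connection(client, device):
    """Mutual confirmation over the local link: both sides prove possession of
    the same local sharing credential before the connection is accepted."""
    key = client.credentials.get(device.device_id)
    if key is None:
        return False                # client was never given a credential for this device
    # Device A confirms OBT B
    c1 = secrets.token_bytes(16)
    if not device.verify_peer(client.device_id, c1,
                              _proof(key, device.device_id, client.device_id, c1)):
        return False
    # OBT B confirms Device A
    c2 = secrets.token_bytes(16)
    expected = _proof(key, client.device_id, device.device_id, c2)
    return hmac.compare_digest(expected, device.prove_to_peer(client.device_id, c2))


def run_example_1(tamper=False, skip_device_config=False):
    """Steps S507-S509 end to end; the flags inject the two failure cases."""
    device_a = TargetDevice("Device-A")
    obt_b = AccessClient("OBT-B")
    credential = generate_local_sharing_credential()          # S507 at OBT A
    if not skip_device_config:
        device_a.configure_credential("OBT-B", credential)    # S508 by OBT A
    relayed = secrets.token_bytes(32) if tamper else credential   # S509 via the cloud
    obt_b.self_configure("Device-A", relayed)                 # S509-3 at OBT B
    return establish_local_connection(obt_b, device_a)


if __name__ == "__main__":
    print(run_example_1())                  # True: both sides hold the same credential
    print(run_example_1(tamper=True))       # False: OBT B received a different key
```

The two failure cases show why the credential is stored per peer on Device A: a client whose key does not match the policy entry for its own device identifier, or a client for which no entry exists at all, is rejected before any access is granted, and Device A must likewise prove itself to OBT B.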
- Example 2: OBT B is used as the initiator of the registration of device sharing and the generator of the local sharing credential.
- Step S601 OBT B obtains device information of OBT A.
- the device information of OBT A may include: device identification and/or user identification.
- Step S601 may be performed in an out-of-band manner, for example, OBT B scans the two-dimensional code generated by OBT A.
- the embodiment of the present invention does not impose any limitation on the way and method for the OBT B to obtain the device information of the OBT A.
- Step S602 OBTB initiates a registration request to the cloud.
- the information that OBT B sends to the cloud platform through the registration request includes: User ID A (optional), Device ID of OBTA, Device ID of Device A, User ID B (optional), Device ID of OBTB, etc.
- the registration request can also carry sharing restrictions: Only One Time, Always, etc. Sharing restrictions can also be time restrictions, such as from 8:00-10:00, and more complex restrictions.
- the cloud platform generates a sharing record based on the information sent by the registration request, and the sharing limit in the sharing record can be modified by OBT. It should be noted that at this time, the sharing record is not available if it has not been activated.
- a device share (deviceshare) resource can be set, and the deviceshare resource can be saved in the cloud and the device side at the same time, and its purpose is to save the sharing record.
- the sharing record saved in the cloud can be accessed by the associated User ID, for example User ID A or User ID B.
- when the cloud platform receives an access request, it checks the deviceshare resource. If the access target specified in the message is a device that has a sharing relationship with the requester according to the sharing record, the cloud platform forwards the access request.
- step S603 the cloud confirms the approval of OBT A.
- Step S603 includes: step S603-1 and step S603-2.
- step S603-1 the cloud sends a confirmation request to OBT A to confirm whether the above registration request is approved by OBT A.
- Step S603-2 OBT A sends a sharing confirmation to the cloud.
- when OBT A approves the above registration request, it sends the sharing confirmation corresponding to the confirmation request to the cloud platform, which is the first response.
- step S604 the sharing attribute of the sharing record saved in the cloud is changed to true.
- Step S605 The cloud sends a sharing notification to Device A.
- the cloud platform sends a sharing notification to Device A, and Device A saves the sharing record on it and changes the shareenabled attribute to true.
- step S606 the cloud sends a sharing completion notification to OBT B.
- the cloud platform sends a sharing completion notification for the registration request in step S602 to the OBTB.
- after OBTB receives the sharing completion notification, it can also modify the shareenabled attribute of the corresponding sharing record it has saved to true.
- OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
- step S607 OBT B generates a local sharing certificate.
- after receiving the sharing completion notification from the cloud platform, OBTB initiates a local sharing process and generates a local sharing credential. Two devices holding the local sharing credential can be connected.
- Local shared credentials may include various forms of credentials such as pin codes, shared keys, certificates, etc.
- Step S608 OBT B completes self-configuration according to Device A's local shared credential.
- step S609 OBT B notifies the cloud to update Device A's local sharing certificate.
- step S610 the cloud notifies OBT A to update Device A's local sharing certificate.
- Step S611 OBT A configures Device A's access policy.
- OBT A uses the local shared credential received in step S610 to configure the access policy of Device A.
- step S611 includes: step S611-1 and step S611-2.
- step S611-1 OBT A configures the received local shared credential to Device A.
- step S611-2 Device A sends a configuration complete message to OBT A.
- Step S612 OBT A sends a self-configuration complete message to the cloud.
- step S613 the cloud forwards the self-configuration completion message sent by OBT A to OBT B.
- both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
- Example 3: the cloud is the generator of the local shared credential.
- Step S701 OBTA obtains the device information of OBTB.
- Step S702 OBTA initiates a registration request to the cloud.
- Step S703-Step S704 the cloud confirms the approval of Device A and OBT B.
- Step S703 includes: step S703-1 and step S703-2.
- step S703-1 the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
- Step S703-2 Device A sends a sharing confirmation to the cloud.
- Step S704-1 The cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
- the cloud platform may carry the local sharing certificate in the confirmation request sent to the OBTB.
- step S704-2 OBT B sends a sharing confirmation to the cloud.
- step S705 the sharing attribute of the sharing record saved in the cloud is changed to true.
- step S706 the cloud sends a sharing completion notification to the OBTA.
- after OBTA receives the above notification, it can also modify the shareenabled attribute of the corresponding sharing record it has saved to true. At the same time, the sharing completion notification sent by the cloud platform to OBTA carries the local sharing credential.
- OBT B and Device A have established a connection at the application layer, and OBT B can remotely access Device A.
- Step S707 OBT B completes self-configuration according to the received local sharing credential.
- step S708-1 OBT A configures the received local shared credential to Device A.
- Step S708-2 Device A sends a configuration complete message to OBT A.
- both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
- Example 1 and Example 2 can be cross-combined.
- the OBTA identifier can be carried in the registration request, and the identifier of Device A does not need to be carried, which means that all devices associated with the OBTA can be shared with OBTB.
- it can also be extended to share multiple devices at once.
- an embodiment of the present invention further provides a server 800, such as the server 304 in FIG. 3; the composition structure of the server 800 is shown in FIG. 8, and the server 800 includes:
- the establishing unit 801 is configured to establish a sharing record between the first device identifier of the first access device, the second device identifier of the second access device, and the target device identifier of the target device associated with the second access device, where the sharing record is used to share the access permission of the target device with the first access device;
- the credential transmission unit 802 is configured to transmit a local shared credential between the first access device and the second access device, where the local shared credential is used to establish a local connection between the first access device and the target device.
- the server 800 further includes:
- the receiving unit is configured to receive a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
- the registration request also carries: the target device identifier.
- the registration request also carries one of the following information:
- the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions;
- the sharing record also includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
- the server 800 further includes:
- the first confirmation unit is configured as:
- the registration request is sent by the first access device, sending a first confirmation request to the second access device;
- the first response of the second access device in response to the first confirmation request is received, and the sharing record is set to an active state.
- the server 800 further includes: a first notification unit configured to send a first sharing completion notification to the first access device, where the first sharing completion notification is used to instruct the first access device to locally set the sharing record on the first access device.
- the server 800 further includes:
- the second notification unit is configured to send a second sharing completion notification to the target device, where the second sharing completion notification is used to instruct the target device to locally set the sharing record on the target device.
- the server 800 further includes: a second confirmation unit configured to:
- the registration request is sent by the second access device, sending a second confirmation request and a third confirmation request to the first access device and the target device respectively;
- the second response of the first access device in response to the second confirmation request is received, and the third response of the target device in response to the third confirmation request is received, and the sharing record is set to an active state.
- the server 800 further includes:
- the server sends a third sharing completion notification to the second access device, where the third sharing completion notification is used to instruct the second access device to locally set the sharing record on the second access device.
- the credential transmission unit 802 is further configured to: when the server generates the local sharing credential, send the local sharing credential to the first access device through the first sharing completion notification, which carries the local sharing credential.
- the credential transmission unit 802 is further configured to: when the server generates the local sharing credential, send the local sharing credential to the second access device through the third sharing completion notification, which carries the local sharing credential.
- the credential transmission unit 802 is further configured to: when the local sharing credential is generated by the first access device, forward it to the second access device; when the local sharing credential is generated by the second access device, forward it to the first access device.
- the server 800 further includes: a first access unit configured to receive the access request of the first access device for the target device and, if the sharing record exists, forward the access request to the target device.
- An embodiment of the present invention also provides a server, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, executes the steps of the access control method performed by the server.
- An embodiment of the present invention also provides an access device 900, which is the first access device 301 in FIG. 3; a schematic diagram of the composition of the access device 900 is shown in FIG. 9, and it includes:
- the first obtaining unit 901 is configured to obtain the second device identifier of the second access device;
- the first sending unit 902 is configured to send the first device identifier of the first access device and the second device identifier to the server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
- the first transmission unit 903 is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
- the access device 900 further includes: a first generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
- the first sending unit 902 is configured to send the registration request to the server.
- the registration request also carries: the target device identifier.
- the registration request also carries one of the following pieces of information: the first user identifier of the first access device, the second user identifier of the second access device, and sharing restriction conditions;
- the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
- the access device 900 further includes: a first setting unit configured to locally set the sharing record on the first access device according to the first sharing completion notification.
- the first transmission unit 903 is further configured to receive the local sharing credential sent by the server through the first sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
- the first transmission unit 903 is further configured to receive the local sharing credential that is generated by the second access device and sent by the server.
- the access device 900 further includes:
- the second access unit is configured to generate an access request based on the target device identifier and send the access request to the server; if the sharing record exists, the server forwards the access request to the target device.
- the access device 900 further includes:
- the first configuration unit is configured to configure an access policy for the access device to access the target device according to the local shared credential.
- An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, causes the access device 900 to execute the steps of the access control method.
- An embodiment of the present invention also provides an access device 1000, which is the second access device 302 in FIG. 3; a schematic diagram of the composition of the access device 1000 is shown in FIG. 10, and it includes:
- the second obtaining unit 1001 is configured to obtain the first device identifier of the first access device;
- the second sending unit 1002 is configured to send the first device identifier and the second device identifier of the second access device to the server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
- the second transmission unit 1003 is configured to transmit a local shared credential with the server, and the local shared credential is used for the first access device to establish a local connection with the target device.
- the access device 1000 further includes: a second generating unit configured to generate a registration request according to the first device identifier and the second device identifier;
- the second sending unit 1002 is configured to send the registration request to the server.
- the registration request also carries: the target device identifier.
- the registration request also carries one of the following pieces of information: the first user identifier of the first access device, the second user identifier of the second access device, and sharing restriction conditions;
- the sharing record further includes one of the following information: the first user identification of the first access device, the second user identification of the second access device, and sharing restriction conditions.
- the access device 1000 further includes: a second setting unit configured to locally set the sharing record on the second access device according to the third sharing completion notification.
- the second transmission unit 1003 is further configured to receive the local sharing credential sent by the server through the third sharing completion notification carrying the local sharing credential, where the local sharing credential is generated by the server.
- the second transmission unit 1003 is further configured to receive the local sharing credential that is generated by the first access device and sent by the server.
- the access device 1000 further includes:
- the second configuration unit is configured to configure an access policy for the second access device to access the target device according to the local shared credential.
- An embodiment of the present invention also provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, causes the access device 1000 to execute the steps of the access control method.
- the electronic device 1100 includes: at least one processor 1101, a memory 1102, and at least one network interface 1104.
- the various components in the electronic device 1100 are coupled together through the bus system 1105.
- the bus system 1105 is used to implement connection and communication between these components.
- the bus system 1105 also includes a power bus, a control bus, and a status signal bus.
- for clarity, the various buses are collectively marked as the bus system 1105 in FIG. 11.
- the memory 1102 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory.
- the non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory.
- the volatile memory may be a random access memory (RAM, Random Access Memory), which is used as an external cache.
- RAM: Random Access Memory
- SRAM: Static Random Access Memory
- SSRAM: Synchronous Static Random Access Memory
- DRAM: Dynamic Random Access Memory
- SDRAM: Synchronous Dynamic Random Access Memory
- DDRSDRAM: Double Data Rate Synchronous Dynamic Random Access Memory
- ESDRAM: Enhanced Synchronous Dynamic Random Access Memory
- SLDRAM: SyncLink Dynamic Random Access Memory
- DRRAM: Direct Rambus Random Access Memory
- the memory 1102 described in the embodiment of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
- the memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 1100. Examples of such data include: any computer program used to operate on the electronic device 1100, such as an application program 11021.
- the program for implementing the method of the embodiment of the present invention may be included in the application program 11021.
- the method disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101.
- the processor 1101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method can be completed by an integrated logic circuit of hardware in the processor 1101 or instructions in the form of software.
- the aforementioned processor 1101 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like.
- the processor 1101 may implement or execute various methods, steps, and logical block diagrams disclosed in the embodiments of the present invention.
- the general-purpose processor may be a microprocessor or any conventional processor or the like.
- the steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
- the software module may be located in a storage medium, and the storage medium is located in the memory 1102.
- the processor 1101 reads the information in the memory 1102, and completes the steps of the foregoing method in combination with its hardware.
- the electronic device 1100 may be implemented by one or more Application Specific Integrated Circuits (ASIC), DSPs, Programmable Logic Devices (PLD), Complex Programmable Logic Devices (CPLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, microcontroller units (MCU), microprocessor units (MPU), or other electronic components, so as to implement the foregoing method.
- the embodiment of the present invention also provides a storage medium for storing computer programs.
- the storage medium may be applied to the server in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
- the storage medium can be applied to the access device in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention.
- These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing; the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Abstract
An access control method, comprising: a server (304) establishing a sharing record among a first device identifier of a first access device (301), a second device identifier of a second access device (302) and a target device identifier of a target device (303) associated with the second access device (302), the sharing record being used to share the access right of the target device (303) with the first access device (301) (S401); and the server (304) transmitting a local sharing credential between the first access device (301) and the second access device (302), the local sharing credential being used by the first access device (301) to establish a local connection with the target device (303) (S402).
Description
The present invention relates to Internet of Things (IoT) technology, and in particular to an access control method, a server, an access device and a storage medium.
In the Internet of Things, devices that are not in the same local network can communicate with each other through the cloud; the cloud groups the devices belonging to the same user under a user ID created in the cloud. All devices registered to the cloud and belonging to the same user ID can communicate according to the permission policy of the device authorization cloud (for example, the ACE2 policy). Devices in the same local network can communicate with each other through the local network. Cloud communication and local network communication are therefore isolated from each other, and a device can only be accessed by one user, which cannot meet application scenarios with multiple users.
Summary of the invention
Embodiments of the present invention provide an access control method, a server, an access device and a storage medium, which can share the access authority of a device with other users and thereby realize multi-user access.
The technical solution of the embodiments of the present invention is realized as follows:
In a first aspect, an embodiment of the present invention provides an access control method, including:
a server establishes a sharing record among a first device identifier of a first access device, a second device identifier of a second access device, and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access authority of the target device to the first access device;
the server transmits a local sharing credential between the first access device and the second access device, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a second aspect, an embodiment of the present invention provides an access control method, including:
a first access device obtains a second device identifier of a second access device;
the first access device sends a first device identifier of the first access device and the second device identifier to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
the first access device transmits a local sharing credential with the server, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a third aspect, an embodiment of the present invention provides an access control method, including:
a second access device obtains a first device identifier of a first access device;
the second access device sends the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
the second access device transmits a local sharing credential with the server, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a fourth aspect, an embodiment of the present invention provides a server, including:
an establishment unit configured to establish a sharing record among a first device identifier of a first access device, a second device identifier of a second access device, and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access authority of the target device to the first access device;
a transmission unit configured to transmit a local sharing credential between the first access device and the second access device, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a fifth aspect, an embodiment of the present invention provides an access device, including:
a first obtaining unit configured to obtain a second device identifier of a second access device;
a first sending unit configured to send a first device identifier of the first access device and the second device identifier to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
a first transmission unit configured to transmit a local sharing credential with the server, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a sixth aspect, an embodiment of the present invention provides an access device, including:
a second obtaining unit configured to obtain a first device identifier of a first access device;
a second sending unit configured to send the first device identifier and a second device identifier of the second access device to a server, where the first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and a target device identifier of a target device associated with the second access device, and the sharing record is used to share the access authority of the target device to the first access device;
a second transmission unit configured to transmit a local sharing credential with the server, where the local sharing credential is used for the first access device to establish a local connection with the target device.
In a seventh aspect, an embodiment of the present invention provides a server, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, executes the steps of the access control method performed by the server.
In an eighth aspect, an embodiment of the present invention provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, executes the steps of the access control method performed by the first access device.
In a ninth aspect, an embodiment of the present invention provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, executes the steps of the access control method performed by the second access device.
In a tenth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the server.
In an eleventh aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the first access device.
In a twelfth aspect, an embodiment of the present invention provides a storage medium storing an executable program which, when executed by a processor, implements the access control method performed by the second access device.
The access control method provided by the embodiments of the present invention includes: a server establishes a sharing record among a first device identifier of a first access device, a second device identifier of a second access device, and a target device identifier of a target device associated with the second access device, where the sharing record is used to share the access authority of the target device to the first access device; the server transmits a local sharing credential between the first access device and the second access device, where the local sharing credential is used for the first access device to establish a local connection with the target device. Thus, based on the sharing record, a first access device that is not associated with the target device can access the target device, and the local sharing credential that enables the first access device to access the target device locally is transmitted between the first access device and the second access device that correspond to the sharing record. As a result, the target device is no longer restricted to access by the single user identifier bound to it, multi-user access is realized, and the first access device's access to the target device is not restricted by the network.
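The sharing-record flow summarized in the paragraph above, together with the access-request forwarding described for the server and the access devices earlier on this page, as an added Python model that is not part of the patent: a registration request from either access device, confirmation by the other parties before the record becomes active, a local sharing credential that is either generated by the server or supplied by an access device, and forwarding of an access request only while an active record exists. The device identifiers, the outbox, and the use of an expiry time as the sharing restriction condition are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class SharingRecord:
    """Sharing record among the first device id, the second device id and the target id."""
    first_id: str                        # first access device: the one being granted access
    second_id: str                       # second access device: associated with the target
    target_id: str                       # target device whose access authority is shared
    expires_at: Optional[float] = None   # sharing restriction condition (assumed: a deadline)
    pending: Set[str] = field(default_factory=set)  # parties whose confirmation is missing
    active: bool = False
    credential: Optional[bytes] = None   # local sharing credential, fixed once active


class SharingServer:
    """Hypothetical model of the server side of the sharing flow (not the patent's code)."""

    def __init__(self) -> None:
        self.bindings = {}   # target_id -> second access device it is associated with
        self.records = {}    # (first_id, target_id) -> SharingRecord
        self.outbox = []     # (recipient, notification, payload) the server would send

    def bind(self, second_id: str, target_id: str) -> None:
        """Record the existing association between a target device and its second access device."""
        self.bindings[target_id] = second_id

    def register(self, requester, first_id, second_id, target_id, expires_at=None):
        """Handle a registration request carrying both device ids and the target id."""
        # A record may only be established for a target the second access device is associated with.
        if self.bindings.get(target_id) != second_id:
            raise PermissionError("target is not associated with the second access device")
        if requester == first_id:
            pending = {second_id}               # first confirmation request -> second device
        elif requester == second_id:
            pending = {first_id, target_id}     # second and third confirmation requests
        else:
            raise PermissionError("registration from a party outside the record")
        rec = SharingRecord(first_id, second_id, target_id, expires_at, pending)
        self.records[(first_id, target_id)] = rec          # created in the inactive state
        for party in sorted(pending):
            self.outbox.append((party, "confirmation_request", (first_id, target_id)))
        return rec

    def respond(self, responder, first_id, target_id, accept, credential=None):
        """Process a confirmation response; return True once the record becomes active."""
        rec = self.records.get((first_id, target_id))
        if rec is None or responder not in rec.pending:
            return False      # unknown record, or unsolicited / duplicate response: ignored
        if not accept:
            del self.records[(first_id, target_id)]        # a refusal cancels the sharing
            return False
        if credential is not None:
            rec.credential = credential                    # generated by an access device
        rec.pending.discard(responder)
        if rec.pending:
            return False      # still waiting for another party's response
        rec.active = True
        if rec.credential is None:
            rec.credential = secrets.token_bytes(32)       # generated by the server
        # Sharing completion notifications; the credential is carried to the two access devices.
        self.outbox.append((rec.first_id, "sharing_complete", rec.credential))
        self.outbox.append((rec.second_id, "sharing_complete", rec.credential))
        self.outbox.append((rec.target_id, "sharing_complete", None))
        return True

    def forward_access(self, first_id, target_id, now=None):
        """Return the target to forward an access request to, or None if no record allows it."""
        now = time.time() if now is None else now
        rec = self.records.get((first_id, target_id))
        if rec is None or not rec.active:
            return None       # no sharing record, or one still awaiting confirmation
        if rec.expires_at is not None and now >= rec.expires_at:
            return None       # sharing restriction condition no longer satisfied
        return target_id
```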
FIG. 1 is a schematic diagram of an optional structure of an Internet of Things system provided by an embodiment of the present invention;
FIG. 2 is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of an optional structure of an Internet of Things system provided by an embodiment of the present invention;
FIG. 4A is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 4B is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 4C is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 5 is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 6 is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 7 is an optional flowchart of an access control method provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of an optional structure of a server provided by an embodiment of the present invention;
FIG. 9 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of an optional structure of an access device provided by an embodiment of the present invention;
FIG. 11 is a schematic diagram of an optional structure of an electronic device provided by an embodiment of the present invention.
为了使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明作进一步地详细描述,所描述的实施例不应视为对本发明的限制,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的范围。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings. The described embodiments should not be regarded as limiting the present invention. Those of ordinary skill in the art have not made All other embodiments obtained under the premise of creative work belong to the protection scope of the present invention.
在对本发明实施例提供的访问控制方法进行详细说明之前,先对物联网系统的访问控制进行简要说明。Before describing in detail the access control method provided by the embodiment of the present invention, a brief description of the access control of the Internet of Things system will be given first.
物联网系统的访问控制包括基于家庭网络的本地访问和基于云端的远程访问。The access control of the Internet of Things system includes local access based on the home network and remote access based on the cloud.
After an IoT device joins the Internet of Things it needs to register with the cloud. During registration the IoT device obtains a corresponding user identifier (UserID), and once registered with the cloud the device is in a remotely operable state. If the IoT device is not registered with the cloud it cannot be operated remotely, but it can still be operated locally. The reason is that the UserID is the IoT device's user identifier in the cloud, not its device ID; local operation of the IoT device depends on the device's access policy and is unrelated to the UserID.
Local access and remote access are described separately below.
Local access
After an IoT device joins the home network it is configured directly. Configuration is performed by the OBT. During configuration the Owner ID of the IoT device is set to the Device ID of the OBT device, and the device's access credential is also configured; this access credential is used for mutual authentication when two devices establish a connection. The access credential may be a symmetric key, an asymmetric key, a certificate, or similar.
After the two devices have authenticated each other they can establish a secure communication connection, that is, they can interconnect and interoperate.
Remote access
The structure of a cloud-based IoT system is shown in Fig. 1 and includes a client 101, a server 102 and a cloud 103. The client 101 accesses resources of the server 102, and the server 102 provides the resources accessed by the client 101. The client 101 and the server 102 communicate with each other through the cloud 103.
When the client 101 requests a CRUDN operation on a resource referenced by the resource Links hosted by the cloud 103, the client 101 sends the CRUDN request to the cloud 103, the cloud 103 forwards the request to the server 102 that actually hosts the resource, the server 102 responds to the cloud 103's CRUDN request, and the cloud 103 forwards the server 102's response to the client 101. The communication path is therefore client 101 -> cloud 103 -> server 102 -> cloud 103 -> client 101.
Exemplarily, the cloud 103 may include three functional entities:
Cloud interface 1031: the anchor point in the cloud, responsible for server access management and for routing messages in remote communication between client and server. The cloud interface exposes a single unified address and port number, such as coaps+tcp://example.com:443.
Authorization server 1032: responsible for server registration and for authenticating clients and servers.
Resource directory 1033: an index of server resources; by querying the resource directory a client can obtain the resources of a target device.
The authorization server 1032 may be the same physical entity as the cloud or a different physical entity.
Each device may be a client, a server, or both a client and a server.
The registration flow of a device in the cloud is shown in Figure 2 and includes:
Step S201: the configurator obtains the user's access token (Access Token) from the authorization server.
The user APP provides a configurator (Mediator) function for configuring devices to connect to the cloud. The configurator is configured with the cloud access Uniform Resource Locator (URL), and the user has registered a user name and password, so that the authorization server can authorize the user and return an access token to the configurator. The user APP may reside on the device acting as the client.
Step S202: the configurator registers with the cloud.
The configurator presents the access token to the cloud to register; the cloud verifies the Access Token and assigns a User ID. When the same user uses different configurators, the authorization server issues different Access Tokens, but every configurator used by that user is associated with the same User ID.
Step S203: the configurator connects to the device and configures it.
The configurator connects to the device through the normal device discovery process and then requests an Access Token from the cloud for the device being configured. The configurator uses the Access Token authorized by the cloud, the cloud access Uniform Resource Identifier (URI) and the cloud Universally Unique Identifier (UUID) to update the cloud configuration resource on the device that holds the cloud information, e.g. the "oic.r.coapcloudconf" resource. This Access Token provided by the cloud is used when the device performs its initial registration with the cloud.
Step S204: the device establishes a Transport Layer Security (TLS) connection with the cloud.
After the configurator has configured the device's configuration resource, the device uses its pre-provisioned digital certificates to establish a TLS connection with the cloud. The pre-provisioned certificates include the device's manufacturer certificate and the trust anchor certificate.
Step S205: the device registers with the cloud.
To register with the cloud, the device sends an UPDATE operation request to the account resource in the cloud; the request carries the Access Token and User ID configured in the cloud configuration resource. The cloud maintains a unique instance of the account resource for each device. The account resource may be the "/oic/sec/account" resource.
Steps S206 to S207: the cloud verifies the Access Token provided by the device.
The cloud sends the User ID and Access Token provided by the device to the authorization server. After the authorization server successfully verifies the update request, the cloud responds to the update operation; the response provides the device with a renewed Access Token and its validity period. The cloud also records the User ID associated with, i.e. bound to, this device.
Note that when the authorization server is integrated into the cloud, step S201 is completed between the cloud and the configurator, and step S207 is not required.
The device must log in to the cloud before data can be transferred between device and cloud; to do so the device sends an UPDATE operation request to the cloud's session resource. After the cloud successfully verifies the update request, the TLS connection between device and cloud is established and data exchange can begin. The session resource may be the "/oic/sec/session" resource.
The device in Figure 2 may be a client or a server. If the device is a server, then after establishing the TLS connection with the cloud it publishes the resources it hosts in the cloud's resource directory, so that clients can access those resources remotely.
Devices that are not in the same local network can communicate with each other through the cloud using the Constrained Application Protocol over Transmission Control Protocol (CoAP over TCP). The cloud groups devices belonging to the same User ID under that User ID. All devices registered with the cloud and belonging to the same User ID can communicate according to the ACE2 policy of the device-authorized cloud. In the embodiments of the present invention, a device under a User ID is referred to as a device having a binding relationship with that User ID.
However, in remote access only devices associated with the same User ID can access one another, so a device can only be accessed remotely through the cloud by a single User ID. In a household with several members this means only one User ID can control the household's devices, and the other members have to log in with that same User ID. If several family members each register their own User ID in the cloud, each can only control the devices under their own User ID and cannot control devices associated with the other User IDs through the cloud. This does not meet multi-user application scenarios, and with the local and remote communication architectures split from each other, neither remote sharing nor local sharing of devices can be accomplished.
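The registration flow of Figure 2 and the prior-art access rule it leads to, as an added illustrative model (not the patent's code or any OCF implementation). It assumes an authorization server that issues Access Tokens for user name/password logins, a cloud that registers configurators and devices and binds each device to a User ID, and reduces the ACE2 policy to the single check the text describes: remote access is only possible between devices bound to the same User ID. All user names, tokens and device identifiers are constructed sample values.

```python
"""Cloud registration and User ID binding (the Figure 2 flow), illustrative model."""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Issues Access Tokens (S201) and verifies them for the cloud (S206/S207)."""
    users: dict = field(default_factory=dict)   # constructed: username -> (password, user_id)
    tokens: dict = field(default_factory=dict)  # token -> user_id

    def add_user(self, username, password, user_id):
        self.users[username] = (password, user_id)

    def issue_token(self, username, password):
        """S201: a configurator logs in with user credentials and gets a token.
        Every call returns a fresh token; all of a user's tokens map to one User ID."""
        record = self.users.get(username)
        if record is None or not secrets.compare_digest(record[0].encode(), password.encode()):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = record[1]
        return token

    def user_for(self, token):
        return self.tokens.get(token)

    def verify(self, token, user_id):
        """S206/S207: does this token belong to the claimed User ID?"""
        return self.user_for(token) == user_id


@dataclass
class Cloud:
    auth: AuthorizationServer
    bindings: dict = field(default_factory=dict)  # device_id -> bound User ID

    def register_configurator(self, token):
        """S202: verify the configurator's token and return its User ID (None if unknown)."""
        return self.auth.user_for(token)

    def token_for_device(self, configurator_token):
        """S203: a registered configurator requests an Access Token for the device it
        is configuring; the token carries the configurator's User ID."""
        user_id = self.register_configurator(configurator_token)
        if user_id is None:
            return None
        device_token = secrets.token_hex(16)
        self.auth.tokens[device_token] = user_id  # modelling shortcut: the AS must know it for S206
        return device_token

    def register_device(self, device_id, token, user_id):
        """S205 to S207: UPDATE on the account resource carrying token and User ID.
        The cloud asks the AS to verify; on success the device is bound to the User ID
        and receives a renewed token (the validity period is omitted in this model)."""
        if not self.auth.verify(token, user_id):
            return None
        self.bindings[device_id] = user_id
        renewed = secrets.token_hex(16)
        self.auth.tokens[renewed] = user_id
        return renewed

    def may_communicate(self, client_id, server_id):
        """Prior-art remote access rule: both devices must be bound to one User ID."""
        cu, su = self.bindings.get(client_id), self.bindings.get(server_id)
        return cu is not None and cu == su
```

The last method is the limitation the following paragraphs set out to remove: a device registered under a second user's User ID is simply unreachable for a client bound to a different User ID, regardless of what the household wants.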
To address the above problems, the present invention provides an access control method. The access control method of the embodiments of the present invention may be applied to the IoT system 300 shown in FIG. 3, which includes a first access device 301, a second access device 302, a target device 303 and a server 304, where the first access device 301 and the second access device 302 are clients, the target device 303 is a server, and the server 304 is the cloud. Clients access the server's resources via the cloud.
The first access device 301 logs in to the server 304 with a first user identifier, and the second access device 302 logs in to the server 304 with a second user identifier. The first user identifier is not associated with the target device, while the second user identifier is; that is, the first access device and the target device are not devices under the same user identifier, whereas the second access device and the target device are devices under the same user identifier.
The client, server and cloud in the IoT system 300 may communicate based on various communication systems, such as a Global System for Mobile communication (GSM) system, a Code Division Multiple Access (CDMA) system, a Wideband Code Division Multiple Access (WCDMA) system, General Packet Radio Service (GPRS), a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, LTE Time Division Duplex (TDD), a Universal Mobile Telecommunication System (UMTS), a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a 5G system, and so on.
The first access device 301 and the second access device 302 may be terminal devices. A terminal device may refer to an access terminal, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile terminal, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a 5G network, a terminal device in a future evolved PLMN, and so on.
The target device 303 may be an IoT device such as a sensor, a laser scanning system or a smart home appliance.
Figure 3 exemplarily shows one server and two clients. Optionally, the IoT system 300 may include multiple servers, together with clients that have a binding relationship with a server and clients that do not; the embodiments of the present invention place no limitation on this.
An optional processing flow of the access control method provided by the embodiments of the present invention, shown in FIG. 4A, includes the following steps:
Step S401: the server establishes a sharing record between the first device identifier of the first access device, the second device identifier of the second access device, and the target device identifier of the target device associated with the second access device.
The server may receive the first device identifier and the second device identifier sent by the first access device or by the second access device and, based on the identifiers received, establish a correspondence between the first device identifier, the second device identifier and the target device identifier of a target device associated with the same user identifier as the second access device. This correspondence is called a sharing record. The sharing record is used to share the target device's access permission with the first access device, that is, to determine that the access permission of at least one target device associated with the second access device is shared with the first access device, which is not associated with the target device.
Here, the first access device and the target device are not associated with the same user identifier, i.e. the first access device is not associated with the target device; the second access device and the target device are associated with the same user identifier, i.e. the second access device is associated with the target device.
When the server receives the first device identifier and the second device identifier from the first access device, it is the first access device that initiates the registration of device sharing with the server.
When the server receives the first device identifier and the second device identifier from the second access device, it is the second access device that initiates the registration of device sharing with the server.
In the embodiments of the present invention, the server receives a registration request sent by the first access device or the second access device; the registration request carries the first device identifier and the second device identifier.
Optionally, the registration request does not carry the target device identifier of the target device. In that case the server looks up all target devices associated with the second access device according to the second device identifier and/or the second user identifier corresponding to the second device identifier, and establishes sharing records between the target device identifiers of all those target devices and the first device identifier and second device identifier. A single sharing record may be established covering all the target device identifiers, or a separate sharing record may be established for each target device identifier.
Optionally, the registration request also carries the target device identifier. In that case the server establishes the sharing record among the first device identifier, the second device identifier and the target device identifier carried in the registration request. The registration request may carry at least one target device identifier; the server may establish one sharing record covering all the target device identifiers carried in the request, or a separate sharing record for each target device identifier.
In the embodiments of the present invention, the server stores sharing records in a dedicated resource. Optionally, the resource storing the sharing records is called the device share (deviceshare) resource.
After establishing a new sharing record, the server adds it to the device share resource.
In the embodiments of the present invention, the registration request also carries one of the following items of information:
the first user identifier of the first access device, the second user identifier of the second access device, or a sharing restriction condition; correspondingly, the sharing record also includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, or the sharing restriction condition.
The sharing restriction condition limits the first access device's access rights to the target device. It may be: Only One Time, denoting a single access; Always, denoting permanent access; a sharing time period, denoting access allowed for a period of time; or other conditions. Different sharing restriction conditions may be represented by different sharing identifiers.
Step S402: the server transfers a local sharing credential between the first access device and the second access device.
The local sharing credential is used by the first access device to establish a local connection with the target device, so that once the first access device and the target device have joined the local network they can establish a local connection over that network, and the first access device accesses the target device over the established local connection.
In step S402 the local sharing credential is transferred among the first access device, the second access device and the server. Optionally, the server sends the local sharing credential to the first access device and to the second access device respectively. Optionally, the server receives the local sharing credential from the first access device and forwards it to the second access device. Optionally, the server receives the local sharing credential from the second access device and forwards it to the first access device.
The local sharing credential may be generated by the server, by the first access device or by the second access device.
Optionally, when the local sharing credential is generated by the server, the server sends the generated credential to the first access device and to the second access device respectively, and the second access device configures it on the target device. The first access device and the target device then hold the same local sharing credential, enabling local access.
Optionally, when the local sharing credential is generated by the first access device, the first access device sends the generated credential to the server, the server forwards the received credential to the second access device, and the second access device configures it on the target device. The first access device and the target device then hold the same local sharing credential, enabling local access.
Optionally, when the local sharing credential is generated by the second access device, the second access device sends the generated credential to the server, the server forwards the received credential to the first access device, and the second access device configures the generated credential on the target device. The first access device and the target device then hold the same local sharing credential, enabling local access.
Optionally, when the local sharing credential is generated by the second access device, the second access device configures the generated credential on the target device, the target device sends the credential to the server, and the server forwards the received credential to the first access device. The first access device and the target device then hold the same local sharing credential, enabling local access.
In the embodiments of the present invention, the transfer of the local sharing credential and the establishment of the sharing record may be performed in an interleaved manner, or the sharing record may be established first and the local sharing credential transferred afterwards.
Taking as an example the case where the first access device initiates the registration of device sharing with the server, i.e. the server receives the first device identifier and the second device identifier from the first access device, the flow in which the server establishes the sharing record may be as shown in FIG. 4B and includes:
Step S4011a: the first access device obtains the second device identifier of the second access device.
The first access device may obtain the second device identifier of the second access device through out-of-band means such as device discovery or identifier scanning. Optionally, the scanned identifier is a two-dimensional (QR) code. The embodiments of the present invention place no limitation on the manner or channel by which the first access device obtains the second device identifier.
Step S4012a: the first access device sends the first device identifier of the first access device and the second device identifier to the server.
The first device identifier and the second device identifier are used by the server to establish a sharing record between the first device identifier, the second device identifier and the target device identifier of the target device associated with the second access device; the sharing record is used to share the target device's access permission with the first access device.
Optionally, the first access device generates a registration request according to the first device identifier and the second device identifier; correspondingly, step S4012a includes: the first access device sends the registration request to the server.
Here, the first access device sends the first device identifier and the second device identifier to the server by sending the server a registration request. Optionally, the registration request does not carry the target device identifier. Optionally, the registration request carries the target device identifier.
When the registration request carries the target device identifier, the first access device may obtain the target device identifier of the target device through out-of-band means such as device discovery or identifier scanning. Optionally, the scanned identifier is a two-dimensional (QR) code.
In the embodiments of the present invention, the registration request also carries one of the following items of information:
the first user identifier of the first access device, the second user identifier of the second access device, or a sharing restriction condition; correspondingly, the sharing record also includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, or the sharing restriction condition.
Optionally, after the server receives the registration request from the first access device and establishes the sharing record from the information the request carries, it executes steps S4013a and S4014a as shown in FIG. 4B:
Step S4013a: the server sends a first confirmation request to the second access device.
Step S4014a: upon receiving the first response with which the second access device answers the first confirmation request, the server sets the sharing record to the active state.
Before step S4013a is executed, the sharing record established by the server is in an unavailable, inactive state. When the server receives the first response from the second access device, it sets the established sharing record to the available, active state. From then on the sharing record can be used to control the first access device's access to the target device.
In the embodiments of the present invention, after receiving the first confirmation request from the server, the second access device determines whether it approves sharing the target device's access permission with the first access device and, if it does, returns the first response to the server. Optionally, the first confirmation request carries the first device identifier and the target device identifier; after receiving them, the second access device sets the same sharing record locally. The second access device establishing the same sharing record indicates that it approves sharing the target device's access permission with the first access device, and it answers the server with the first response.
In the embodiments of the present invention, after the server has determined in step S4014a that the second access device approves, step S4015a-1 may be executed as shown in FIG. 4B:
Step S4015a-1: the server sends a first sharing completion notification to the first access device.
The first sharing completion notification instructs the first access device to set the sharing record locally on the first access device.
At this point the first access device performs steps S4015a-1 and S4015a-2:
Step S4015a-1: the first access device receives the first sharing completion notification sent by the server.
Step S4015a-2: triggered by the first sharing completion notification, the first access device sets the sharing record.
Here, the first sharing completion notification informs the first access device that the server has shared the target device's access permission with the first access device. The first access device can establish the sharing record locally in synchronization with the server.
Optionally, the first sharing completion notification carries the sharing record. Optionally, the first sharing completion notification does not carry the sharing record.
In the embodiments of the present invention, after the server has determined in step S4014a that the second access device approves, step S4016a may be executed as shown in FIG. 4B: the server sends a second sharing completion notification to the target device. The second sharing completion notification instructs the target device to set the sharing record locally on the target device.
The target device then receives the second sharing completion notification sent by the server and, triggered by the second sharing completion notification, sets the sharing record.
Here, the second sharing completion notification informs the target device that the server has shared the target device's access permission with the first access device. The target device can establish the sharing record locally in synchronization with the server.
Optionally, the second sharing completion notification carries the sharing record. Optionally, the second sharing completion notification does not carry the sharing record.
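The sharing-record lifecycle of steps S401 through S4016a, together with the local sharing credential of step S402, as an added illustrative model (not the patent's code or any product's implementation). It assumes the server already holds the device-to-User-ID bindings produced by cloud registration and that the server is the party generating the local sharing credential (the first of the four options above); device identifiers and timestamps are constructed sample values. It shows a record built from a registration request with or without target identifiers, the record staying inactive until the second access device's first response, the credential handed to both access devices, and the Only One Time, Always and time-period restrictions enforced on each access.

```python
"""Sharing records for the deviceshare resource, illustrative model."""
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Restriction(Enum):
    ONLY_ONE_TIME = "only_one_time"   # a single access
    ALWAYS = "always"                 # permanent access
    TIME_PERIOD = "time_period"       # access within a (start, end) window


@dataclass
class SharingRecord:
    first_id: str            # first access device (not bound to the target's User ID)
    second_id: str           # second access device (bound to the target's User ID)
    target_ids: frozenset    # one record covering all shared targets
    restriction: Restriction
    period: tuple = None     # (start, end) timestamps for TIME_PERIOD
    active: bool = False     # S4013a/S4014a: inactive until the second device confirms
    consumed: bool = False   # set after the single use of ONLY_ONE_TIME
    local_credential: bytes = None


class SharingServer:
    def __init__(self, bindings):
        self.bindings = dict(bindings)   # device_id -> user_id, from cloud registration
        self.deviceshare = {}            # record_id -> SharingRecord (the deviceshare resource)
        self.pending = {}                # record_id -> second_id awaiting the first response
        self.delivered = {}              # device_id -> local credential handed out in S402

    def register(self, first_id, second_id, target_ids=None,
                 restriction=Restriction.ALWAYS, period=None):
        """S401: build a sharing record from a registration request; returns the
        record id, or None if the request violates the association rules.
        Without target_ids, every device under the second device's User ID is shared."""
        owner = self.bindings.get(second_id)
        requester_user = self.bindings.get(first_id)
        if owner is None or requester_user is None or owner == requester_user:
            return None   # first device must not already be under the target's User ID
        if target_ids is None:
            target_ids = {d for d, u in self.bindings.items() if u == owner and d != second_id}
        if any(self.bindings.get(t) != owner for t in target_ids):
            return None   # a target must be associated with the second access device
        if restriction is Restriction.TIME_PERIOD and period is None:
            return None
        record_id = secrets.token_hex(4)
        self.deviceshare[record_id] = SharingRecord(
            first_id, second_id, frozenset(target_ids), restriction, period)
        self.pending[record_id] = second_id   # S4013a: first confirmation request sent
        return record_id

    def confirm(self, record_id, responder_id):
        """S4014a: only the second access device's first response activates the record.
        S402 (server-generated option): the server then creates the local sharing
        credential and hands it to both access devices; the second one configures
        it on the target device."""
        if self.pending.get(record_id) != responder_id:
            return False
        record = self.deviceshare[record_id]
        record.active = True
        record.local_credential = secrets.token_bytes(16)
        self.delivered[record.first_id] = record.local_credential
        self.delivered[record.second_id] = record.local_credential
        del self.pending[record_id]
        return True

    def authorize(self, first_id, target_id, now):
        """Remote access check: is there an active record that still permits this access?"""
        for record in self.deviceshare.values():
            if (not record.active or record.first_id != first_id
                    or target_id not in record.target_ids):
                continue
            if record.restriction is Restriction.ALWAYS:
                return True
            if record.restriction is Restriction.TIME_PERIOD:
                start, end = record.period
                if start <= now <= end:
                    return True
                continue
            if record.restriction is Restriction.ONLY_ONE_TIME and not record.consumed:
                record.consumed = True   # the single permitted access is used up
                return True
        return False


def local_connect(first_credential, target_credential):
    """Local access: mutual authentication succeeds only when both sides hold the
    same local sharing credential; a constant-time compare avoids timing leaks."""
    if first_credential is None or target_credential is None:
        return False
    return hmac.compare_digest(first_credential, target_credential)
```

Two design points worth noting from the defender's side: the record is useless until the owning device (the second access device) answers the confirmation request, so a registration request from an arbitrary first access device grants nothing on its own; and the Only One Time condition is consumed inside the authorization decision, so a second attempt is refused without any further state kept elsewhere.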
Taking the case where the second access device initiates the device-sharing registration with the server, that is, the server receives the first device identifier and the second device identifier sent by the second access device, the process by which the server establishes the sharing record may be as shown in FIG. 4C and includes:
Step S4011b: the second access device obtains the first device identifier of the first access device.
The second access device may obtain the first device identifier of the first access device through out-of-band means such as device discovery or scanning an identifier. Optionally, the scanned identifier is a two-dimensional code (QR code). The embodiment of the present invention places no limitation on the manner or channel by which the second access device obtains the first device identifier.
Step S4012b: the second access device sends the first device identifier and the second device identifier of the second access device to the server.
The first device identifier and the second device identifier are used by the server to establish a sharing record among the first device identifier, the second device identifier, and the target device identifier of the target device associated with the second access device; the sharing record is used to share the access permission of the target device with the first access device.
Optionally, the second access device generates a registration request according to the first device identifier and the second device identifier; correspondingly, step S4012b includes: the second access device sends the registration request to the server.
Here, the second access device sends the first device identifier and the second device identifier to the server by sending a registration request to the server. Optionally, the registration request does not carry the target device identifier. Optionally, it does.
In the embodiment of the present invention, the registration request further carries one of the following items of information:
the first user identifier of the first access device, the second user identifier of the second access device, or a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, or the sharing restriction condition.
Optionally, after receiving the registration request sent by the second access device and establishing the sharing record according to the information carried in the registration request, the server performs step S4013b and step S4014b as shown in FIG. 4C:
Step S4013b: the server sends a second confirmation request to the first access device and a third confirmation request to the target device, respectively.
Step S4013b includes:
Step S4013b-1: the server sends a second confirmation request to the first access device.
Step S4013b-2: the server sends a third confirmation request to the target device.
Step S4014b: upon receiving the second response with which the first access device answers the second confirmation request, and the third response with which the target device answers the third confirmation request, the server sets the sharing record to the active state.
Step S4014b includes:
Step S4014b-1: the server receives the second response of the first access device to the second confirmation request.
Step S4014b-2: the server receives the third response of the target device to the third confirmation request.
Step S4014b-3: the server sets the sharing record to the active state.
Before step S4013b is performed, the sharing record established by the server is in an inactive, unusable state. Once the server has received the second response from the first access device and the third response from the target device, it sets the established sharing record to the active, usable state. From then on, the sharing record can be used to control the first access device's access to the target device.
In the embodiment of the present invention, after receiving the second confirmation request sent by the server, the first access device confirms whether it approves sharing the access permission of the target device with the first access device and, if so, returns the second response to the server. Optionally, the second confirmation request carries the second device identifier and the target device identifier; having received them, the first access device sets the same sharing record in the first access device. The first access device establishing the same sharing record indicates that it approves sharing the access permission of the target device with the first access device, and it answers the server with the second response.
In the embodiment of the present invention, after receiving the third confirmation request sent by the server, the target device confirms whether it approves sharing the access permission of the target device with the first access device and, if so, returns the third response to the server. Optionally, the third confirmation request carries the first device identifier and the second device identifier; having received them, the target device sets the same sharing record in the target device. The target device establishing the same sharing record indicates that it approves sharing the access permission of the target device with the first access device, and it answers the server with the third response.
In the embodiment of the present invention, after the server has determined on the basis of step S4014b that the first access device and the target device have given their approval, step S4015b-1 may be performed as shown in FIG. 4C:
Step S4015b-1: the server sends a third sharing completion notification to the second access device.
The third sharing completion notification instructs the second access device to set the sharing record locally on the second access device.
At this point the second access device performs step S4015b-1 and step S4015b-2:
Step S4015b-1: the second access device receives the third sharing completion notification sent by the server.
Step S4015b-2: triggered by the third sharing completion notification, the second access device sets the sharing record.
Here, the third sharing completion notification informs the second access device that the server has shared the access permission of the target device with the first access device. The second access device can establish the sharing record locally, in synchrony with the server.
Optionally, the third sharing completion notification carries the sharing record. Optionally, it does not.
In the embodiment of the present invention, when the local sharing credential is generated by the server, step S402 can complete the transfer of the credential between the first access device and the second access device through the message exchange of FIG. 4B or FIG. 4C.
Taking the case where the local sharing credential is generated by the server and the first access device initiates the device-sharing registration, step S402, in which the server transfers the local sharing credential between the first access device and the second access device, includes: the server sends the local sharing credential to the second access device in the first confirmation request, which carries the credential; and the server sends the local sharing credential to the first access device in the first sharing completion notification, which carries the credential.
Here, the first confirmation request of step S4013a and the first sharing completion notification of step S4015a-1 shown in FIG. 4B carry the local sharing credential sent to the second access device and to the first access device, respectively.
In this case, the transfer of the local sharing credential between the first access device and the server includes: the first access device receives the local sharing credential sent by the server through the first sharing completion notification carrying it, the local sharing credential having been generated by the server. The second access device receives the local sharing credential sent by the server through the first confirmation request.
Taking the case where the local sharing credential is generated by the server and the second access device initiates the device-sharing registration, step S402, in which the server transfers the local sharing credential between the first access device and the second access device, includes: the server sends the local sharing credential to the first access device in the second confirmation request, which carries the credential; and the server sends the local sharing credential to the second access device in the third sharing completion notification, which carries the credential.
Here, the second confirmation request of step S4013b-1 and the third sharing completion notification of step S4015b-1 shown in FIG. 4C carry the local sharing credential sent to the first access device and to the second access device, respectively.
In this case, the transfer of the local sharing credential between the second access device and the server includes: the second access device receives the local sharing credential sent by the server through the third sharing completion notification carrying it, the local sharing credential having been generated by the server. The first access device receives the local sharing credential sent by the server through the second confirmation request.
Taking the case where the local sharing credential is generated by the first access device, the transfer of the local sharing credential between the first access device and the server includes: the first access device generates the local sharing credential; the first access device sends the local sharing credential to the server so that the server sends it to the second access device. In this case, the server's transfer of the local sharing credential between the first access device and the second access device includes: the server receives the local sharing credential sent by the first access device; the server sends the local sharing credential to the second access device. The transfer of the local sharing credential between the second access device and the server includes: the second access device receives, from the server, the local sharing credential generated by the first access device.
Taking the case where the local sharing credential is generated by the second access device, the transfer of the local sharing credential between the second access device and the server includes: the second access device generates the local sharing credential; the second access device configures the local sharing credential to the server so that the server sends the local sharing credential to the first access device.
Optionally, the second access device sends the local sharing credential directly to the server. Optionally, the second access device configures the local sharing credential on the target device, and the target device sends it to the server.
In the case where the second access device configures the local sharing credential on the target device and the target device sends it to the server, the server's transfer of the local sharing credential between the first access device and the second access device includes: the server receives the local sharing credential sent by the target device; the server sends the local sharing credential to the first access device. In this case, the transfer of the local sharing credential between the first access device and the server includes: the first access device receives, from the server, the local sharing credential generated by the second access device.
In the embodiment of the present invention, when the local sharing credential received by the server was sent by the first access device, the local sharing credential was generated by the first access device; when the local sharing credential received by the server was sent by the target device, the local sharing credential was generated by the second access device.
In the embodiment of the present invention, the first access device configures, according to the local sharing credential, an access policy for the first access device to access the target device. The second access device configures, according to the local sharing credential, an access policy for the second access device to access the target device.
In the embodiment of the present invention, the first access device generates an access request based on the target device identifier and sends the access request to the server, and the server forwards the access request to the target device if the sharing record exists. That is, the server receives the access request sent by the first access device to access the target device and, if the sharing record exists, forwards the access request to the target device.
When the first access device and the target device are not in the same local network, the first access device can initiate an access request for the target device based on the target device identifier and send it to the server; if the server determines from the sharing record that the access permission of the target device has been shared with the first access device, it sends the access request on to the target device.
When the first access device and the target device are in the same local network, the first access device can establish a local connection with the target device based on the local sharing credential and access the target device over that connection.
The present invention is described in detail below with reference to specific examples. In these examples the target device is Device A; OBT A is the client associated with Device A, that is, the second access device, and Device A and OBT A share the same User ID, User ID A; OBT B is a client not associated with Device A, that is, the first access device, and has its own User ID, User ID B.
Example one
In Example one, OBT A is the initiator of the device-sharing registration and the generator of the local sharing credential.
Step S501: OBT A obtains the device information of OBT B.
The device information of OBT B may include a device identifier and/or a user identifier. Step S501 can be performed out of band, for example by OBT A scanning a two-dimensional code generated by OBT B.
The embodiment of the present invention places no limitation on the channel or manner by which OBT A obtains the device information of OBT B.
Step S502: OBT A initiates a registration request to the cloud.
The information OBT A sends to the cloud (the cloud platform) in the registration request includes: User ID A (optional), the Device ID of OBT A, the Device ID of Device A, User ID B (optional), the Device ID of OBT B, and so on.
The registration request can also carry a sharing restriction, such as Only One Time or Always. The sharing restriction can also be a time restriction, for example 8:00-10:00, or a more complex condition.
The cloud platform generates a sharing record from the information in the registration request. Note that at this point the sharing record has not yet been activated and is therefore not yet usable.
In implementation, a device share (deviceshare) resource can be defined, stored on both the cloud side and the device side, whose purpose is to hold sharing records. The records stored in the cloud can be accessed only by the associated User IDs (for example, User ID A or User ID B).
When the cloud platform receives an access request, it checks the deviceshare resource; if the access target specified in the message is a device with which a sharing relationship exists according to a sharing record, the cloud platform forwards the access request.
The content of a sharing record can be as shown in Table 1.
Table 1
Steps S503 to S504: the cloud obtains the approval of Device A and OBT B.
Step S503 includes step S503-1 and step S503-2.
Step S503-1: the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
The confirmation is performed by adding the same content as in step S502 to the deviceshare resource stored on Device A.
Step S503-2: Device A sends a sharing confirmation to the cloud.
When Device A approves the above registration request, it sends the cloud platform a sharing confirmation answering the confirmation request, that is, the third response.
Step S504-1: the cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
The confirmation is performed by adding the same content as in step S502 to the deviceshare resource stored on OBT B.
Step S504-2: OBT B sends a sharing confirmation to the cloud.
When OBT B approves the above registration request, it sends the cloud platform a sharing confirmation answering the confirmation request, that is, the third response.
Step S505: the cloud changes the sharing attribute of the stored sharing record to true.
After the cloud platform has obtained the approval of Device A and OBT B, it changes the shareenabled attribute of the stored sharing record to true, activating the sharing record.
Optionally, after step S505 the cloud sends requests to Device A and OBT B so that the shareenabled attribute of the sharing records stored on Device A and OBT B is also changed to true.
Step S506: the cloud sends a sharing completion notification to OBT A.
After receiving this notification, OBT A may likewise change the shareenabled attribute of its stored copy of the sharing record to true. At this point OBT B and Device A have established a connection at the application layer, and OBT B can access Device A remotely.
In practice, after step S505 the cloud platform can update the deviceshare resource stored on OBT A with the above sharing record; that is, all of the devices mentioned above hold the same sharing record.
Step S507: OBT A generates a local sharing credential.
After receiving the sharing completion notification from the cloud platform, OBT A initiates the local sharing procedure and generates a local sharing credential. Two devices that hold the local sharing credential can establish a connection with each other.
The local sharing credential may take various forms, such as a PIN code, a shared key, or a certificate.
Step S508: OBT A configures the access policy of Device A.
OBT A uses the local sharing credential generated in step S506 to configure the access policy of Device A.
Taking a shared key as the local sharing credential as an example, the shared key is stored as an access policy of Device A, and when a connection is later established the credential is used by both parties to confirm each other.
Step S508 includes step S508-1 and step S508-2.
Step S508-1: OBT A configures the generated local sharing credential on Device A.
Step S508-2: Device A sends a configuration complete message to OBT A.
Step S509: OBT A shares the local sharing credential with OBT B through the cloud.
After completing the configuration of Device A's access policy, OBT A can share the local sharing credential with OBT B through the cloud platform.
Note that only Device A and OBT B hold this local sharing credential, so the credential can be used only between these two devices.
Step S509 includes step S509-1, step S509-2, step S509-3, step S509-4 and step S509-5.
Step S509-1: Device A notifies the cloud to update the local sharing credential of Device A.
Step S509-2: the cloud notifies OBT B to update the local sharing credential of Device A.
Step S509-3: OBT B completes its self-configuration according to the local sharing credential of Device A.
Step S509-4: OBT B sends a self-configuration complete message to the cloud.
Step S509-5: the cloud forwards the self-configuration complete message sent by OBT B to Device A.
At this point both Device A and OBT B hold the local sharing credential, and Device A and OBT B can establish a connection locally.
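The cloud-side behaviour described in steps S4011b to S4014b and in Example one (an inactive record at registration, activation only after both Device A and OBT B confirm, forwarding of access requests only against an activated record, and cloud records readable only by the associated User IDs) can be modelled in a few lines. The following is an added example, not code from the patent; the names deviceshare and shareenabled come from the page, while the record layout, the "HH:MM-HH:MM" encoding of a time restriction and all function names are this example's own assumptions.

```python
"""Added example: a minimal model of the cloud-side deviceshare resource.
Assumptions (not from the patent): record layout, restriction encoding, and
all class/function names."""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional


@dataclass
class SharingRecord:
    # Identifiers follow the page's example names: OBT A (initiator, second
    # access device), OBT B (accessor, first access device), Device A (target).
    initiator_id: str
    accessor_id: str
    target_id: str
    initiator_user: Optional[str] = None
    accessor_user: Optional[str] = None
    # Sharing restriction carried in the registration request: "Always",
    # "Only One Time", or a daily window written "HH:MM-HH:MM" (assumed encoding).
    restriction: str = "Always"
    shareenabled: bool = False          # record is unusable until activated
    confirmed_by: set = field(default_factory=set)
    uses: int = 0


class CloudDeviceShare:
    """Cloud-side deviceshare resource: sharing records keyed by
    (accessor, target), with registration, confirmation, activation and the
    forwarding check performed on an incoming access request."""

    def __init__(self) -> None:
        self.records: dict[tuple[str, str], SharingRecord] = {}

    def register(self, rec: SharingRecord) -> tuple[str, str]:
        # Step S502: registration creates the record in the inactive state.
        rec.shareenabled = False
        key = (rec.accessor_id, rec.target_id)
        self.records[key] = rec
        return key

    def read(self, key: tuple[str, str], user_id: str) -> SharingRecord:
        # Records stored in the cloud are readable only by the associated User IDs.
        rec = self.records[key]
        if user_id not in (rec.initiator_user, rec.accessor_user):
            raise PermissionError(f"{user_id} is not associated with this record")
        return rec

    def confirm(self, key: tuple[str, str], device_id: str) -> bool:
        # Steps S503/S504: the target device and the accessor each answer their
        # confirmation request; step S505 activates the record once both have.
        rec = self.records[key]
        if device_id not in (rec.target_id, rec.accessor_id):
            return False                     # not a party to this sharing
        rec.confirmed_by.add(device_id)
        if {rec.target_id, rec.accessor_id} <= rec.confirmed_by:
            rec.shareenabled = True
        return rec.shareenabled

    @staticmethod
    def _restriction_permits(rec: SharingRecord, now: time) -> bool:
        r = rec.restriction
        if r == "Always":
            return True
        if r == "Only One Time":
            return rec.uses == 0
        start, end = (time.fromisoformat(t) for t in r.split("-"))
        return start <= now <= end

    def forward_allowed(self, accessor_id: str, target_id: str,
                        now: time = time(12, 0)) -> bool:
        # Check made when the cloud receives an access request: forward only if
        # an activated record exists for this (accessor, target) pair and the
        # sharing restriction still permits it.
        rec = self.records.get((accessor_id, target_id))
        if rec is None or not rec.shareenabled:
            return False
        if not self._restriction_permits(rec, now):
            return False
        rec.uses += 1                         # consumes an "Only One Time" grant
        return True


def example_one_flow() -> CloudDeviceShare:
    # Walk-through of Example one with constructed identifiers.
    cloud = CloudDeviceShare()
    key = cloud.register(SharingRecord(
        initiator_id="OBT-A", accessor_id="OBT-B", target_id="Device-A",
        initiator_user="User-ID-A", accessor_user="User-ID-B",
        restriction="Only One Time"))
    cloud.confirm(key, "Device-A")   # S503-2: Device A's confirmation
    cloud.confirm(key, "OBT-B")      # S504-2: OBT B's confirmation, record activated (S505)
    return cloud
```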
Example two
In Example two, OBT B is the initiator of the device-sharing registration and the generator of the local sharing credential.
Step S601: OBT B obtains the device information of OBT A.
The device information of OBT A may include a device identifier and/or a user identifier. Step S601 can be performed out of band, for example by OBT B scanning a two-dimensional code generated by OBT A.
The embodiment of the present invention places no limitation on the channel or manner by which OBT B obtains the device information of OBT A.
Step S602: OBT B initiates a registration request to the cloud.
The information OBT B sends to the cloud platform in the registration request includes: User ID A (optional), the Device ID of OBT A, the Device ID of Device A, User ID B (optional), the Device ID of OBT B, and so on.
The registration request can also carry a sharing restriction, such as Only One Time or Always. The sharing restriction can also be a time restriction, for example 8:00-10:00, or a more complex condition.
The cloud platform generates a sharing record from the information in the registration request; the sharing restriction in the sharing record can be modified by the OBT. Note that at this point the sharing record has not yet been activated and is therefore not usable.
In implementation, a device share (deviceshare) resource can be defined, stored on both the cloud side and the device side, whose purpose is to hold sharing records. The records stored in the cloud can be accessed only by the associated User IDs (for example, User ID A or User ID B).
When the cloud platform receives an access request, it checks the deviceshare resource; if the access target specified in the message is a device with which a sharing relationship exists according to a sharing record, the cloud platform forwards the access request.
Step S603: the cloud obtains the approval of OBT A.
Step S603 includes step S603-1 and step S603-2.
Step S603-1: the cloud sends a confirmation request to OBT A to confirm whether the above registration request is approved by OBT A.
The confirmation is performed by adding the same content as in step S602 to the deviceshare resource stored on OBT A.
Step S603-2: OBT A sends a sharing confirmation to the cloud.
When OBT A approves the above registration request, it sends the cloud platform a sharing confirmation answering the confirmation request, that is, the first response.
Step S604: the sharing attribute of the sharing record stored in the cloud is changed to true.
After the cloud platform has obtained the approval of OBT A, it changes the shareenabled attribute of the stored sharing record to true, activating the sharing record.
Step S605: the cloud sends a sharing notification to Device A.
The cloud platform sends the sharing notification to Device A; Device A stores the sharing record and changes its shareenabled attribute to true.
Step S606: the cloud sends a sharing completion notification to OBT B.
The cloud platform sends OBT B a sharing completion notification for the registration request of step S602. After receiving it, OBT B may likewise change the shareenabled attribute of its stored copy of the sharing record to true.
At this point OBT B and Device A have established a connection at the application layer, and OBT B can access Device A remotely.
步骤S607,OBT B生成本地分享凭证。In step S607, OBT B generates a local sharing certificate.
OBTB在收到云平台发送的分享完成通知之后,发起本地分享的流程,生成一个本地分享凭证。具有本地分享凭证的两台设备是可以建立连接的。After receiving the notification of completion of sharing from the cloud platform, OBTB initiates a local sharing process and generates a local sharing certificate. Two devices with locally shared credentials can be connected.
本地分享凭证可包括:pin码、共享密钥、证书等各种形式的凭证。Local shared credentials may include various forms of credentials such as pin codes, shared keys, certificates, etc.
步骤S608,OBT B根据Device A的本地分享凭证完成自配置。Step S608, OBT B completes self-configuration according to Device A's local shared credential.
步骤S609,OBT B通知云端更新Device A的本地分享凭证。In step S609, OBT B notifies the cloud to update Device A's local sharing certificate.
步骤S610,云端通知OBT A更新Device A的本地分享凭证。In step S610, the cloud notifies OBT A to update Device A's local sharing certificate.
步骤S611,OBT A配置Device A的访问策略。Step S611: OBT A configures Device A's access policy.
OBT A使用步骤S610接收的本地分享凭证配置Device A的访问策略。OBT A uses the local shared credential received in step S610 to configure the access policy of Device A.
其中,步骤S611包括:步骤S6011-1和步骤S6011-2。Wherein, step S611 includes: step S6011-1 and step S6011-2.
步骤S611-1,OBT A将接收的本地分享凭证配置给Device A。In step S611-1, OBT A configures the received local shared credential to Device A.
步骤S611-2,Device A向OBT A发送配置完成消息。In step S611-2, Device A sends a configuration complete message to OBT A.
步骤S612,OBT A向云端发送的自配置完成消息。Step S612, OBT A sends a self-configuration complete message to the cloud.
步骤S613,云端向OBT B转发OBT A发送自配置完成消息。In step S613, the cloud forwards the self-configuration completion message sent by OBT A to OBT B.
至此,Device A与OBTB都具有了本地分享凭证,DeviceA与OBTB可以在本地建立连接。At this point, both Device A and OBTB have a local shared certificate, and Device A and OBTB can establish a connection locally.
Example three
In Example three, the cloud is the generator of the local sharing credential.
Step S701: OBT A obtains the device information of OBT B.
Step S702: OBT A initiates a registration request to the cloud.
Steps S703 to S704: the cloud confirms the approval of Device A and OBT B.
Step S703 includes step S703-1 and step S703-2.
Step S703-1: the cloud sends a confirmation request to Device A to confirm whether the above registration request is approved by Device A.
Step S703-2: Device A sends a sharing confirmation to the cloud.
Step S704-1: the cloud sends a confirmation request to OBT B to confirm whether the above registration request is approved by OBT B.
The confirmation request that the cloud platform sends to OBT B may carry the local sharing credential.
Step S704-2: OBT B sends a sharing confirmation to the cloud.
Step S705: the sharing attribute of the sharing record stored in the cloud is changed to true.
Step S706: the cloud sends a sharing completion notification to OBT A.
After receiving this notification, OBT A may also change the shareenabled attribute of the corresponding sharing record it stores to true. The sharing completion notification sent by the cloud platform to OBT A also carries the local sharing credential.
At this point, OBT B and Device A have established a connection at the application layer, and OBT B can access Device A remotely.
Step S707: OBT B completes self-configuration according to the received local sharing credential.
Step S708-1: OBT A configures the received local sharing credential on Device A.
Step S708-2: Device A sends a configuration complete message to OBT A.
At this point, both Device A and OBT B hold the local sharing credential, and Device A and OBT B can establish a connection locally.
It should be noted that, in the embodiments of the present invention, the steps shown by dotted lines in FIGS. 5 to 8 are optional.
In practical applications, the remote sharing and local sharing of Example one and Example two can be combined with each other. In the above examples, the registration request may carry only the identifier of OBT A without the identifier of Device A, which indicates that all devices associated with OBT A are shared with OBT B. This can also be extended to sharing multiple devices at once.
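The cloud-side state machine of Example three, as an added illustration that is not part of the patent or of any product code: the cloud keeps the sharing record inactive (shareenabled false) until both Device A and OBT B have confirmed, generates the local sharing credential itself, delivers it in the confirmation request to OBT B and in the sharing completion notification to OBT A, and forwards a remote access request only when an active sharing record grants it. Class and function names, the message shapes and the credential format (a random shared key) are assumptions for illustration; the check that only a party to the record may register it is a defensive addition.

```python
import secrets
from dataclasses import dataclass


@dataclass
class SharingRecord:
    """Sharing record kept by the cloud (names are this example's own)."""
    first_access_device: str    # the access device being granted access (OBT B)
    second_access_device: str   # the owner-side access device (OBT A)
    target_device: str          # the device whose access permission is shared (Device A)
    shareenabled: bool = False  # stays false until every required party has confirmed


class CloudServer:
    """Cloud-side behaviour for Example three (the cloud generates the credential)."""

    def __init__(self):
        self.records = {}       # (first, second, target) -> SharingRecord
        self.credentials = {}   # (first, second, target) -> local sharing credential
        self.pending = {}       # (first, second, target) -> parties still to confirm
        self.outbox = []        # every message the cloud would send, kept for inspection

    def _send(self, to, msg_type, **payload):
        self.outbox.append({"to": to, "type": msg_type, **payload})

    def register(self, sender, first_id, second_id, target_id):
        """Step S702: registration request from OBT A (the second access device)."""
        if sender != second_id:
            # Defensive check (assumption): only the owner-side access device may
            # register a share of its own associated device.
            raise PermissionError(f"{sender} may not register a share for {second_id}")
        key = (first_id, second_id, target_id)
        self.records[key] = SharingRecord(first_id, second_id, target_id)
        # The cloud generates the local sharing credential; here a constructed
        # random shared key (the patent also allows PIN codes or certificates).
        self.credentials[key] = secrets.token_hex(16)
        self.pending[key] = {target_id, first_id}
        # Steps S703-1 and S704-1: confirmation requests; the one sent to OBT B
        # carries the local sharing credential.
        self._send(target_id, "confirm_request", record=key)
        self._send(first_id, "confirm_request", record=key,
                   local_credential=self.credentials[key])
        return key

    def sharing_confirmation(self, key, sender):
        """Steps S703-2 and S704-2: a sharing confirmation from one party.
        Returns True only when the record becomes active."""
        record = self.records[key]
        if sender not in self.pending.get(key, set()):
            return False  # unexpected or duplicate confirmation: ignored
        self.pending[key].discard(sender)
        if self.pending[key]:
            return False  # still waiting for the other party
        # Step S705: activate the record; Step S706: completion notification to
        # OBT A carrying the local sharing credential.
        record.shareenabled = True
        self._send(record.second_access_device, "sharing_completion",
                   record=key, local_credential=self.credentials[key])
        return True

    def forward_access_request(self, sender, target_id):
        """First access unit: forward a remote access request only when an active
        sharing record grants `sender` access to `target_id`; otherwise drop it."""
        for record in self.records.values():
            if (record.first_access_device == sender
                    and record.target_device == target_id
                    and record.shareenabled):
                msg = {"to": target_id, "type": "access_request", "from": sender}
                self.outbox.append(msg)
                return msg
        return None


def run_example_three():
    """Constructed walk-through of steps S702 to S706 with OBT A, OBT B and Device A."""
    cloud = CloudServer()
    key = cloud.register("OBT_A", "OBT_B", "OBT_A", "Device_A")
    before = cloud.forward_access_request("OBT_B", "Device_A")  # dropped: not active yet
    cloud.sharing_confirmation(key, "Device_A")
    mid = cloud.records[key].shareenabled                       # still False
    cloud.sharing_confirmation(key, "OBT_B")
    after = cloud.forward_access_request("OBT_B", "Device_A")   # forwarded
    return cloud, key, before, mid, after


if __name__ == "__main__":
    cloud, key, before, mid, after = run_example_three()
    print("record active:", cloud.records[key].shareenabled)
    for message in cloud.outbox:
        print(message)
```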
To implement the above access control method, an embodiment of the present invention further provides a server 800, serving as the server 304 in FIG. 3. The composition of the server 800, as shown in FIG. 8, includes:
an establishing unit 801, configured to establish a sharing record among the first device identifier of a first access device, the second device identifier of a second access device and the target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
a credential transmission unit 802, configured to transmit a local sharing credential between the first access device and the second access device, the local sharing credential being used by the first access device to establish a local connection with the target device.
In an embodiment of the present invention, the server 800 further includes:
a receiving unit, configured to receive a registration request sent by the first access device or the second access device, the registration request carrying the first device identifier and the second device identifier.
In an embodiment of the present invention, the registration request further carries the target device identifier.
In an embodiment of the present invention, the registration request further carries one of the following:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
In an embodiment of the present invention, the server 800 further includes:
a first confirmation unit, configured to:
in the case that the registration request is sent by the first access device, send a first confirmation request to the second access device; and
upon receiving a first response from the second access device to the first confirmation request, set the sharing record to the active state.
In an embodiment of the present invention, the server 800 further includes a first notification unit, configured to send a first sharing completion notification to the first access device, the first sharing completion notification being used to instruct the first access device to set the sharing record locally on the first access device.
In an embodiment of the present invention, the server 800 further includes:
a second notification unit, configured to send a second sharing completion notification to the target device, the second sharing completion notification being used to instruct the target device to set the sharing record locally on the target device.
In an embodiment of the present invention, the server 800 further includes a second confirmation unit, configured to:
in the case that the registration request is sent by the second access device, send a second confirmation request to the first access device and a third confirmation request to the target device; and
upon receiving a second response from the first access device to the second confirmation request and a third response from the target device to the third confirmation request, set the sharing record to the active state.
In an embodiment of the present invention, the server 800 further includes:
a third notification unit, configured to send a third sharing completion notification to the second access device, the third sharing completion notification being used to instruct the second access device to set the sharing record locally on the second access device.
In an embodiment of the present invention, the credential transmission unit 802 is further configured to:
in the case that the server generates the local sharing credential,
send the local sharing credential to the second access device in a first confirmation request carrying the local sharing credential; and
send the local sharing credential to the first access device in the first sharing completion notification carrying the local sharing credential.
In an embodiment of the present invention, the credential transmission unit 802 is further configured to, in the case that the server generates the local sharing credential:
send the local sharing credential to the first access device in a second confirmation request carrying the local sharing credential; and
send the local sharing credential to the second access device in a third sharing completion notification carrying the local sharing credential.
In an embodiment of the present invention, the credential transmission unit 802 is further configured to:
receive a local sharing credential sent by the first access device or the target device; and
send the local sharing credential to the second access device or the first access device, respectively.
In an embodiment of the present invention,
in the case that the received local sharing credential is sent by the first access device, the local sharing credential is generated by the first access device; or
in the case that the received local sharing credential is sent by the target device, the local sharing credential is generated by the second access device.
In an embodiment of the present invention, the server 800 further includes:
a first access unit, configured to:
receive an access request sent by the first access device for accessing the target device; and
forward the access request to the target device if the sharing record exists.
An embodiment of the present invention further provides a server, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the server described above.
An embodiment of the present invention further provides an access device 900, serving as the first access device 301 in FIG. 3. A schematic diagram of the composition of the access device 900 is shown in FIG. 9; it includes:
a first obtaining unit 901, configured to obtain a second device identifier of a second access device;
a first sending unit 902, configured to send the first device identifier of the first access device and the second device identifier to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and the target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
a first transmission unit 903, configured to transmit a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
In an embodiment of the present invention, the access device 900 further includes:
a first generating unit, configured to generate a registration request according to the first device identifier and the second device identifier;
correspondingly, the first sending unit is configured to send the registration request to the server.
In an embodiment of the present invention, the registration request further carries the target device identifier.
In an embodiment of the present invention, the registration request further carries one of the following:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
In an embodiment of the present invention, the access device 900 further includes a first setting unit, configured to:
receive a first sharing completion notification sent by the server; and
set the sharing record when triggered by the first sharing completion notification.
In an embodiment of the present invention, the first transmission unit 903 is further configured to receive the local sharing credential sent by the server in the first sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
In an embodiment of the present invention, the first transmission unit 903 is further configured to:
generate the local sharing credential; and
send the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
In an embodiment of the present invention, the first transmission unit 903 is further configured to receive the local sharing credential generated by the second access device and sent by the server.
In an embodiment of the present invention, the access device 900 further includes:
a second access unit, configured to generate an access request based on the target device identifier and send the access request to the server, the server forwarding the access request to the target device if the sharing record exists.
In an embodiment of the present invention, the access device 900 further includes:
a first configuration unit, configured to configure, according to the local sharing credential, an access policy used by the access device to access the target device.
An embodiment of the present invention further provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the access device 900 described above.
An embodiment of the present invention further provides an access device 1000, serving as the second access device 302 in FIG. 3. A schematic diagram of the composition of the access device 1000 is shown in FIG. 10; it includes:
a second obtaining unit 1001, configured to obtain a first device identifier of a first access device;
a second sending unit 1002, configured to send the first device identifier and the second device identifier of the second access device to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and the target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
a second transmission unit 1003, configured to transmit a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
In an embodiment of the present invention, the access device 1000 further includes:
a second generating unit, configured to generate a registration request according to the first device identifier and the second device identifier;
correspondingly, the second sending unit is configured to send the registration request to the server.
In an embodiment of the present invention, the registration request further carries the target device identifier.
In an embodiment of the present invention, the registration request further carries one of the following:
a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition;
correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
In an embodiment of the present invention, the access device 1000 further includes a second setting unit, configured to:
receive a third sharing completion notification sent by the server; and
set the sharing record when triggered by the third sharing completion notification.
In an embodiment of the present invention, the second transmission unit 1003 is further configured to receive the local sharing credential sent by the server in the third sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
In an embodiment of the present invention, the second transmission unit 1003 is further configured to:
generate the local sharing credential; and
send the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
In an embodiment of the present invention, the second transmission unit 1003 is further configured to receive the local sharing credential generated by the first access device and sent by the server.
In an embodiment of the present invention, the access device 1000 further includes:
a second configuration unit, configured to configure, according to the local sharing credential, an access policy used by the second access device to access the target device.
An embodiment of the present invention further provides an access device, including a processor and a memory for storing a computer program that can run on the processor, where the processor, when running the computer program, performs the steps of the access control method performed by the access device 1000 described above.
FIG. 11 is a schematic diagram of the hardware composition of an electronic device (an access device or a server) according to an embodiment of the present invention. The electronic device 1100 includes at least one processor 1101, a memory 1102 and at least one network interface 1104. The components of the electronic device 1100 are coupled together through a bus system 1105. It can be understood that the bus system 1105 is used to implement connection and communication between these components. In addition to a data bus, the bus system 1105 also includes a power bus, a control bus and a status signal bus. For clarity of description, however, the various buses are all labelled as the bus system 1105 in FIG. 11.
It can be understood that the memory 1102 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory. The non-volatile memory may be a ROM, a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a Random Access Memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The memory 1102 described in the embodiments of the present invention is intended to include, but is not limited to, these and any other suitable types of memory.
本发明实施例中的存储器1102用于存储各种类型的数据以支持电子设备1100的操作。这些数据的示例包括:用于在电子设备1100上操作的任何计算机程序,如应用程序11021。实现本发明实施例方法的程序可以包含在应用程序11021中。The memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 1100. Examples of such data include: any computer program used to operate on the electronic device 1100, such as an application program 11021. The program for implementing the method of the embodiment of the present invention may be included in the application program 11021.
上述本发明实施例揭示的方法可以应用于处理器1101中,或者由处理器1101实现。处理器1101可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器1101中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器1101可以是通用处理器、数字信号处理器(DSP,Digital Signal Processor),或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。处理器1101可以实现或者执行本发明实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本发明实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于存储器1102,处理器1101读取存储器1102中的信息,结合其硬件完成前述方法的步骤。The method disclosed in the foregoing embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101. The processor 1101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method can be completed by an integrated logic circuit of hardware in the processor 1101 or instructions in the form of software. The aforementioned processor 1101 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like. The processor 1101 may implement or execute various methods, steps, and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the memory 1102. The processor 1101 reads the information in the memory 1102, and completes the steps of the foregoing method in combination with its hardware.
在示例性实施例中,电子设备1100可以被一个或多个应用专用集成电路(ASIC,Application Specific Integrated Circuit)、DSP、可编程逻辑器件(PLD,Programmable Logic Device)、复杂可编程逻辑器件(CPLD,Complex Programmable Logic Device)、FPGA、通用处理器、控制器、MCU、MPU、或其他电子元件实现,用于执行前述方法。In an exemplary embodiment, the electronic device 1100 may be used by one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSP, programmable logic device (PLD, Programmable Logic Device), and complex programmable logic device (CPLD). , Complex Programmable Logic Device), FPGA, general-purpose processor, controller, MCU, MPU, or other electronic components to implement the foregoing method.
本发明实施例还提供了一种存储介质,用于存储计算机程序。The embodiment of the present invention also provides a storage medium for storing computer programs.
可选的,该存储介质可应用于本发明实施例中的服务器,并且该计算机程序使得计算机执行本发明实施例的各个方法中的相应流程,为了简洁,在此不再赘述。Optionally, the storage medium may be applied to the server in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention. For brevity, details are not described herein again.
可选的,该存储介质可应用于本发明实施例中的访问设备,并且该计算机程序使得计算机执行本发明实施例的各个方法中的相应流程,为了简洁,在此不再赘述。Optionally, the storage medium can be applied to the access device in the embodiment of the present invention, and the computer program causes the computer to execute the corresponding process in each method of the embodiment of the present invention. For brevity, details are not described herein again.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowchart and/or block diagram, and the combination of processes and/or blocks in the flowchart and/or block diagram can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to generate a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment are generated It is a device that realizes the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device. The device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment. The instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
The above are merely embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and scope of the present invention falls within the protection scope of the present invention.
Claims (72)
- 1. An access control method, comprising:
  a server establishing a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  the server transmitting a local sharing credential between the first access device and the second access device, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 2. The method according to claim 1, wherein the method further comprises: the server receiving a registration request sent by the first access device or the second access device, the registration request carrying the first device identifier and the second device identifier.
- 3. The method according to claim 2, wherein the registration request further carries the target device identifier.
- 4. The method according to claim 2 or 3, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 5. The method according to any one of claims 2 to 4, wherein, in the case that the registration request is sent by the first access device, the method further comprises:
  the server sending a first confirmation request to the second access device;
  the server, upon receiving a first response from the second access device to the first confirmation request, setting the sharing record to an activated state.
- 6. The method according to claim 5, wherein the method further comprises: the server sending a first sharing completion notification to the first access device, the first sharing completion notification being used to instruct the first access device to set the sharing record locally on the first access device.
- 7. The method according to claim 5, wherein the method further comprises: the server sending a second sharing completion notification to the target device, the second sharing completion notification being used to instruct the target device to set the sharing record locally on the target device.
- 8. The method according to any one of claims 2 to 4, wherein, in the case that the registration request is sent by the second access device, the method further comprises:
  the server sending a second confirmation request to the first access device and a third confirmation request to the target device;
  the server, upon receiving a second response from the first access device to the second confirmation request and a third response from the target device to the third confirmation request, setting the sharing record to an activated state.
- 9. The method according to claim 8, wherein the method further comprises: the server sending a third sharing completion notification to the second access device, the third sharing completion notification being used to instruct the second access device to set the sharing record locally on the second access device.
- 10. The method according to claim 6, wherein, in the case that the server generates the local sharing credential, the server transmitting the local sharing credential between the first access device and the second access device comprises:
  the server sending the local sharing credential to the second access device by means of the first confirmation request carrying the local sharing credential;
  the server sending the local sharing credential to the first access device by means of the first sharing completion notification carrying the local sharing credential.
- 11. The method according to claim 9, wherein, in the case that the server generates the local sharing credential, the server transmitting the local sharing credential between the first access device and the second access device comprises:
  the server sending the local sharing credential to the first access device by means of the second confirmation request carrying the local sharing credential;
  the server sending the local sharing credential to the second access device by means of the third sharing completion notification carrying the local sharing credential.
- 12. The method according to any one of claims 1 to 9, wherein the server transmitting the local sharing credential between the first access device and the second access device comprises:
  the server receiving the local sharing credential sent by the first access device or by the target device;
  the server sending the local sharing credential to the second access device or to the first access device, respectively.
- 13. The method according to claim 12, wherein, in the case that the local sharing credential received by the server is sent by the first access device, the local sharing credential is generated by the first access device; or, in the case that the local sharing credential received by the server is sent by the target device, the local sharing credential is generated by the second access device.
- 14. The method according to any one of claims 1 to 13, wherein the method further comprises:
  the server receiving an access request sent by the first access device for accessing the target device;
  in the case that the sharing record exists, the server forwarding the access request to the target device.
- 15. An access control method, comprising:
  a first access device acquiring a second device identifier of a second access device;
  the first access device sending a first device identifier of the first access device and the second device identifier to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  the first access device transmitting a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 16. The method according to claim 15, wherein the method further comprises: the first access device generating a registration request according to the first device identifier and the second device identifier; correspondingly, the first access device sending the first device identifier of the first access device and the second device identifier to the server comprises: the first access device sending the registration request to the server.
- 17. The method according to claim 16, wherein the registration request further carries the target device identifier.
- 18. The method according to claim 16 or 17, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 19. The method according to any one of claims 16 to 18, wherein the method further comprises:
  the first access device receiving a first sharing completion notification sent by the server;
  the first access device setting the sharing record, triggered by the first sharing completion notification.
- 20. The method according to claim 19, wherein the first access device transmitting the local sharing credential with the server comprises: the first access device receiving the local sharing credential sent by the server by means of the first sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
- 21. The method according to any one of claims 15 to 19, wherein the first access device transmitting the local sharing credential with the server comprises:
  the first access device generating the local sharing credential;
  the first access device sending the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
- 22. The method according to any one of claims 15 to 19, wherein the first access device transmitting the local sharing credential with the server comprises: the first access device receiving the local sharing credential generated by the second access device and sent by the server.
- 23. The method according to any one of claims 15 to 22, wherein the method further comprises: the first access device generating an access request based on the target device identifier and sending the access request to the server, the server forwarding the access request to the target device in the case that the sharing record exists.
- 24. The method according to any one of claims 15 to 23, wherein the method further comprises: the first access device configuring, according to the local sharing credential, an access policy for the first access device to access the target device.
- 25. An access control method, comprising:
  a second access device acquiring a first device identifier of a first access device;
  the second access device sending the first device identifier and a second device identifier of the second access device to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  the second access device transmitting a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 26. The method according to claim 25, wherein the method further comprises: the second access device generating a registration request according to the first device identifier and the second device identifier; correspondingly, the second access device sending the first device identifier and the second device identifier of the second access device to the server comprises: the second access device sending the registration request to the server.
- 27. The method according to claim 26, wherein the registration request further carries the target device identifier.
- 28. The method according to claim 26 or 27, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 29. The method according to any one of claims 26 to 28, wherein the method further comprises:
  the second access device receiving a third sharing completion notification sent by the server;
  the second access device setting the sharing record, triggered by the third sharing completion notification.
- 30. The method according to claim 29, wherein the second access device transmitting the local sharing credential with the server comprises: the second access device receiving the local sharing credential sent by the server by means of the third sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
- 31. The method according to any one of claims 25 to 29, wherein the second access device transmitting the local sharing credential with the server comprises:
  the second access device generating the local sharing credential;
  the second access device configuring the local sharing credential on the target server, so that the server sends the local sharing credential to the first access device.
- 32. The method according to any one of claims 25 to 29, wherein the second access device transmitting the local sharing credential with the server comprises: the second access device receiving the local sharing credential generated by the first access device and sent by the server.
- 33. The method according to any one of claims 25 to 32, wherein the method further comprises: the second access device configuring, according to the local sharing credential, an access policy for the second access device to access the target device.
- 34. A server, comprising:
  an establishing unit, configured to establish a sharing record among a first device identifier of a first access device, a second device identifier of a second access device and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  a credential transmission unit, configured to transmit a local sharing credential between the first access device and the second access device, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 35. The server according to claim 34, wherein the server further comprises: a receiving unit, configured to receive a registration request sent by the first access device or the second access device, the registration request carrying the first device identifier and the second device identifier.
- 36. The server according to claim 35, wherein the registration request further carries the target device identifier.
- 37. The server according to claim 35 or 36, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 38. The server according to any one of claims 35 to 37, wherein the server further comprises a first confirmation unit, configured to:
  in the case that the registration request is sent by the first access device, send a first confirmation request to the second access device;
  upon receiving a first response from the second access device to the first confirmation request, set the sharing record to an activated state.
- 39. The server according to claim 38, wherein the server further comprises: a first notification unit, configured to send a first sharing completion notification to the first access device, the first sharing completion notification being used to instruct the first access device to set the sharing record locally on the first access device.
- 40. The server according to claim 38, wherein the server further comprises: a second notification unit, configured to send a second sharing completion notification to the target device, the second sharing completion notification being used to instruct the target device to set the sharing record locally on the target device.
- 41. The server according to any one of claims 35 to 37, wherein the server further comprises a second confirmation unit, configured to:
  in the case that the registration request is sent by the second access device, send a second confirmation request to the first access device and a third confirmation request to the target device;
  upon receiving a second response from the first access device to the second confirmation request and a third response from the target device to the third confirmation request, set the sharing record to an activated state.
- 42. The server according to claim 41, wherein the server further comprises: a third notification unit, configured to send a third sharing completion notification to the second access device, the third sharing completion notification being used to instruct the second access device to set the sharing record locally on the second access device.
- 43. The server according to claim 39, wherein the credential transmission unit is further configured to, in the case that the server generates the local sharing credential:
  send the local sharing credential to the second access device by means of the first confirmation request carrying the local sharing credential;
  send the local sharing credential to the first access device by means of the first sharing completion notification carrying the local sharing credential.
- 44. The server according to claim 42, wherein the credential transmission unit is further configured to, in the case that the server generates the local sharing credential:
  send the local sharing credential to the first access device by means of the second confirmation request carrying the local sharing credential;
  send the local sharing credential to the second access device by means of the third sharing completion notification carrying the local sharing credential.
- 45. The server according to any one of claims 34 to 42, wherein the credential transmission unit is further configured to:
  receive the local sharing credential sent by the first access device or by the target device;
  send the local sharing credential to the second access device or to the first access device, respectively.
- 46. The server according to claim 45, wherein, in the case that the received local sharing credential is sent by the first access device, the local sharing credential is generated by the first access device; or, in the case that the received local sharing credential is sent by the target device, the local sharing credential is generated by the second access device.
- 47. The server according to any one of claims 34 to 46, wherein the server further comprises a first access unit, configured to:
  receive an access request sent by the first access device for accessing the target device;
  in the case that the sharing record exists, forward the access request to the target device.
- 48. An access device, comprising:
  a first acquiring unit, configured to acquire a second device identifier of a second access device;
  a first sending unit, configured to send a first device identifier of the first access device and the second device identifier to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  a first transmission unit, configured to transmit a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 49. The access device according to claim 48, wherein the access device further comprises: a first generating unit, configured to generate a registration request according to the first device identifier and the second device identifier; correspondingly, the first sending unit is configured to send the registration request to the server.
- 50. The access device according to claim 49, wherein the registration request further carries the target device identifier.
- 51. The access device according to claim 49 or 50, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 52. The access device according to any one of claims 49 to 51, wherein the access device further comprises a first setting unit, configured to:
  receive a first sharing completion notification sent by the server;
  set the sharing record, triggered by the first sharing completion notification.
- 53. The access device according to claim 52, wherein the first transmission unit is further configured to receive the local sharing credential sent by the server by means of the first sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
- 54. The access device according to any one of claims 48 to 52, wherein the first transmission unit is further configured to:
  generate the local sharing credential;
  send the local sharing credential to the server, so that the server sends the local sharing credential to the second access device.
- 55. The access device according to any one of claims 48 to 52, wherein the first transmission unit is further configured to receive the local sharing credential generated by the second access device and sent by the server.
- 56. The access device according to any one of claims 48 to 55, wherein the access device further comprises: a second access unit, configured to generate an access request based on the target device identifier and send the access request to the server, the server forwarding the access request to the target device in the case that the sharing record exists.
- 57. The access device according to any one of claims 48 to 56, wherein the access device further comprises: a first configuration unit, configured to configure, according to the local sharing credential, an access policy for the access device to access the target device.
- 58. An access device, comprising:
  a second acquiring unit, configured to acquire a first device identifier of a first access device;
  a second sending unit, configured to send the first device identifier and a second device identifier of the second access device to a server, the first device identifier and the second device identifier being used by the server to establish a sharing record among the first device identifier, the second device identifier and a target device identifier of a target device associated with the second access device, the sharing record being used to share the access permission of the target device with the first access device;
  a second transmission unit, configured to transmit a local sharing credential with the server, the local sharing credential being used by the first access device to establish a local connection with the target device.
- 59. The access device according to claim 58, wherein the access device further comprises: a second generating unit, configured to generate a registration request according to the first device identifier and the second device identifier; correspondingly, the second sending unit is configured to send the registration request to the server.
- 60. The access device according to claim 59, wherein the registration request further carries the target device identifier.
- 61. The access device according to claim 59 or 60, wherein the registration request further carries one of the following: a first user identifier of the first access device, a second user identifier of the second access device, and a sharing restriction condition; correspondingly, the sharing record further includes one of the following: the first user identifier of the first access device, the second user identifier of the second access device, and the sharing restriction condition.
- 62. The access device according to any one of claims 59 to 60, wherein the access device further comprises a second setting unit, configured to:
  receive a third sharing completion notification sent by the server;
  set the sharing record, triggered by the third sharing completion notification.
- 63. The access device according to claim 62, wherein the second transmission unit is further configured to receive the local sharing credential sent by the server by means of the third sharing completion notification carrying the local sharing credential, the local sharing credential being generated by the server.
- 根据权利要求58至62任一项所述的访问设备,其中,所述第二传输单元,还配置为:The access device according to any one of claims 58 to 62, wherein the second transmission unit is further configured to:生成所述本地分享凭证;Generating the local sharing certificate;将所述本地分享凭证发送至所述服务器,以使得所述服务器将所述本地分享凭证发送至所述第一访问设备。Sending the local sharing credential to the server, so that the server sends the local sharing credential to the first access device.
- 根据权利要求58至62任一项所述的访问设备,其中,所述第二传输单元,还配置为接收所述服务器发送的所述第一访问设备生成的本地分享凭证。The access device according to any one of claims 58 to 62, wherein the second transmission unit is further configured to receive a local sharing credential generated by the first access device and sent by the server.
- 根据权利要求58至65任一项所述的访问设备,其中,所述访问设备还包括:The access device according to any one of claims 58 to 65, wherein the access device further comprises:第二配置单元,配置为根据所述本地分享凭证配置用于所述第二访问设备对所述目标设备进行访问的访问策略。The second configuration unit is configured to configure an access policy for the second access device to access the target device according to the local shared credential.
- 一种服务器,包括处理器和用于存储能够在处理器上运行的计算机程序的存储器,其中,A server including a processor and a memory for storing computer programs that can run on the processor, wherein:所述处理器用于运行所述计算机程序时,执行权利要求1至14任一项所述的访问控制方法的步骤。When the processor is used to run the computer program, it executes the steps of the access control method according to any one of claims 1 to 14.
- 一种访问设备,包括处理器和用于存储能够在处理器上运行的计算机程序的存储器,其中,An access device, including a processor and a memory for storing a computer program that can run on the processor, wherein:所述处理器用于运行所述计算机程序时,执行权利要求15至24任一项所述的访问控制方法的步骤。When the processor is used to run the computer program, it executes the steps of the access control method according to any one of claims 15 to 24.
- 一种访问设备,包括处理器和用于存储能够在处理器上运行的计算机程序的存储器,其中,An access device, including a processor and a memory for storing a computer program that can run on the processor, wherein:所述处理器用于运行所述计算机程序时,执行权利要求25至33任一项所述的访问控制方法的步骤。When the processor is used to run the computer program, it executes the steps of the access control method according to any one of claims 25 to 33.
- 一种存储介质,存储有可执行程序,所述可执行程序被处理器执行时,实现权利要求1至14任一项所述的访问控制方法。A storage medium storing an executable program, and when the executable program is executed by a processor, the access control method according to any one of claims 1 to 14 is implemented.
- 一种存储介质,存储有可执行程序,所述可执行程序被处理器执行时,实现权利要求15至24任一项所述的访问控制方法。A storage medium storing an executable program, and when the executable program is executed by a processor, the access control method according to any one of claims 15 to 24 is implemented.
- 一种存储介质,存储有可执行程序,所述可执行程序被处理器执行时,实现权利要求25至33任一项所述的访问控制方法。A storage medium storing an executable program, and when the executable program is executed by a processor, the access control method according to any one of claims 25 to 33 is implemented.
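The registration request, sharing record, local sharing credential and access policy named in the claims above, modelled end to end as an added example. This is illustration written for this page, not the patent applicant's code, and everything beyond the claim wording is an assumption: the roles (first access device = the sharing user's device, second access device = the device being granted access, read off claim 66), the server-generated credential variant of claim 63, the JSON field names, a random 256-bit credential with an HMAC-SHA256 tag over each local request, a sharing restriction shaped as an allowed-operation list plus an expiry, an ownership check on the server that the claims do not state, and the first access device acting as the verifier on the target device's behalf. The identities and timestamps are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class RegistrationRequest:
    # Field names are assumptions; the claims only name the identifiers carried.
    first_device_id: str                        # assumed: the sharing user's access device
    second_device_id: str                       # assumed: the access device being granted access
    target_device_id: str                       # the IoT device whose access is shared
    first_user_id: Optional[str] = None
    second_user_id: Optional[str] = None
    sharing_restriction: Optional[dict] = None  # assumed shape: {"ops": [...], "expires_at": unix time}


class SharingServer:
    """Stores sharing records and mints the local sharing credential (server-generated variant)."""

    def __init__(self) -> None:
        self.owners: dict[str, str] = {}            # target_device_id -> user id it is registered under
        self.records: dict[tuple[str, str], dict] = {}
        self.outbox: list[tuple[str, dict]] = []    # (recipient device id, message) to deliver

    def register_target(self, target_device_id: str, user_id: str) -> None:
        self.owners[target_device_id] = user_id

    def handle_registration(self, req: RegistrationRequest) -> dict:
        # Assumed check (not stated in the claims): only the user the target device is
        # registered under may share it; a real server would authenticate that binding.
        if self.owners.get(req.target_device_id) != req.first_user_id:
            raise PermissionError("target device is not registered under first_user_id")
        record = asdict(req)                        # the sharing record carries the request's fields
        self.records[(req.second_device_id, req.target_device_id)] = record
        credential = secrets.token_hex(32)          # 256-bit random local sharing credential
        notice = {"type": "sharing_complete", "record": record, "local_sharing_credential": credential}
        self.outbox.append((req.first_device_id, notice))   # same credential goes to the first device
        return notice                               # sharing completion notification for the requester


class AccessDevice:
    def __init__(self, device_id: str, user_id: str) -> None:
        self.device_id, self.user_id = device_id, user_id
        self.sharing_records: list[dict] = []
        self.policy: dict[str, dict] = {}           # target_device_id -> local access policy

    def on_sharing_complete(self, notice: dict) -> None:
        """Set the sharing record and configure the local access policy from the credential."""
        record = notice["record"]
        self.sharing_records.append(record)
        self.policy[record["target_device_id"]] = {
            "requester": record["second_device_id"],
            "restriction": record["sharing_restriction"] or {},
            "credential": bytes.fromhex(notice["local_sharing_credential"]),
        }

    @staticmethod
    def _tag(key: bytes, body: dict) -> str:
        return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def build_local_request(self, target_device_id: str, op: str, now: Optional[int] = None) -> dict:
        body = {"from": self.device_id, "target": target_device_id, "op": op,
                "ts": int(time.time() if now is None else now)}
        return {"body": body, "tag": self._tag(self.policy[target_device_id]["credential"], body)}

    def verify_local_request(self, req: dict, now: Optional[int] = None) -> bool:
        body = req["body"]
        pol = self.policy.get(body["target"])
        if pol is None or pol["requester"] != body["from"]:
            return False                            # no sharing record for this requester/target
        if not hmac.compare_digest(self._tag(pol["credential"], body), req["tag"]):
            return False                            # wrong credential or tampered body
        restriction = pol["restriction"]
        if "ops" in restriction and body["op"] not in restriction["ops"]:
            return False                            # operation outside the sharing restriction
        expires = restriction.get("expires_at")
        return expires is None or (time.time() if now is None else now) <= expires


def run_sharing_flow(now: int = 1_700_000_000) -> dict:
    """End-to-end flow over constructed sample identities; returns the verification outcomes."""
    server = SharingServer()
    first = AccessDevice("dev-A", "alice")      # sharing user's device (constructed)
    second = AccessDevice("dev-B", "bob")       # device being granted local access (constructed)
    server.register_target("lamp-1", "alice")
    req = RegistrationRequest("dev-A", "dev-B", "lamp-1", "alice", "bob",
                              {"ops": ["read"], "expires_at": now + 3600})
    second.on_sharing_complete(server.handle_registration(req))
    for recipient, msg in server.outbox:
        if recipient == first.device_id:
            first.on_sharing_complete(msg)
    tampered = second.build_local_request("lamp-1", "read", now)
    tampered["body"]["op"] = "write"            # body altered after tagging
    return {
        "read_ok": first.verify_local_request(second.build_local_request("lamp-1", "read", now), now),
        "write_denied": not first.verify_local_request(second.build_local_request("lamp-1", "write", now), now),
        "expired_denied": not first.verify_local_request(second.build_local_request("lamp-1", "read", now), now + 7200),
        "tamper_denied": not first.verify_local_request(tampered, now),
    }
```

The point the claims leave open, and that any deployment has to settle, is what the "local sharing credential" actually is: here it is a symmetric secret held by both access devices, so whoever enforces the local policy must receive it over an authenticated channel from the server, and the sharing restriction is only as good as the verifier's clock and its copy of the record.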
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201980095168.6A CN113678127B (en) | 2019-08-30 | 2019-08-30 | Access control method, server, access device and storage medium |
PCT/CN2019/103862 WO2021035740A1 (en) | 2019-08-30 | 2019-08-30 | Access control method, server, access device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2019/103862 WO2021035740A1 (en) | 2019-08-30 | 2019-08-30 | Access control method, server, access device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021035740A1 true WO2021035740A1 (en) | 2021-03-04 |
Family
ID=74684447
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/103862 WO2021035740A1 (en) | 2019-08-30 | 2019-08-30 | Access control method, server, access device and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113678127B (en) |
WO (1) | WO2021035740A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023240587A1 (en) * | 2022-06-17 | 2023-12-21 | Oppo广东移动通信有限公司 | Device permission configuration method and apparatus, and terminal device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105187377A (en) * | 2015-06-25 | 2015-12-23 | 联想(北京)有限公司 | Data processing method, data processing device, data access method and data access device |
CN106468886A (en) * | 2016-09-30 | 2017-03-01 | 海尔优家智能科技(北京)有限公司 | A kind of method and apparatus of third-party control devices |
US20170366558A1 (en) * | 2015-03-07 | 2017-12-21 | Huawei Technologies Co., Ltd. | Verification method, apparatus, and system used for network application access |
CN108595941A (en) * | 2018-03-30 | 2018-09-28 | 联想(北京)有限公司 | A kind of data processing method, system and electronic equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AP2013006967A0 (en) * | 2011-01-13 | 2013-07-31 | Infosys Ltd | System and method for accessing integrated applications in a single sign-on enabled enterprise solution |
2019
- 2019-08-30 CN CN201980095168.6A patent/CN113678127B/en active Active
- 2019-08-30 WO PCT/CN2019/103862 patent/WO2021035740A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN113678127B (en) | 2024-05-31 |
CN113678127A (en) | 2021-11-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021197347A1 (en) | Communication system, method and apparatus | |
CN108476226B (en) | Application authorization method, terminal and server | |
CN110046001B (en) | A method and device for withdrawing authorization | |
CN107637011B (en) | Self-configuration key management system for internet of things network | |
CN113169970B (en) | An access control method, device and storage medium | |
CN110519760B (en) | Network access method, device, device and storage medium | |
CN103858457A (en) | Multi-hop single sign-on (sso) for identity provider (idp) roaming/proxy | |
KR20070108365A (en) | Remote access system and method for allowing a user to remotely access a terminal device from a subscriber terminal | |
TW201345217A (en) | Identity management with local functionality | |
CN112311543B (en) | GBA key generation method, terminal and NAF network element | |
CN107205208B (en) | Authentication method, terminal and server | |
WO2022110843A1 (en) | Communication system, communication method and communication apparatus | |
CN115136631A (en) | Method for providing communication function in user equipment | |
WO2022116695A1 (en) | Method and apparatus for sending user identifier | |
WO2021047403A1 (en) | Authorization method and device in a plurality of nrf scenarios | |
EP2741465A1 (en) | Method and device for managing secure communications in dynamic network environments | |
WO2022110836A1 (en) | Communication method and communication apparatus | |
WO2021035740A1 (en) | Access control method, server, access device and storage medium | |
CN112887965A (en) | Method and device for sending user identification | |
CN118827017A (en) | Confidential communication method, key distribution center, equipment, medium and product | |
WO2023040611A1 (en) | Communication method and related apparatus | |
WO2016090927A1 (en) | Management method and system for sharing wlan and wlan sharing registration server | |
CN116528234A (en) | Virtual machine security and credibility verification method and device | |
CN114640992B (en) | Method and device for updating user identity | |
WO2023124680A1 (en) | Subscription management method and related apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19943544; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 19943544; Country of ref document: EP; Kind code of ref document: A1 |