WO2023116028A1 - Cross-domain access method on blockchain and server - Google Patents
Cross-domain access method on blockchain and server
- Publication number
- WO2023116028A1 (PCT/CN2022/115786)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- domain
- resource
- server
- access
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- The present application relates to the technical field of blockchain, and in particular to a cross-domain access method on the blockchain and a server.
- The blockchain can be divided into a public chain and a permissioned chain, and the permissioned chain can be divided into a consortium chain and a private chain according to whether the data maintainer is a single entity.
- this application provides a cross-domain access method and server on the blockchain, as follows:
- the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain, the second node is not in the first domain;
- the record information corresponding to the resource access request is recorded in the record list in the following manner:
- the resource authorization request indicating that the second node authorizes the first node to access the first resource with authorization information
- the record information corresponding to the resource access request further represents the target access type of the first node accessing the first resource
- the target access type is recorded in the record list in the following manner:
- the authorization setting request indicating that the second node authorizes the first node to access the first resource with a target access type
- the record information corresponding to the authorization setting request is added to the record list, and the record information corresponding to the authorization setting request not only indicates that the first node is authorized to access the first resource in the second node, but also indicates that the first node is authorized to access the first resource with the target access type.
- Preferably, the above method also includes:
- the authorization revocation request indicating that the second node does not allow the first node to access the first resource
- obtaining the record information corresponding to the resource access request in the record list of the global server includes:
- the global server registers the global node identifier for the first node in the following manner:
- the node registration request sent by the first node through the coordinating server in the blockchain; the node registration request at least includes the local node identifier of the first node in the first domain;
- transmitting the authorization information to the first node includes:
- the authorization information is at least sent to the first node through the first server.
- the resource access request representing that the first node requests to access the first resource in the second node, and the first node is in the first domain;
- a cross-domain access device on the blockchain, applied to the global server on the blockchain, the device includes:
- a request receiving unit configured to receive a resource access request sent by a first server in the first domain on the blockchain, where the resource access request indicates that the first node requests to access the first resource in the second node, the first node is in the first domain, and the second node is not in the first domain;
- a record obtaining unit configured to obtain record information corresponding to the resource access request in the record list of the global server
- a request transmission unit configured to transmit the resource access request to a second server in the second domain where the second node is located according to the record information
- an authorization receiving unit configured to receive authorization information corresponding to the resource access request transmitted by the second server
- An authorization transmission unit configured to transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
- a cross-domain access device on the blockchain, applied to the first server in the first domain on the blockchain, the device includes:
- a request receiving unit configured to receive a resource access request sent by a coordinating server in the blockchain, where the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain;
- a node determining unit configured to determine that the second node is in the second domain
- a request sending unit configured to send the resource access request to the global server on the blockchain
- an authorization receiving unit configured to receive authorization information sent by the global server
- An authorization sending unit configured to send the authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
- a server as a global server on the blockchain, including:
- a processor configured to execute the computer program, so as to: receive a resource access request sent by a first server in the first domain on the blockchain, where the resource access request indicates that the first node requests to access the first resource in the second node, the first node is in the first domain, and the second node is not in the first domain; obtain record information corresponding to the resource access request in the record list of the global server; according to the record information, transmit the resource access request to a second server in the second domain where the second node is located; receive authorization information corresponding to the resource access request transmitted by the second server; and transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
- a server as the first server in the first domain on the blockchain, comprising:
- a processor configured to execute the computer program, so as to: receive a resource access request sent by a coordinating server in the blockchain, where the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain; determine that the second node is in the second domain; send the resource access request to the global server on the blockchain; receive authorization information sent by the global server; and send the authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
- Nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationship is recorded on the global server set up on the blockchain. Then, when a blockchain node in the current domain needs to access resources in a blockchain node in another domain, the global server can search for the corresponding record information.
- The blockchain node in the current domain can access the resources in the blockchain node in the opposite domain, thus realizing cross-domain access.
- FIG. 1 is a flow chart of a cross-domain access method on a blockchain provided in Embodiment 1 of the present application;
- Figure 2 is an example diagram of realizing cross-domain access on the blockchain
- Figures 3-7 are partial flowcharts of a cross-domain access method on a blockchain provided in Embodiment 1 of the present application;
- FIG. 8 is a flow chart of a cross-domain access method on a blockchain provided in Embodiment 2 of the present application.
- FIG. 9 is a schematic structural diagram of a server provided in Embodiment 3 of the present application.
- FIG. 10 is a schematic structural diagram of a server provided in Embodiment 4 of the present application.
- FIG. 11 is a schematic diagram of deployment in a domain that implements cross-domain access in this application.
- FIG. 12 is an overall architecture diagram for realizing cross-domain access in this application.
- FIG. 13 is a schematic diagram of the interaction of registering a global domain identifier for a domain in this application.
- FIG. 14 is an interactive schematic diagram of registering a global node identifier for a node user in this application.
- Fig. 15 is a flow chart of issuing delegation policies between node users in this application.
- Fig. 16 and Fig. 17 are respectively schematic diagrams of cross-domain access between blockchain nodes in this application.
- FIG. 1 is a flow chart of the implementation of a cross-domain access method on the blockchain provided by Embodiment 1 of the present application.
- This method can be applied to the global server on the blockchain. The nodes on the blockchain are divided into multiple domains, and each domain can be regarded as a consortium chain. Nodes in the same domain trust each other based on the same root of trust, and nodes in different domains do not trust each other.
- This application sets up a global server on the blockchain, such as the global smart contract server shown in Figure 2. Therefore, in the technical solution of this application, the global server establishes a trust relationship between nodes in different domains to achieve cross-domain access.
- the method in this embodiment may include the following steps:
- Step 101 Receive a resource access request sent by a first server in a first domain on the blockchain.
- the resource access request indicates that the first node requests to access the first resource in the second node, where the first node is in the first domain and the second node is not in the first domain. That is, the second node is in a different domain from the first node, and the domain where the second node is located is recorded as the second domain. The resource access request is therefore a global access request, that is, a request by an entity to access resources in a different domain.
- the resource access request includes at least the resource identifier of the first resource and the global node identifier of the second node where the first resource is located, and of course, may also include the global node identifier of the first node.
- the resource identifier of the first resource may be an address identifier or a name identifier of the first resource.
- the global node identifier of the second node indicates that the second node is in the second domain and uniquely indicates the second node in the second domain.
- the global node identifier of the first node indicates that the first node is in the first domain and uniquely indicates the first node in the first domain.
- the first server in the first domain can be a local smart contract server in the first domain, that is, the first consortium chain, and the first server receives the resource access request sent by the first node through the cross-domain coordination server. Specifically, after the first node generates a resource access request, it sends it to the cross-domain coordination server on the blockchain through addressing; the cross-domain coordination server generates a corresponding cross-domain transaction for the resource access request, and the resource access request in the form of a cross-domain transaction is sent to the first server in the first domain; the first server then sends the resource access request to the global server on the blockchain.
- Step 102 Obtain the record information corresponding to the resource access request in the record list of the global server.
- the global server may search for record information matching the resource access request in the record list, for example: compare the global node ID of the first node, the global node ID of the second node, and the resource ID in the resource access request with the record information in the list to obtain the record information matching the resource access request, where the record information indicates that the second node authorizes the first node to access the first resource in the second node.
- the local authorization list in each domain contains authorization information generated by nodes in this domain for nodes in this domain and other domains, such as the resource identifier of the resource authorized to access, and the public key information required for authorized access
- the authorization information generated by a node for nodes in its own domain can be called a local delegation policy
- the authorization information generated by a node for nodes in other domains can be called a global delegation policy.
- the authorized access relationship in which nodes in each domain generate authorization information for nodes in other domains is recorded, which can be called a global delegation policy.
- the authorization information is not recorded. For example, the authorization status of the second node authorizing the first node to access the first resource is recorded but the public key information generated by the second node for the first node is not recorded.
- the local authorization list in each domain is stored on the blockchain
- the record list of the global server is stored on the blockchain.
- Step 103 According to the record information, transmit the resource access request to the second server in the second domain where the second node is located.
- resource access requests can be broadcast to servers in domains other than the first domain on the blockchain according to the found record information. Servers in each domain can receive the resource access request, but only the second server in the second domain where the second node is located finds that the global node ID of a node in the current domain matches the global node ID contained in the resource access request.
- the second server in the second domain can find the corresponding authorization information in the local authorization list according to the resource access request.
- the local authorization list here contains the authorization information for each node in the second domain to provide resource access for other nodes (including nodes in the current domain and nodes in other domains). Based on this, the second server in the second domain returns the found authorization information to the global server after searching the local authorization list for authorization information that matches the content in the resource access request.
- the record information may be unicast to the second server in the second domain where the second node is located. For example, the addressing method can be used to transmit the record information to the second server in the second domain where the second node is located according to the path between domains, so that the second server in the second domain finds, in the local authorization list, the authorization information that matches the content in the resource access request, and then returns the found authorization information to the global server.
- the second server may be a local smart contract server in the second domain, such as the local smart contract server in domain 2 shown in FIG. 2.
- Step 104 Receive authorization information corresponding to the resource access request transmitted by the second server.
- the global server may receive the access prohibition message returned by the second server, and at this time, the global server returns the access prohibition message to the first node.
- Step 105 Transmit the authorization information to the first node.
- the authorization information is used to instruct the first node to access the first resource.
- the authorization information is the public key information generated by the second node for the first node to access the first resource. Therefore, after receiving the authorization information, the first node can use the authorization information to access the first resource, such as using the public key information to decrypt data encrypted by the second node using the corresponding private key.
- the global server may directly send the authorization information to the first node through the connected link layer when the link layer between the global server and the first node is connected;
- the global server may at least send the authorization information to the first node through the first server when the link layer between the global server and the first node is not connected. For example, the authorization information is first sent to the first server in the first domain, and then the first server in the first domain sends the authorization information to the cross-domain coordination server, so that the cross-domain coordination server sends the authorization information to the first node.
- before the global server directly sends the authorization information to the first node, or before the global server sends the authorization information to the first server, it first sends a wake-up command to the first node to wake up the first node, and then the authorization information is transmitted to the first node.
- Nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationship is recorded on the global server set up on the blockchain. Then, when a blockchain node in the current domain needs to access resources in a blockchain node in another domain, the global server can search for the corresponding record information to instruct the server in the opposite domain to return the authorization information, and then return the authorization information to the blockchain node in the current domain. The blockchain node in the current domain can then access the resources in the blockchain node in the opposite domain, thus realizing cross-domain access.
- the following is the implementation process of recording the record information corresponding to the resource access request in the record list corresponding to the global server, as shown in FIG. 3:
- Step 301 Receive a resource authorization request sent by the second node through the second server.
- the resource authorization request indicates that the second node authorizes the first node to access the first resource with authorization information.
- the resource authorization request may include the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and authorization information.
- the authorization information may be public key information generated by the second node for the first node to access the first resource.
- after the second node generates the resource authorization request, it can first send it to the cross-domain coordination server on the blockchain.
- the cross-domain coordination server generates a corresponding cross-domain transaction for the resource authorization request, and the resource authorization request in the form of a cross-domain transaction is sent to the second server in the second domain where the second node is located.
- if the second server determines that the first node and the second node are in different domains, the second server records the authorization information in the resource authorization request in the local authorization list and, at the same time, sends the resource authorization request to the global server.
- if the second server determines that the first node and the second node are in the same domain, then the second server only needs to record the authorization information in the resource authorization request in the local authorization list.
- the second server may compare the global node ID of the first node with all node IDs in the second domain. If the node ID of a node in the second domain matches the global node ID of the first node, it can be determined that the first node is in the second domain; if no node ID in the second domain matches the global node ID of the first node, it can be determined that the first node is not in the same domain as the second node, that is, the first node is in the first domain.
- Step 302 Add record information corresponding to the resource authorization request in the record list.
- the record information corresponding to the resource authorization request at least indicates that the first node is authorized to access the first resource in the second node.
- the record information corresponding to the resource authorization request includes the global node identifier of the second node, the global node identifier of the first node, and the resource identifier of the first resource, so as to indicate that the first node is authorized to access the first resource in the second node.
- the global server can find corresponding record information in the record list according to the global node identifier and resource identifier contained in the resource access request.
- the record information corresponding to the resource access request also represents the target access type of the first node's access to the first resource. Based on this, taking the record information corresponding to the resource access request as an example, as shown in FIG. 4, after step 302, the following implementation steps of recording the target access type in the record list corresponding to the global server may be included:
- Step 303 Receive an authorization setting request sent by the second node through the second server.
- the authorization setting request indicates that the second node authorizes the first node to access the first resource with the target access type.
- the target access type here may be read-only, write-only, or both readable and writable.
- the authorization setting request may include the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and the target access type.
- after the second node generates the authorization setting request, it can first send it to the cross-domain coordination server on the blockchain.
- the cross-domain coordination server generates a corresponding cross-domain transaction for the authorization setting request, and the authorization setting request is sent to the second server in the second domain where the second node is located.
- if the second server judges that the first node and the second node are in different domains, the second server records the target access type in the authorization setting request in the local authorization list and, at the same time, sends the authorization setting request to the global server.
- Step 304 Add record information corresponding to the authorization setting request in the record list.
- the record information corresponding to the authorization setting request not only indicates that the first node is authorized to access the first resource in the second node, but also indicates that the first node is authorized to access the first resource in the target access type.
- the record information corresponding to the authorization setting request includes the global node ID of the second node, the global node ID of the first node, the resource ID of the first resource, and the target access type, so as to indicate that the first node is authorized to access the first resource in the second node with the target access type.
- the global server can find the corresponding record information in the record list according to the global node identifier and resource identifier contained in the resource access request, so as to determine that the first node is authorized by the second node to access the first resource, and to determine the target access type.
- the global server can record in the record list not only the authorized access relationship in which nodes in each domain generate authorization information for nodes in other domains, but also the authorized access relationship in which nodes in each domain revoke authorization information for nodes in other domains. Specifically, after step 302 or after step 304, the following implementation steps may also be included on the global server, as shown in FIG. 5:
- Step 305 Receive an authorization revocation request sent by the second node through the second server.
- the authorization revocation request indicates that the second node does not allow the first node to access the first resource.
- the authorization revocation request may include the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and prohibition information, and the prohibition information may be represented by specific symbols.
- after the second node generates the authorization revocation request, it can first send it to the cross-domain coordination server on the blockchain.
- the cross-domain coordination server generates a corresponding cross-domain transaction for the authorization revocation request, and the authorization revocation request is sent to the second server in the second domain where the second node is located.
- if the second server determines that the first node and the second node are in different domains, the second server records the record information corresponding to the authorization revocation request.
- resource authorization requests are sent to the global server.
- the second server can find the corresponding record information in the local authorization list according to the global node ID and resource ID contained in the resource access request, which can include authorization information, target access type and prohibition information, so as to determine that the second node first authorized the first node to access the first resource with the target access type by using the authorization information, and then revoked the authorization to the first node, that is, the second node prohibits the first node from accessing the first resource.
- Step 306 Add record information corresponding to the authorization revocation request in the record list.
- the record information corresponding to the authorization revocation request indicates that the first node is prohibited from accessing the first resource in the second node.
- the record information corresponding to the authorization revocation request includes the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and prohibition information, so as to indicate that the second node revokes the first node's authorization to access the first resource.
- Based on this, the global server can find the corresponding record information in the record list according to the global node identifier and resource identifier contained in the resource access request, so as to determine that, after the first node was authorized by the second node to access the first resource with the target access type, the first node's access to the first resource was revoked by the second node.
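An added example, not part of the patent text: a minimal Python model of the record list built in steps 301-306 and consulted in steps 102-104, with the public key information held only in the second domain's local authorization list. The `domain/node` identifier format, all class and field names, the unicast routing by domain prefix, and the rule that a later record overrides an earlier one for the same (second node, first node, resource) triple are assumptions made for illustration.

```python
"""Constructed model of the global record list and one local authorization list."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Kind(Enum):
    GRANT = "resource authorization request"      # steps 301-302
    SET_TYPE = "authorization setting request"    # steps 303-304
    REVOKE = "authorization revocation request"   # steps 305-306


@dataclass(frozen=True)
class Record:
    kind: Kind
    grantor: str                        # global node ID of the second node
    grantee: str                        # global node ID of the first node
    resource: str                       # resource identifier
    access_type: Optional[str] = None   # "read-only", "write-only" or "read-write"


Key = Tuple[str, str, str]              # (grantor, grantee, resource)


class LocalServer:
    """Second server: its local authorization list holds the authorization information."""

    def __init__(self) -> None:
        self.local_authorization_list: Dict[Key, str] = {}

    def lookup(self, key: Key) -> Optional[str]:
        return self.local_authorization_list.get(key)


class GlobalServer:
    """Records the authorized access relationship only, never the public key information."""

    def __init__(self, domain_servers: Dict[str, LocalServer]) -> None:
        self.record_list: List[Record] = []   # append-only, as an on-chain list would be
        self.domain_servers = domain_servers  # assumed routing table: domain -> server

    def add_record(self, record: Record) -> None:
        self.record_list.append(record)

    def effective_state(self, key: Key) -> Tuple[bool, Optional[str]]:
        """Replay the records for one triple in order; the latest one decides."""
        authorized, access_type = False, None
        for r in self.record_list:
            if (r.grantor, r.grantee, r.resource) != key:
                continue
            if r.kind is Kind.GRANT:
                authorized = True
            elif r.kind is Kind.SET_TYPE:
                authorized, access_type = True, r.access_type
            else:  # REVOKE: prohibition information overrides earlier grants
                authorized, access_type = False, None
        return authorized, access_type

    def handle_access_request(self, grantee: str, grantor: str, resource: str) -> dict:
        key = (grantor, grantee, resource)
        authorized, access_type = self.effective_state(key)
        if not authorized:
            return {"status": "access prohibited"}
        # Assumed ID format "domain/node": the prefix selects the second server.
        server = self.domain_servers.get(grantor.split("/", 1)[0])
        info = server.lookup(key) if server else None
        if info is None:
            return {"status": "access prohibited"}
        return {"status": "authorized", "authorization_info": info,
                "access_type": access_type}


def demo() -> List[dict]:
    """Constructed scenario: no record, then grant plus access type, then revocation."""
    domain2 = LocalServer()
    gs = GlobalServer({"domain2": domain2})
    a, b, res = "domain1/nodeA", "domain2/nodeB", "resource-1"
    out = [gs.handle_access_request(a, b, res)]
    domain2.local_authorization_list[(b, a, res)] = "PUBLIC-KEY-PLACEHOLDER"
    gs.add_record(Record(Kind.GRANT, b, a, res))
    gs.add_record(Record(Kind.SET_TYPE, b, a, res, "read-only"))
    out.append(gs.handle_access_request(a, b, res))
    # The local entry is left in place: the revocation record alone stops the request.
    gs.add_record(Record(Kind.REVOKE, b, a, res))
    out.append(gs.handle_access_request(a, b, res))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```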
- the global node ID of each node in each domain can be registered and recorded on the global server, taking the global node ID of the first node as an example, registering the global node ID for the first node on the global server.
- Step 601 Receive a node registration request sent by the first node through the cross-domain coordination server in the blockchain.
- the node registration request includes at least the local node identifier of the first node in the first domain. The local node identifier of the first node is used to uniquely represent the first node in the first domain; it serves as the node's identity and is recognized by other nodes in the first domain, but nodes in other domains cannot recognize the local node ID of the first node.
- after the first node generates a node registration request, it can first send it to the cross-domain coordination server on the blockchain.
- the cross-domain coordination server generates a corresponding cross-domain transaction for the node registration request, and the node registration request in the form of a cross-domain transaction is sent to the first server in the first domain where the first node is located, and the first server sends the node registration request to the global server.
- Step 602 Generate a global node identifier for the first node according to the local node identifier of the first node in the node registration request.
- based on the local node identifier of the first node, the global server generates for the first node a global node identifier that can uniquely represent the first node among nodes in all domains on the blockchain; the global node identifier of the first node is unique among the global node identifiers of the nodes in each domain on the blockchain.
- Step 603 Return the global node identifier of the first node to the first node through the cross-domain coordination server.
- the global server may first send the global node ID of the first node to the first server in the first domain, and then the first server sends the global node ID of the first node to the cross-domain coordination server; after waking up the first node with a wake-up instruction, the cross-domain coordination server sends the global node identifier of the first node to the first node.
- both the global node ID of the second node and the global node ID of any node in any other domain can be registered on the global server through the above method.
- the above is how the global server registers the global node ID for the nodes in each domain.
- the implementation of registering the global domain ID for each domain is similar. Taking the global server registering the global domain ID for the first domain as an example, the specific implementation steps are shown in FIG. 7:
- Step 701 Receive a domain registration request sent by the management server in the first domain through the cross-domain coordination server in the blockchain.
- the domain registration request includes at least the local domain identifier of the first domain, and the local domain identifier of the first domain is used to represent the first domain, but in other domains, the local domain identifier of the first domain cannot be identified.
- the management server in the first domain can first send the domain registration request to the cross-domain coordination server on the blockchain; the cross-domain coordination server generates a corresponding cross-domain transaction for the domain registration request, and the domain registration request in the form of a cross-domain transaction is sent to the first server in the first domain, and the first server sends the domain registration request to the global server.
- Step 702 Generate a global domain identifier for the first domain according to the local domain identifier of the first domain in the domain registration request.
- the global server generates, based on the local domain identifier of the first domain, a global domain identifier for the first domain that can uniquely represent the first domain among all domains on the blockchain; the global domain identifier of the first domain is unique among the global domain IDs of all domains on the blockchain.
- Step 703 Return the global domain identifier of the first domain to the management server in the first domain through the cross-domain coordination server.
- the global server may first send the global domain identifier of the first domain to the first server in the first domain, and then the first server sends the global domain identifier of the first domain to the cross-domain coordination server; after waking up the management server in the first domain with a wake-up instruction, the cross-domain coordination server sends the global domain identifier of the first domain to the management server of the first domain.
- both the global domain ID of the second domain and the global domain ID of any other domain can be registered on the global server through the above methods.
- FIG. 8 is a flowchart of an implementation of a cross-domain access method on a blockchain provided by Embodiment 2 of the present application. This method can be applied to the first server in the first domain on the blockchain, such as the local smart contract server in Domain 1 shown in FIG. 2.
- a global server is used to establish a trust relationship between nodes in different domains, so as to realize cross-domain access.
- the method in this embodiment may include the following steps:
- Step 801 Receive the resource access request sent by the coordinating server in the blockchain.
- the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain.
- the resource access request includes at least the resource identifier of the first resource and the global node identifier of the second node where the first resource is located, and of course, may also include the global node identifier of the first node.
- after the first node generates a resource access request, it sends the request to the cross-domain coordination server on the blockchain by addressing; the cross-domain coordination server generates a corresponding cross-domain transaction for the resource access request and sends the resource access request, in the form of a cross-domain transaction, to the first server in the first domain.
- Step 802 Determine that the second node is in the second domain.
- the first server may compare the global node ID of the second node in the resource access request with the node IDs of all nodes in the first domain. If there is a node ID in the first domain that matches the global node ID of the second node, it can be determined that the second node is in the first domain; if there is no node ID in the first domain that matches the global node ID of the second node, it can be determined that the second node is not in the same domain as the first node, that is, the second node is in the second domain.
- the first server can query the corresponding authorization information in the local authorization list according to the content in the resource access request, and send the found authorization information to the first node through the cross-domain coordination server, so that the first node uses the authorization information to access the first resource in the second node.
- Step 803 Send the resource access request to the global server on the blockchain.
- the global server can obtain the record information corresponding to the resource access request in its record list. For example, the global node ID of the first node, the global node ID of the second node, and the resource ID in the resource access request are compared with the record information in the record list to obtain the record information that matches the resource access request; this record information indicates that the second node authorizes the first node to access the first resource in the second node. If the global server finds the record information corresponding to the resource access request in the record list and there is no prohibition information set by the second node in the record information, it can be determined that the second node authorizes the first node to access the first resource. If the record information corresponding to the resource access request is not found in the record list, or the record information corresponding to the resource access request contains prohibition information set by the second node, it can be determined that the second node does not authorize the first node to access the first resource.
- the global server can send the resource access request to the second server in the second domain where the second node is located; the second server finds, in its local authorization list, the authorization information that matches the content of the resource access request and returns the found authorization information to the global server; the global server then returns the authorization information to the first server, or returns the authorization information directly to the first node.
- the global server may return an access prohibition message to the first server, and the first server transmits the access prohibition message to the first node through the cross-domain coordination server; or the global server can directly return an access prohibition message to the first node when the link layer between the global server and the first node is connected. If the second server does not find, in the local authorization list, authorization information that matches the content of the resource access request, the second server returns an access prohibition message to the global server, the global server returns the access prohibition message to the first server, and the first server transmits the access prohibition message to the first node through the cross-domain coordination server.
- the global server may directly return an access prohibition message to the first node when the link layer between the global server and the first node is connected.
- before the global server sends the authorization information or the access prohibition message, it first transmits a wake-up instruction to the first node, so as to wake up the first node.
- Step 804 Receive authorization information sent by the global server.
- Step 805 Send the authorization information to the first node through the coordinating server.
- the authorization information is used to instruct the first node to access the first resource.
- nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationship is recorded on the global server set on the blockchain. When a blockchain node in the current domain needs to access the resources in a blockchain node in the other domain, the server in the current domain can forward the resource access request to the global server; the global server then searches for the corresponding record information to instruct the server in the other domain to return the authorization information, and returns the authorization information to the blockchain node in the current domain. The blockchain node in the current domain can then access the resources in the blockchain node in the other domain, thereby achieving cross-domain access.
- FIG. 9 is a schematic structural diagram of a server provided in Embodiment 3 of the present application. The server serves as a global server on the blockchain, such as the global smart contract server shown in FIG. 2.
- a global server is used to establish a trust relationship between nodes in different domains, so as to realize cross-domain access.
- the global server in this embodiment may include the following structure:
- the memory 901 is used to store computer programs and data generated by running the computer programs
- the processor 902 is configured to execute a computer program to realize: receiving a resource access request sent by a first server in the first domain on the blockchain, where the resource access request represents that the first node requests to access the first resource in the second node, the first node is in the first domain, and the second node is not in the first domain; obtaining, in the record list of the global server, the record information corresponding to the resource access request; transmitting, according to the record information, the resource access request to the second server in the second domain where the second node is located; receiving authorization information corresponding to the resource access request transmitted by the second server; and transmitting the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
- the global server in this embodiment may also include structures such as a communication module to realize interaction with the first server and the second server.
- the processor 902, by triggering the communication module, receives the resource access request sent by the first server in the first domain on the blockchain, transmits the resource access request to the second server in the second domain where the second node is located, receives the authorization information corresponding to the resource access request transmitted by the second server, transmits the authorization information to the first node, and so on.
- the nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationship is recorded on the global server set on the blockchain. When a blockchain node in the current domain needs to access the resources in a blockchain node in the other domain, the global server can look up the corresponding record information to instruct the server in the other domain to return the authorization information, and then return the authorization information to the blockchain node in the current domain. The blockchain node in the current domain can then access the resources in the blockchain node in the other domain, thus realizing cross-domain access.
- the record information corresponding to the resource access request is recorded in the record list by the processor 902 .
- the processor 902 is specifically configured to: receive a resource authorization request sent by the second node through the second server, where the resource authorization request indicates that the second node authorizes the first node to access the first resource with authorization information; and add record information corresponding to the resource authorization request to the record list, where the record information corresponding to the resource authorization request at least indicates that the first node is authorized to access the first resource in the second node.
- the record information corresponding to the resource access request further represents a target access type of the first node's access to the first resource; wherein, the target access type is recorded in the record list by the processor 902 .
- the processor 902 is specifically configured to: receive an authorization setting request sent by the second node through the second server, where the authorization setting request indicates that the second node authorizes the first node to access the first resource with the target access type; and add record information corresponding to the authorization setting request to the record list, where the record information corresponding to the authorization setting request not only indicates that the first node is authorized to access the first resource in the second node, but also indicates that the first node is authorized to access the first resource with the target access type.
- the processor 902 is further configured to: receive an authorization revocation request sent by the second node through the second server, where the authorization revocation request indicates that the second node does not allow the first node to access the first resource; and add record information corresponding to the authorization revocation request to the record list, where the record information corresponding to the authorization revocation request indicates that the first node is prohibited from accessing the first resource in the second node.
- when the processor 902 obtains the record information corresponding to the resource access request in the record list of the global server, it is specifically configured to: compare the global node identifier of the first node, the global node identifier of the second node, and the resource identifier in the resource access request with the record information in the record list, to obtain the record information matching the resource access request.
- the processor 902 registers the global node identifier for the first node in the following manner: receiving the node registration request sent by the first node through the coordinating server in the blockchain, where the node registration request includes at least the local node ID of the first node in the first domain; generating a global node ID for the first node according to the local node ID of the first node in the node registration request; and returning the global node ID of the first node to the first node through the coordinating server.
- when the processor 902 transmits the authorization information to the first node, it is specifically configured to: when the link layer between the global server and the first node is connected, transmit the authorization information to the first node through the link; when the link layer between the global server and the first node is not connected, send the authorization information to the first node at least through the first server.
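The record-list behaviour described for step 803 and for processor 902 (a record added on authorization, a prohibition record added on revocation, matching on the first node's global ID, the second node's global ID and the resource ID) can be modelled as below. This is an added example, not code from the patent: every type and function name, the sample identifiers, the access type carried in the request, and the rule that any matching prohibition record decides the outcome are assumptions.

```go
package main

import "fmt"

// Hypothetical model of the global server's record list. All names here
// (Record, RecordList, Decide, ...) are illustrative assumptions.

type AccessType string

// Record is one entry in the record list.
type Record struct {
	FirstNode  string     // global node ID of the authorized (requesting) node
	SecondNode string     // global node ID of the node holding the resource
	ResourceID string     // identifier of the first resource
	Access     AccessType // target access type; "" when none was set
	Prohibited bool       // prohibition information from a revocation request
}

// Request carries the fields that are compared against the record list.
type Request struct {
	FirstNode, SecondNode, ResourceID string
	Access                            AccessType // assumption: the request names its access type
}

// RecordList only grows: a revocation adds a prohibition record.
type RecordList struct{ records []Record }

// Authorize handles a resource authorization or authorization setting request.
func (l *RecordList) Authorize(second, first, res string, at AccessType) {
	l.records = append(l.records, Record{FirstNode: first, SecondNode: second, ResourceID: res, Access: at})
}

// Revoke handles an authorization revocation request.
func (l *RecordList) Revoke(second, first, res string) {
	l.records = append(l.records, Record{FirstNode: first, SecondNode: second, ResourceID: res, Prohibited: true})
}

type Decision string

const (
	Forward   Decision = "forward to second server"
	NoRecord  Decision = "prohibit: no matching record"
	Revoked   Decision = "prohibit: prohibition set by second node"
	WrongType Decision = "prohibit: access type not authorized"
)

// Decide compares the request with every record. No match means prohibit.
// Any matching prohibition record means prohibit (assumption: a later grant
// does not override a revocation, because the page describes no re-grant).
func (l *RecordList) Decide(req Request) Decision {
	matched, typeOK := false, false
	for _, r := range l.records {
		if r.FirstNode != req.FirstNode || r.SecondNode != req.SecondNode || r.ResourceID != req.ResourceID {
			continue
		}
		if r.Prohibited {
			return Revoked
		}
		matched = true
		if r.Access == "" || r.Access == req.Access {
			typeOK = true
		}
	}
	switch {
	case !matched:
		return NoRecord
	case !typeOK:
		return WrongType
	}
	return Forward
}

func main() {
	// Constructed sample identifiers, not taken from the patent.
	list := &RecordList{}
	req := Request{FirstNode: "domain1/nodeA", SecondNode: "domain2/nodeB", ResourceID: "res-1", Access: "read"}

	fmt.Println("before any record:", list.Decide(req))
	list.Authorize("domain2/nodeB", "domain1/nodeA", "res-1", "read")
	fmt.Println("after authorization:", list.Decide(req))
	list.Revoke("domain2/nodeB", "domain1/nodeA", "res-1")
	fmt.Println("after revocation:", list.Decide(req))
}
```

Because the list is only appended to, the lookup has to scan every matching record before it can conclude that the request may be forwarded; stopping at the first grant would miss a revocation added later.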
- the embodiment of the present application also provides a cross-domain access device on the blockchain, which is applied to the global server on the blockchain, and the device includes:
- the request receiving unit is configured to receive the resource access request sent by the first server in the first domain on the block chain, the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain, the second node is not in the first domain;
- a record obtaining unit configured to obtain record information corresponding to the resource access request in the record list of the global server
- a request transmission unit configured to transmit the resource access request to a second server in the second domain where the second node is located according to the record information
- An authorization receiving unit configured to receive authorization information corresponding to the resource access request transmitted by the second server
- An authorization transmission unit configured to transmit authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
- FIG. 10 is a schematic structural diagram of a server provided in Embodiment 4 of the present application. The server serves as the first server in the first domain on the blockchain, such as the local smart contract server in Domain 1 shown in FIG. 2.
- a global server is used to establish a trust relationship between nodes in different domains, so as to realize cross-domain access.
- the first server in this embodiment may include the following structure:
- Memory 1001 used to store computer programs and data generated by running computer programs
- the processor 1002 is configured to execute a computer program to realize: receiving a resource access request sent by a coordinating server in the blockchain, where the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain; determining that the second node is in the second domain; sending the resource access request to the global server on the blockchain; receiving the authorization information sent by the global server; and sending the authorization information to the first node through the coordination server, where the authorization information is used to instruct the first node to access the first resource.
- the global server in this embodiment may also include structures such as a communication module to realize interaction with the first server and the second server.
- the processor 1002, by triggering the communication module, receives the resource access request sent by the coordination server in the blockchain, sends the resource access request to the global server on the blockchain, receives the authorization information sent by the global server, sends the authorization information to the first node through the coordination server, and so on.
- the nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationship is recorded on the global server set on the blockchain. When a blockchain node in the current domain needs to access the resources in a blockchain node in the other domain, the server in the current domain can forward the resource access request to the global server; the global server then searches for the corresponding record information to instruct the server in the other domain to return the authorization information, and returns the authorization information to the blockchain node in the current domain. The blockchain node in the current domain can then access the resources in the blockchain node in the other domain, thus achieving cross-domain access.
- the embodiment of the present application also provides a cross-domain access device on the blockchain, which is applied to the first server in the first domain on the blockchain, and the device includes:
- the request receiving unit is configured to receive a resource access request sent by the coordinating server in the blockchain, the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain;
- a node determining unit configured to determine that the second node is in the second domain
- the request sending unit is used to send the resource access request to the global server on the block chain;
- An authorization receiving unit configured to receive authorization information sent by the global server
- An authorization sending unit configured to send authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
- each domain contains the basic modules for running Fabric, which can realize complete smart contract calls, including at least the electronic certification service CA (Certificate Authority), the sorting server (ordering service), the peer node, the membership server (Membership service), etc.
- CA: Certificate Authority
- sorting server: ordering service; peer node
- membership server: Membership server
- the global smart contract server (Global smart contract), referred to as the global smart contract
- the local smart contract server (Local smart contract), referred to as the local smart contract
- the cross-domain coordination server (Cross Domain Coordinator), also known as the cross domain coordinator
- the overall architecture is shown in Figure 12.
- the underlying network Underlay and the overlay network Overlay are constructed on the blockchain.
- all blockchain nodes on the blockchain form the Global Blockchain, which is the peer-to-peer network on the Overlay network, that is, the Global hyperledger fabric network.
- each consortium chain forms a local chain (Local Blockchain), namely Domain1, Domain2, Domain..., which is the peer-to-peer network on the Underlay, that is, the Local hyperledger fabric network.
- Node users operate on the blockchain nodes to implement operations such as node registration, domain registration, entrusted release, revoked entrustment, and access.
- the cross-domain coordination server allows users to access within a single domain and across domains.
- when the cross-domain coordination server receives a request from a user on a node, it generates a cross-domain (CD, CrossDomain) transaction. Then, the cross-domain coordination server forwards the cross-domain transaction to the local smart contract of the node's domain.
- after receiving a registration request (node registration request or domain registration request), the cross-domain coordination server generates the cross-domain transaction "CD.register", which registers the global identifier of the node or domain on the blockchain.
- the owner is allowed to publish and revoke the delegation policy of its resources using the cross-domain transaction for publishing a delegation policy, "CD.delegate", and the cross-domain transaction for revoking a delegation policy, "CD.revoke", respectively.
- smart contracts on the blockchain define all operations of the access control system.
- Two types of smart contracts are proposed in this application, namely local smart contracts and global smart contracts. These local smart contracts and global smart contracts are deployed in the underlay and overlay networks respectively. These smart contracts define authentication and authorization operations for internal and external users, respectively.
- the smart contract performs corresponding processing operations when receiving cross-domain transactions from the cross-domain coordination server.
- the local smart contract stores the local delegation policy and the global delegation policy in two different data structures, that is, the authorization information authorized to nodes in the domain to access resources and the authorization information authorized to nodes in other domains to access resources in the local authorization list above.
- the global smart contract stores the global delegation strategy in its data structure, which is the record information in the record list mentioned above.
- the Domain owner, such as the management server in Domain 1, sends a domain registration request to the CrossDomain coordinator.
- Domain registration requests contain information such as domain names, IP addresses, and other metadata.
- the CrossDomain coordinator generates a "CD.register" cross-domain transaction, and then sends the cross-domain transaction to the Global smart contract through the Local smart contract of Domain 1.
- after the Global smart contract registers the global domain identifier for the Domain owner, and when the CrossDomain coordinator wakes up the Domain owner, the global domain identifier is returned to the Domain owner through the Local smart contract and the CrossDomain coordinator.
- the node user (user) in the Domain sends a node registration request to the CrossDomain coordinator, and the node registration request includes information such as the local node ID, IP address and other metadata.
- the CrossDomain coordinator generates a "CD.register" cross-domain transaction, and then sends the cross-domain transaction to the Global smart contract through the Local smart contract of the current domain. After the Global smart contract registers the global node identifier for the node user in the Domain, and when the CrossDomain coordinator wakes up the Domain user, the Global smart contract returns the global node identifier to the node user in the Domain through the Local smart contract and the CrossDomain coordinator.
- FIG. 15 is a flow chart of node user o_j issuing delegation policies to node user s_j, specifically as follows:
- the node user o in the Domain sends a resource authorization request to the CrossDomain coordinator.
- the resource authorization request includes at least the global node ID of the node user o_j, the authorized node user s_j, the authorized public key p_k, and the identifier of the resource authorized to be accessed.
- the CrossDomain coordinator generates a "CD.delegate" cross-domain transaction for the resource authorization request, and then sends the cross-domain transaction to the Local smart contract of the current domain;
- the Local smart contract judges whether the node user o_j and the node user s_j are in the same domain, that is, whether the node user s_j is a node user on the global blockchain or a node user on the local blockchain;
- the Local smart contract stores the authorization delegation policy in the local authorization list as the local delegation policy
- the Local smart contract returns to the CrossDomain coordinator a message indicating that the local authorization policy is successfully saved;
- the Local smart contract sends the authorization delegation policy to the Global smart contract, and stores the authorization delegation policy in the local authorization list as the global delegation policy;
- the Global smart contract stores the authorization delegation strategy in the record list as the global delegation strategy.
- FIG. 16 and FIG. 17 are schematic diagrams of cross-domain access between blockchain nodes in Domain 1 and Domain 2.
- the node user (user) in Domain1 sends a resource access request to the CrossDomain coordinator. There are two situations as follows:
- after the Local smart contract determines, based on the global node identifier in the request, that the resource access request is for a node in the domain, the Local smart contract searches the local authorization list for the local authorization policy corresponding to the resource access request, and then obtains the corresponding authorization information.
- the Local smart contract returns the authorization information or the access prohibition message to the node user in Domain1 through the CrossDomain coordinator, so that the node user in Domain1 can use the authorization information to access the data on the nodes in the domain.
- after the Local smart contract determines, based on the global node identifier in the request, that the resource access request is for a node in another domain, the Local smart contract sends the resource access request to the Global smart contract, and the Global smart contract broadcasts the resource access request to nodes in other domains, such as the node users in Domain2 and the node users in Domain3. The Local smart contract in each domain can thus obtain the corresponding authorization information after finding the local authorization policy corresponding to the resource access request.
- the Local smart contract in each domain returns the authorization information or the message of prohibiting access to the Global smart contract.
- after the Global smart contract wakes up the node user in Domain1, it returns the authorization information or the access prohibition message to the node user in Domain1 through the CrossDomain coordinator, so that the node user in Domain1 can use the authorization information to access the data on the node in the corresponding domain.
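The routing that the Local smart contract performs in the delegation flow (FIG. 15) and in the access flow (FIG. 16 and FIG. 17) can be modelled as follows: a policy for a grantee in the same domain stays in the local store, a policy for a grantee elsewhere is stored as a global delegation policy and also recorded by the Global smart contract, and an access request leaves the domain only when the target node is not a member. This is an added example, not code from the patent; the type, field and function names and the sample identifiers are assumptions, and the Global contract here forwards to the target's domain after checking its record list (as in Embodiment 1) instead of broadcasting.

```go
package main

import "fmt"

// Hypothetical model of Local and Global smart contract routing.
// Type, field and function names are illustrative assumptions.

// Policy is one delegation policy issued with CD.delegate.
type Policy struct {
	Owner, Grantee, ResourceID string
	AuthInfo                   string // e.g. the authorized public key
}

// Global models the Global smart contract.
type Global struct {
	Records   []Policy         // record list (global delegation policies)
	Domains   []*LocalContract // Local smart contracts it can reach
	Forwarded int              // access requests that left their own domain
}

// LocalContract models one domain's Local smart contract.
type LocalContract struct {
	Name           string
	Members        map[string]bool // global node IDs of nodes in this domain
	LocalPolicies  []Policy        // grants to nodes inside this domain
	GlobalPolicies []Policy        // grants to nodes in other domains
	Up             *Global
}

// find returns the authorization info of the first policy that matches.
func find(list []Policy, owner, grantee, res string) (string, bool) {
	for _, p := range list {
		if p.Owner == owner && p.Grantee == grantee && p.ResourceID == res {
			return p.AuthInfo, true
		}
	}
	return "", false
}

// Delegate stores a policy and reports which store received it.
func (c *LocalContract) Delegate(p Policy) string {
	if c.Members[p.Grantee] {
		c.LocalPolicies = append(c.LocalPolicies, p)
		return "local"
	}
	c.GlobalPolicies = append(c.GlobalPolicies, p)
	c.Up.Records = append(c.Up.Records, p)
	return "global"
}

// Resolve checks the record list, then asks the target's domain for the
// authorization info. ok is false when access is prohibited.
func (g *Global) Resolve(requester, target, res string) (string, bool) {
	g.Forwarded++
	if _, ok := find(g.Records, target, requester, res); !ok {
		return "", false
	}
	for _, d := range g.Domains {
		if d.Members[target] {
			return find(d.GlobalPolicies, target, requester, res)
		}
	}
	return "", false
}

// Access returns the authorization info ("" when prohibited) and the route.
func (c *LocalContract) Access(requester, target, res string) (string, string) {
	if c.Members[target] {
		info, _ := find(c.LocalPolicies, target, requester, res)
		return info, "local"
	}
	info, _ := c.Up.Resolve(requester, target, res)
	return info, "global"
}

// NewDemo builds two domains from constructed sample identifiers.
func NewDemo() (*Global, *LocalContract, *LocalContract) {
	g := &Global{}
	d1 := &LocalContract{Name: "Domain1", Up: g,
		Members: map[string]bool{"d1/user": true, "d1/owner": true}}
	d2 := &LocalContract{Name: "Domain2", Up: g,
		Members: map[string]bool{"d2/owner": true}}
	g.Domains = []*LocalContract{d1, d2}
	return g, d1, d2
}

func main() {
	g, d1, d2 := NewDemo()
	fmt.Println("stored:", d1.Delegate(Policy{"d1/owner", "d1/user", "res-local", "pk-1"}))
	fmt.Println("stored:", d2.Delegate(Policy{"d2/owner", "d1/user", "res-remote", "pk-2"}))

	info, route := d1.Access("d1/user", "d1/owner", "res-local")
	fmt.Println(route, info)
	info, route = d1.Access("d1/user", "d2/owner", "res-remote")
	fmt.Println(route, info)
	fmt.Println("requests forwarded to Global:", g.Forwarded)
}
```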
- each embodiment in this specification is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same and similar parts of each embodiment can be referred to each other.
- the description is relatively simple, and for relevant details, please refer to the description of the method part.
- RAM random access memory
- ROM read-only memory
- EPROM electrically programmable ROM
- EEPROM electrically erasable programmable ROM
- registers, hard disk, removable disk, CD-ROM, or any other known storage medium.
Description
本申请要求于2021年12月21日提交中国专利局、申请号为CN202111575402.0、发明名称为“区块链上的跨域访问方法及服务器”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application with the application number CN202111575402.0 and the title of the invention "Cross-domain access method and server on the block chain" submitted to the China Patent Office on December 21, 2021, the entire content of which is passed References are incorporated in this application.
本申请涉及区块链技术领域,尤其涉及一种区块链上的跨域访问方法及服务器。The present application relates to the technical field of block chain, and in particular to a cross-domain access method and server on the block chain.
区块链上可以分为公有链(public chain)和许可链(permissioned chain),其中许可链又可以根据数据维护方是否为单一个体(entity)分成联盟链(consortium)和私有链(private chain)。The blockchain can be divided into a public chain and a permissioned chain, and the permissioned chain can be divided into a consortium chain and a private chain according to whether the data maintainer is a single entity. .
在许可链上,同一个联盟链内可以实现节点之间的资源访问,但不同联盟链中的节点之间互相不信任,导致不能进行资源访问。On the permissioned chain, resource access between nodes can be realized in the same consortium chain, but nodes in different consortium chains do not trust each other, resulting in inability to access resources.
发明内容Contents of the invention
有鉴于此,本申请提供一种区块链上的跨域访问方法及服务器,如下:In view of this, this application provides a cross-domain access method and server on the blockchain, as follows:
一种区块链上的跨域访问方法,应用于区块链上的全局服务器,所述方法包括:A cross-domain access method on the blockchain, applied to a global server on the blockchain, the method comprising:
接收所述区块链上第一域内的第一服务器发送的资源访问请求,所述资源访问请求表征第一节点请求访问第二节点中的第一资源,所述第一节点处于所述第一域,所述第二节点不处于所述第一域;Receiving a resource access request sent by a first server in the first domain on the blockchain, the resource access request indicates that the first node requests to access the first resource in the second node, and the first node is in the first domain, the second node is not in the first domain;
在所述全局服务器的记录列表中,获得所述资源访问请求对应的记录信息;In the record list of the global server, obtain record information corresponding to the resource access request;
根据所述记录信息,将所述资源访问请求传输给所述第二节点所在的第二域内的第二服务器;transmitting the resource access request to a second server in the second domain where the second node is located according to the record information;
接收所述第二服务器传输的所述资源访问请求对应的授权信息;receiving authorization information corresponding to the resource access request transmitted by the second server;
将所述授权信息传输给所述第一节点,所述授权信息用于指示所述第一节点访问所述第一资源。transmitting the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
In the above method, preferably, the record information corresponding to the resource access request is recorded in the record list in the following manner:
receiving a resource authorization request sent by the second node through the second server, the resource authorization request indicating that the second node authorizes the first node to access the first resource with authorization information;
adding record information corresponding to the resource authorization request to the record list, where the record information corresponding to the resource authorization request at least indicates that the first node is authorized to access the first resource in the second node.
In the above method, preferably, the record information corresponding to the resource access request further indicates a target access type with which the first node accesses the first resource;
where the target access type is recorded in the record list in the following manner:
receiving an authorization setting request sent by the second node through the second server, the authorization setting request indicating that the second node authorizes the first node to access the first resource with the target access type;
adding record information corresponding to the authorization setting request to the record list, where the record information corresponding to the authorization setting request indicates not only that the first node is authorized to access the first resource in the second node, but also that the first node is authorized to access the first resource with the target access type.
The above method, preferably, further comprises:
receiving an authorization revocation request sent by the second node through the second server, the authorization revocation request indicating that the second node does not allow the first node to access the first resource;
adding record information corresponding to the authorization revocation request to the record list, where the record information corresponding to the authorization revocation request indicates that the first node is prohibited from accessing the first resource in the second node.
In the above method, preferably, obtaining the record information corresponding to the resource access request in the record list of the global server comprises:
comparing the global node identifier of the first node, the global node identifier of the second node and the resource identifier in the resource access request with the record information in the record list, to obtain the record information that matches the resource access request.
In the above method, preferably, the global server registers a global node identifier for the first node in the following manner:
receiving a node registration request sent by the first node through a coordinating server in the blockchain, the node registration request containing at least the local node identifier of the first node in the first domain;
generating a global node identifier for the first node according to the local node identifier of the first node in the node registration request;
returning the global node identifier of the first node to the first node through the coordinating server.
In the above method, preferably, transmitting the authorization information to the first node comprises:
when the link layer between the global server and the first node is connected, sending the authorization information to the first node through the link layer;
when the link layer between the global server and the first node is not connected, sending the authorization information to the first node at least through the first server.
A cross-domain access method on a blockchain, applied to a first server in a first domain on the blockchain, the method comprising:
receiving a resource access request sent by a coordinating server in the blockchain, the resource access request indicating that a first node requests access to a first resource in a second node, where the first node is in the first domain;
determining that the second node is in a second domain;
sending the resource access request to a global server on the blockchain;
receiving authorization information sent by the global server;
sending the authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
A cross-domain access apparatus on a blockchain, applied to a global server on the blockchain, the apparatus comprising:
a request receiving unit, configured to receive a resource access request sent by a first server in a first domain on the blockchain, the resource access request indicating that a first node requests access to a first resource in a second node, where the first node is in the first domain and the second node is not in the first domain;
a record obtaining unit, configured to obtain, in a record list of the global server, record information corresponding to the resource access request;
a request transmission unit, configured to transmit, according to the record information, the resource access request to a second server in a second domain where the second node is located;
an authorization receiving unit, configured to receive authorization information corresponding to the resource access request transmitted by the second server;
an authorization transmission unit, configured to transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
A cross-domain access apparatus on a blockchain, applied to a first server in a first domain on the blockchain, the apparatus comprising:
a request receiving unit, configured to receive a resource access request sent by a coordinating server in the blockchain, the resource access request indicating that a first node requests access to a first resource in a second node, where the first node is in the first domain;
a node determining unit, configured to determine that the second node is in a second domain;
a request sending unit, configured to send the resource access request to a global server on the blockchain;
an authorization receiving unit, configured to receive authorization information sent by the global server;
an authorization sending unit, configured to send the authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
A server, serving as a global server on a blockchain, comprising:
a memory, configured to store a computer program and data generated by running the computer program;
a processor, configured to execute the computer program so as to: receive a resource access request sent by a first server in a first domain on the blockchain, the resource access request indicating that a first node requests access to a first resource in a second node, where the first node is in the first domain and the second node is not in the first domain; obtain, in a record list of the global server, record information corresponding to the resource access request; transmit, according to the record information, the resource access request to a second server in a second domain where the second node is located; receive authorization information corresponding to the resource access request transmitted by the second server; and transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
A server, serving as a first server in a first domain on a blockchain, comprising:
a memory, configured to store a computer program and data generated by running the computer program;
a processor, configured to execute the computer program so as to: receive a resource access request sent by a coordinating server in the blockchain, the resource access request indicating that a first node requests access to a first resource in a second node, where the first node is in the first domain; determine that the second node is in a second domain; send the resource access request to a global server on the blockchain; receive authorization information sent by the global server; and send the authorization information to the first node through the coordinating server, where the authorization information is used to instruct the first node to access the first resource.
It can be seen from the above technical solution that, in the cross-domain access method on a blockchain and the server disclosed in the present application, nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationships are recorded on a global server set up on the blockchain. When a blockchain node in the current domain needs to access a resource in a blockchain node in the other domain, the global server looks up the corresponding record information and instructs the server of the other domain to return the authorization information; once the authorization information has been returned to the blockchain node in the current domain, that node can access the resource in the blockchain node in the other domain, thereby achieving cross-domain access.
To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a cross-domain access method on a blockchain provided in Embodiment 1 of the present application;
FIG. 2 is an example diagram of implementing cross-domain access on a blockchain;
FIG. 3 to FIG. 7 are each partial flowcharts of a cross-domain access method on a blockchain provided in Embodiment 1 of the present application;
FIG. 8 is a flowchart of a cross-domain access method on a blockchain provided in Embodiment 2 of the present application;
FIG. 9 is a schematic structural diagram of a server provided in Embodiment 3 of the present application;
FIG. 10 is a schematic structural diagram of a server provided in Embodiment 4 of the present application;
FIG. 11 is a schematic diagram of the deployment within a domain that implements cross-domain access in the present application;
FIG. 12 is an overall architecture diagram for implementing cross-domain access in the present application;
FIG. 13 is a schematic diagram of the interaction for registering a global domain identifier for a domain in the present application;
FIG. 14 is a schematic diagram of the interaction for registering a global node identifier for a node user in the present application;
FIG. 15 is a flowchart of issuing delegation policies between node users in the present application;
FIG. 16 and FIG. 17 are each schematic diagrams of the interaction for cross-domain access between blockchain nodes in the present application.
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.
Referring to FIG. 1, which is a flowchart of an implementation of a cross-domain access method on a blockchain provided in Embodiment 1 of the present application, the method is applicable to a global server on the blockchain. Nodes on the blockchain are divided into multiple domains, and each domain can be regarded as a consortium chain. Nodes within the same domain trust each other based on the same root of trust, while nodes in different domains do not trust each other. On this basis, the present application sets up a global server on the blockchain, such as the global smart contract server shown in FIG. 2, so that in the technical solution of the present application the global server establishes trust relationships between nodes in different domains to achieve cross-domain access.
Specifically, the method in this embodiment may include the following steps:
Step 101: Receive a resource access request sent by a first server in a first domain on the blockchain.
Here, the resource access request indicates that a first node requests access to a first resource in a second node. The first node is in the first domain and the second node is not in the first domain, that is, the second node and the first node are in different domains, and the domain where the second node is located is denoted as the second domain. In other words, the resource access request is a global access request, that is, a request for resource access between entities in different domains.
Specifically, the resource access request contains at least the resource identifier of the first resource and the global node identifier of the second node where the first resource is located, and may of course also contain the global node identifier of the first node. The resource identifier of the first resource may be an address identifier or a name identifier of the first resource, or the like. The global node identifier of the second node indicates that the second node is in the second domain and uniquely identifies the second node in the second domain. The global node identifier of the first node indicates that the first node is in the first domain and uniquely identifies the first node in the first domain.
It should be noted that the first server in the first domain may be the local smart contract server in the first domain, that is, in the first consortium chain, and the first server receives the resource access request sent by the first node through the cross-domain coordination server. Specifically, after generating the resource access request, the first node sends it by addressing to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the resource access request and sends the resource access request, in the form of a cross-domain transaction, to the first server in the first domain, and the first server sends the resource access request to the global server on the blockchain.
Step 102: Obtain, in the record list of the global server, the record information corresponding to the resource access request.
Specifically, the global server may search the record list for record information that matches the resource access request. For example, the global node identifier of the first node, the global node identifier of the second node and the resource identifier in the resource access request are compared with the record information in the record list to obtain the record information that matches the resource access request; this record information indicates that the second node has authorized the first node to access the first resource in the second node.
It should be noted that the local authorization list in each domain contains the authorization information that nodes in that domain generate for nodes in the same domain and in other domains, such as the resource identifier of the resource to which access is authorized, the public key information needed for the authorized access, and the access type that is authorized. The authorization information that a node generates for nodes in its own domain may be called a local delegation policy, and the authorization information that a node generates for nodes in other domains may be called a global delegation policy. The record list of the global server records the authorized access relationships in which nodes in each domain generate authorization information for nodes in other domains, which may be called a global delegation policy. To ensure security, the record list records only the authorization status and not the authorization information; for example, it records the status that the second node has authorized the first node to access the first resource, but does not record the public key information that the second node generated for the first node.
The local authorization list in each domain is stored on the blockchain, and the record list of the global server is stored on the blockchain.
Step 103: According to the record information, transmit the resource access request to the second server in the second domain where the second node is located.
In one implementation, in this embodiment the resource access request may be broadcast, according to the record information found, to the servers in the domains on the blockchain other than the first domain. The servers in each of these domains all receive the resource access request, but only the second server in the second domain where the second node is located finds that a node in its own domain has a global node identifier matching the global node identifier contained in the resource access request. The second server in the second domain can then look up the corresponding authorization information in its local authorization list according to the resource access request. The local authorization list here contains the authorization information with which each node in the second domain provides resource access to other nodes (including nodes in the current domain and nodes in other domains). On this basis, after the second server in the second domain finds in the local authorization list the authorization information that matches all of the content in the resource access request, it returns the authorization information found to the global server.
In another implementation, in this embodiment the record information may be unicast, according to the global node identifier of the second node in the record information found, to the second server in the second domain where the second node is located. For example, addressing may be used to transmit the record information along the path between domains to the second server in the second domain where the second node is located. The second server in the second domain then finds in the local authorization list the authorization information that matches all of the content in the resource access request, and returns the authorization information found to the global server.
The second server may be the local smart contract server in the second domain, such as the local smart contract server in domain 2 shown in FIG. 2.
Step 104: Receive the authorization information corresponding to the resource access request transmitted by the second server.
If the second server does not find authorization information corresponding to the resource access request in the local authorization list, the global server may receive an access-prohibited message returned by the second server, in which case the global server returns the access-prohibited message to the first node.
Step 105: Transmit the authorization information to the first node.
Here, the authorization information is used to instruct the first node to access the first resource. For example, the authorization information is the public key information that the second node generated for the first node to access the first resource, so that after receiving the authorization information the first node can use it to access the first resource, for example by using the public key information to decrypt data that the second node encrypted with the corresponding private key.
In one implementation, when the link layer between the global server and the first node is connected, the global server may send the authorization information directly to the first node through the connected link layer;
In another implementation, when the link layer between the global server and the first node is not connected, the global server may send the authorization information to the first node at least through the first server. For example, the authorization information is first sent to the first server in the first domain, and the first server in the first domain then sends the authorization information to the cross-domain coordination server, so that the cross-domain coordination server sends the authorization information to the first node.
It should be noted that before the global server sends the authorization information directly to the first node, or before the global server sends the authorization information to the first server, a wake-up instruction is first sent to the first node to wake it up, and the authorization information is then transmitted to the first node.
It can be seen from the above technical solution that, in the cross-domain access method on a blockchain provided in Embodiment 1 of the present application, nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized access relationships are recorded on a global server set up on the blockchain. When a blockchain node in the current domain needs to access a resource in a blockchain node in the other domain, the global server looks up the corresponding record information and instructs the server of the other domain to return the authorization information; once the authorization information has been returned to the blockchain node in the current domain, that node can access the resource in the blockchain node in the other domain, thereby achieving cross-domain access.
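The flow of steps 101 to 105, together with the grant and revocation records described in the summary, as an added Python example that is not part of the patent text. Assumptions: all class and method names, the `domain/local-id` form of the global node identifier, the placeholder strings standing in for public key information, the constructed node and resource names, and the deny result when no record exists are illustrative and are not specified by the application.

```python
from dataclasses import dataclass

FORBIDDEN = "forbidden"


@dataclass(frozen=True)
class Record:
    """Global record-list entry: authorization status only, never the key material."""
    grantee: str           # global node ID of the first (requesting) node
    owner: str             # global node ID of the second (resource-owning) node
    resource: str          # resource identifier
    allowed: bool          # False marks a revocation record
    access_type: str = ""  # e.g. "r", "w", "rw"; empty if none was set


class GlobalServer:
    def __init__(self):
        self.records = []  # append-only, as a list kept on-chain would be
        self.domains = {}  # domain name -> DomainServer

    def register_node(self, domain, local_id):
        """Derive a global node ID from the local one (ID format is an assumption)."""
        gid = f"{domain}/{local_id}"
        self.domains[domain].nodes.add(gid)
        return gid

    def lookup(self, grantee, owner, resource):
        """Step 102: match both global node IDs and the resource ID; newest record wins."""
        for rec in reversed(self.records):
            if (rec.grantee, rec.owner, rec.resource) == (grantee, owner, resource):
                return rec
        return None

    def handle_access(self, grantee, owner, resource):
        """Steps 101-105 as seen by the global server."""
        rec = self.lookup(grantee, owner, resource)
        if rec is None or not rec.allowed:
            return FORBIDDEN, None, ""  # assumption: no record, or revoked, means deny
        # Step 103, unicast variant: route by the domain part of the owner's global ID.
        second_server = self.domains.get(owner.split("/")[0])
        # Step 104: the second server searches its local authorization list.
        info = second_server.find_authorization(grantee, owner, resource) if second_server else None
        if info is None:
            return FORBIDDEN, None, ""  # second server answered "access prohibited"
        return "granted", info, rec.access_type  # step 105


class DomainServer:
    """Local smart-contract server of one domain; holds the local authorization list."""

    def __init__(self, name, global_server):
        self.name, self.global_server = name, global_server
        self.nodes = set()
        self.local_auth = {}  # (grantee, owner, resource) -> authorization info
        global_server.domains[name] = self

    def grant(self, owner, grantee, resource, auth_info, access_type=""):
        # The authorization info stays in the domain's own list ...
        self.local_auth[(grantee, owner, resource)] = auth_info
        # ... and only a cross-domain grant is reported, as status, to the global server.
        if grantee not in self.nodes:
            self.global_server.records.append(Record(grantee, owner, resource, True, access_type))

    def revoke(self, owner, grantee, resource):
        self.local_auth.pop((grantee, owner, resource), None)  # assumption: local entry dropped
        if grantee not in self.nodes:
            self.global_server.records.append(Record(grantee, owner, resource, False))

    def find_authorization(self, grantee, owner, resource):
        return self.local_auth.get((grantee, owner, resource))


def demo():
    """Constructed scenario: nodeA (domain1) asks for res-1 held by nodeB (domain2)."""
    g = GlobalServer()
    DomainServer("domain1", g)
    d2 = DomainServer("domain2", g)
    a = g.register_node("domain1", "nodeA")
    b = g.register_node("domain2", "nodeB")
    c = g.register_node("domain2", "nodeC")
    results = [g.handle_access(a, b, "res-1")]            # no grant yet
    d2.grant(b, a, "res-1", "PUBKEY-A-PLACEHOLDER", "r")  # cross-domain grant
    d2.grant(b, c, "res-1", "PUBKEY-C-PLACEHOLDER")       # same-domain grant, local only
    results.append(g.handle_access(a, b, "res-1"))
    d2.revoke(b, a, "res-1")
    results.append(g.handle_access(a, b, "res-1"))
    return g, results


if __name__ == "__main__":
    for outcome in demo()[1]:
        print(outcome)
```

The global record list ends up with two entries, the cross-domain grant and its revocation, and neither carries the key placeholder, which is the status-only property the description relies on for security.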
In one implementation, taking the record information corresponding to the resource access request as an example, the following is the process by which the record information corresponding to the resource access request is recorded in the record list of the global server, as shown in FIG. 3:
Step 301: Receive a resource authorization request sent by the second node through the second server.
Here, the resource authorization request indicates that the second node authorizes the first node to access the first resource with authorization information.
Specifically, the resource authorization request may contain the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource and the authorization information, where the authorization information may be the public key information that the second node generated so that the first node can access the first resource.
It should be noted that after generating the resource authorization request, the second node may first send it to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the resource authorization request and sends the resource authorization request, in the form of a cross-domain transaction, to the second server in the second domain where the second node is located. When the second server determines that the first node and the second node are in different domains, the second server records the authorization information in the resource authorization request in the local authorization list and, at the same time, sends the resource authorization request to the global server.
If the second server determines that the first node and the second node are in the same domain, the second server only needs to record the authorization information in the resource authorization request in the local authorization list.
Specifically, the second server may compare the global node identifier of the first node with the identifiers of all nodes in the second domain. If a node in the second domain has a node identifier that matches the global node identifier of the first node, it can be determined that the first node is in the second domain; if no node in the second domain has a node identifier that matches the global node identifier of the first node, it can be determined that the first node and the second node are not in the same domain, that is, the first node is in the first domain.
Step 302: Add the record information corresponding to the resource authorization request to the record list.
Here, the record information corresponding to the resource authorization request at least indicates that the first node is authorized to access the first resource in the second node.
Specifically, the record information corresponding to the resource authorization request contains the global node identifier of the second node, the global node identifier of the first node and the resource identifier of the first resource, thereby indicating that the first node is authorized to access the first resource in the second node. On this basis, the global server can find the corresponding record information in the record list according to the global node identifiers and the resource identifier contained in the resource access request.
Further, the record information corresponding to the resource access request also indicates the target access type with which the first node accesses the first resource. On this basis, taking the record information corresponding to the resource access request as an example, as shown in FIG. 4, after step 302 the following steps for recording the target access type in the record list of the global server may also be included:
Step 303: Receive an authorization setting request sent by the second node through the second server.
Here, the authorization setting request indicates that the second node authorizes the first node to access the first resource with the target access type. The target access type here may be read-only, write-only, or readable and writable.
Specifically, the authorization setting request may contain the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource and the target access type.
It should be noted that after generating the authorization setting request, the second node may first send it to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the authorization setting request and sends the authorization setting request, in the form of a cross-domain transaction, to the second server in the second domain where the second node is located. When the second server determines that the first node and the second node are in different domains, the second server records the target access type in the authorization setting request in the local authorization list and, at the same time, sends the authorization setting request to the global server.
Step 304: Add the record information corresponding to the authorization setting request to the record list.
Here, the record information corresponding to the authorization setting request indicates not only that the first node is authorized to access the first resource in the second node, but also that the first node is authorized to access the first resource with the target access type.
Specifically, the record information corresponding to the authorization setting request contains the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource and the target access type, thereby indicating that the first node is authorized to access the first resource in the second node with the target access type. On this basis, the global server can find the corresponding record information in the record list according to the global node identifiers and the resource identifier contained in the resource access request, to determine that the first node is authorized by the second node to access the first resource and the target access type with which access is authorized.
Based on the above implementation, the global server can record in the record list not only the authorized access relationships in which nodes in each domain generate authorization information for nodes in other domains, but also the authorized access relationships in which nodes in each domain revoke authorization information for nodes in other domains. Specifically, after step 302 or after step 304, the following steps may also be performed on the global server, as shown in FIG. 5:
Step 305: Receive an authorization revocation request sent by the second node through the second server.
The authorization revocation request indicates that the second node does not allow the first node to access the first resource.
Specifically, the authorization revocation request may contain the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and prohibition information; the prohibition information may be represented by a specific marker symbol.
It should be noted that, after generating the authorization revocation request, the second node may first send it to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the authorization revocation request and sends the authorization revocation request, in the form of a cross-domain transaction, to the second server in the second domain where the second node is located. When the second server determines that the first node and the second node are in different domains, the second server records the record information corresponding to the authorization revocation request in its local authorization list and, at the same time, sends the resource authorization request to the global server. On this basis, the second server can look up the corresponding record information in the local authorization list using the global node identifiers and the resource identifier contained in a resource access request. That record information may contain authorization information, a target access type and prohibition information, from which it is determined that the second node, after authorizing the first node with the authorization information to access the first resource with the target access type, has revoked that authorization; that is, the second node prohibits the first node from accessing the first resource.
Step 306: Add record information corresponding to the authorization revocation request to the record list.
The record information corresponding to the authorization revocation request indicates that the first node is prohibited from accessing the first resource in the second node.
Specifically, the record information corresponding to the authorization revocation request contains the global node identifier of the second node, the global node identifier of the first node, the resource identifier of the first resource, and the prohibition information, thereby indicating that the second node revokes the first node's authorization to access the first resource. On this basis, the global server can look up the corresponding record information in the record list using the global node identifiers and the resource identifier contained in a resource access request, and so determine that, after the first node was authorized by the second node to access the first resource with the target access type, the second node revoked the first node's authorization to access the first resource.
In one implementation, the global node identifier of each node in each domain can be registered and recorded on the global server. Taking the global node identifier of the first node as an example, the steps for registering a global node identifier for the first node on the global server are shown in Figure 6:
Step 601: Receive a node registration request sent by the first node through the cross-domain coordination server in the blockchain.
The node registration request contains at least the local node identifier of the first node in the first domain. The local node identifier uniquely identifies the first node within the first domain. It serves as the first node's identity and is recognized by the other nodes in the first domain, but nodes in other domains cannot recognize it.
It should be noted that, after generating the node registration request, the first node may first send it to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the node registration request and sends the node registration request, in the form of a cross-domain transaction, to the first server in the first domain where the first node is located; the first server then sends the node registration request to the global server.
Step 602: Generate a global node identifier for the first node according to the local node identifier of the first node in the node registration request.
Based on the local node identifier of the first node, the global server generates for the first node a global node identifier that uniquely identifies the first node among the nodes of all domains on the blockchain; the first node's global node identifier is unique among the global node identifiers of all nodes in all domains on the blockchain.
Step 603: Return the global node identifier of the first node to the first node through the cross-domain coordination server.
Specifically, the global server may first send the first node's global node identifier to the first server in the first domain. The first server then sends it to the cross-domain coordination server, which wakes up the first node with a wake-up instruction and then sends the global node identifier to the first node.
Similarly, the global node identifier of the second node and of any node in any other domain can be registered on the global server in the same way.
The above describes how the global server registers global node identifiers for the nodes in each domain. Global domain identifiers are registered for each domain in a similar way. Taking the global server registering a global domain identifier for the first domain as an example, the specific steps are shown in Figure 7:
Step 701: Receive a domain registration request sent by the management server in the first domain through the cross-domain coordination server in the blockchain.
The domain registration request contains at least the local domain identifier of the first domain. The local domain identifier denotes the first domain, but it cannot be recognized in other domains.
It should be noted that, after generating the domain registration request, the management server in the first domain may first send it to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the domain registration request and sends the domain registration request, in the form of a cross-domain transaction, to the first server in the first domain; the first server then sends the domain registration request to the global server.
Step 702: Generate a global domain identifier for the first domain according to the local domain identifier of the first domain in the domain registration request.
Based on the local domain identifier of the first domain, the global server generates for the first domain a global domain identifier that uniquely identifies the first domain among all domains on the blockchain; the first domain's global domain identifier is unique among the global domain identifiers of all domains on the blockchain.
Step 703: Return the global domain identifier of the first domain to the management server in the first domain through the cross-domain coordination server.
Specifically, the global server may first send the first domain's global domain identifier to the first server in the first domain. The first server then sends it to the cross-domain coordination server, which wakes up the management server in the first domain with a wake-up instruction and then sends the global domain identifier to the management server of the first domain.
Similarly, the global domain identifier of the second domain and of any other domain can be registered on the global server in the same way.
Figure 8 is a flowchart of a cross-domain access method on a blockchain provided by Embodiment 2 of the present application. The method is applicable to the first server in the first domain on the blockchain, such as the local smart contract server in domain 1 shown in Figure 2. In the technical solution of the present application, the global server establishes trust relationships between nodes in different domains in order to achieve cross-domain access.
Specifically, the method in this embodiment may include the following steps:
Step 801: Receive a resource access request sent by the coordination server in the blockchain.
The resource access request indicates that the first node requests access to the first resource in the second node; the first node is in the first domain.
Specifically, the resource access request contains at least the resource identifier of the first resource and the global node identifier of the second node where the first resource is located; it may, of course, also contain the global node identifier of the first node.
It should be noted that, after generating the resource access request, the first node sends it by addressing to the cross-domain coordination server on the blockchain. The cross-domain coordination server generates a corresponding cross-domain transaction for the resource access request and sends the resource access request, in the form of a cross-domain transaction, to the first server in the first domain.
Step 802: Determine that the second node is in the second domain.
Specifically, the first server may compare the global node identifier of the second node in the resource access request with the node identifiers of all nodes in the first domain. If the node identifier of some node in the first domain matches the global node identifier of the second node, the second node is determined to be in the first domain. If no node identifier in the first domain matches the global node identifier of the second node, the second node is determined not to be in the same domain as the first node, that is, the second node is in the second domain.
If the second node is in the first domain, as shown in Figure 9, the first server can query its local authorization list for the corresponding authorization information according to the content of the resource access request and send the authorization information it finds to the first node through the cross-domain coordination server, so that the first node can use the authorization information to access the first resource in the second node.
If the second node is in the second domain, the following flow is executed.
Step 803: Send the resource access request to the global server on the blockchain.
The global server can obtain the record information corresponding to the resource access request from its record list. For example, it compares the global node identifier of the first node, the global node identifier of the second node, and the resource identifier in the resource access request with the record information in the record list to obtain the record information that matches the resource access request; that record information indicates that the second node has authorized the first node to access the first resource in the second node. If the global server finds record information corresponding to the resource access request in the record list, and that record information contains no prohibition information set by the second node, it can determine that the second node has authorized the first node to access the first resource. If the global server finds no record information corresponding to the resource access request in the record list, or the corresponding record information contains prohibition information set by the second node, it can determine that the second node has not authorized the first node to access the first resource.
On this basis, if it is determined that the second node has authorized the first node to access the first resource, the global server can send the resource access request to the second server in the second domain where the second node is located. The second server looks up, in its local authorization list, the authorization information that matches all of the content of the resource access request and returns it to the global server. The global server then returns the authorization information to the first server, or returns it directly to the first node.
If it is determined that the second node has not authorized the first node to access the first resource, the global server can return an access-prohibited message to the first server, and the first server transmits the access-prohibited message to the first node through the cross-domain coordination server; alternatively, the global server can return the access-prohibited message directly to the first node when the link layer between the global server and the first node is connected. If the second server finds no authorization information in its local authorization list that matches all of the content of the resource access request, the second server returns an access-prohibited message to the global server, the global server returns the access-prohibited message to the first server, and the first server transmits it to the first node through the cross-domain coordination server; alternatively, the global server can return the access-prohibited message directly to the first node when the link layer between the global server and the first node is connected.
It should be noted that, before the global server sends the authorization information or the access-prohibited message, a wake-up instruction is first transmitted to the first node to wake it up.
Step 804: Receive the authorization information sent by the global server.
Step 805: Send the authorization information to the first node through the coordination server.
The authorization information is used to instruct the first node to access the first resource.
As the above technical solution shows, in the cross-domain access method on a blockchain provided by Embodiment 2 of the present application, nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized-access relationships are recorded on the global server set up on the blockchain. When a blockchain node in the current domain needs to access a resource in a blockchain node in another domain, the server of the current domain can forward the resource access request to the global server. The global server looks up the corresponding record information and instructs the server of the other domain to return the authorization information. Once the authorization information has been returned to the blockchain node in the current domain, that node can access the resource in the blockchain node in the other domain, thereby achieving cross-domain access.
It should be noted that, for other implementations of the first server in the first domain, reference may be made to the functions implemented by the second server in the second domain described above; they are not detailed again here.
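The grant, revocation and lookup flow of steps 303 to 306 and 801 to 805 can be modelled as follows. This is an added illustration, not code from the patent: the class and field names, the identifiers and the token are constructed, and two behaviours are assumptions that the text does not specify (a later grant replaces an earlier record, and a domain server only accepts policy changes from its own nodes).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Both lists are keyed by (owner global node ID, requester global node ID, resource ID).
Key = Tuple[str, str, str]


@dataclass
class Entry:
    access: Optional[str] = None         # target access type: "r", "w" or "rw"
    authorization: Optional[str] = None  # authorization information (local list only)
    prohibited: bool = False             # prohibition information added by a revocation


def deny() -> dict:
    return {"allowed": False, "authorization": None, "access": None}


class GlobalServer:
    def __init__(self) -> None:
        self.record_list: Dict[Key, Entry] = {}
        self.server_of: Dict[str, "DomainServer"] = {}  # global node ID -> its domain server

    def record_grant(self, key: Key, access: Optional[str]) -> None:
        # Assumption: a later grant replaces the record; the page does not define re-grant.
        self.record_list[key] = Entry(access=access)

    def record_revocation(self, key: Key) -> None:
        self.record_list.setdefault(key, Entry()).prohibited = True

    def handle_access(self, requester: str, owner: str, resource: str) -> dict:
        rec = self.record_list.get((owner, requester, resource))
        if rec is None or rec.prohibited:   # no record, or prohibition information present
            return deny()
        second = self.server_of.get(owner)
        local = second.lookup_local(requester, owner, resource) if second else None
        if local is None:                   # second server found no matching authorization
            return deny()
        return {"allowed": True, "authorization": local.authorization, "access": rec.access}


class DomainServer:
    def __init__(self, nodes: Set[str], global_server: GlobalServer) -> None:
        self.nodes, self.gs = set(nodes), global_server
        self.local_list: Dict[Key, Entry] = {}
        for node in self.nodes:
            global_server.server_of[node] = self

    def _key(self, owner: str, requester: str, resource: str) -> Key:
        # Assumption (hardening, not on the page): only accept policy changes from own nodes.
        if owner not in self.nodes:
            raise PermissionError("owner is not registered in this domain")
        return (owner, requester, resource)

    def authorize(self, owner, requester, resource, authorization, access=None) -> None:
        key = self._key(owner, requester, resource)
        self.local_list[key] = Entry(access=access, authorization=authorization)
        if requester not in self.nodes:     # other domain: also record on the global server
            self.gs.record_grant(key, access)

    def revoke(self, owner, requester, resource) -> None:
        key = self._key(owner, requester, resource)
        self.local_list.setdefault(key, Entry()).prohibited = True
        if requester not in self.nodes:
            self.gs.record_revocation(key)

    def lookup_local(self, requester, owner, resource) -> Optional[Entry]:
        entry = self.local_list.get((owner, requester, resource))
        if entry is None or entry.prohibited or entry.authorization is None:
            return None
        return entry

    def handle_access(self, requester, owner, resource) -> dict:
        if owner in self.nodes:             # step 802: owner is in the requester's own domain
            entry = self.lookup_local(requester, owner, resource)
            if entry is None:
                return deny()
            return {"allowed": True, "authorization": entry.authorization, "access": entry.access}
        return self.gs.handle_access(requester, owner, resource)   # step 803


def scenario() -> list:
    # Constructed identifiers and token, for illustration only.
    a, b, res = "g:domain1/nodeA", "g:domain2/nodeB", "res-1"
    gs = GlobalServer()
    d1, d2 = DomainServer({a}, gs), DomainServer({b}, gs)
    results = [d1.handle_access(a, b, res)]                 # nothing recorded yet
    d2.authorize(b, a, res, "constructed-token", access="r")
    results.append(d1.handle_access(a, b, res))             # granted, read-only
    d2.revoke(b, a, res)
    results.append(d1.handle_access(a, b, res))             # revoked
    return results


if __name__ == "__main__":
    for r in scenario():
        print(r)
```

Both the global record list and the second server's local authorization list must agree before authorization information is released, so a missing record on either side results in a denial.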
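Figure 9 is a schematic structural diagram of a server provided by Embodiment 3 of the present application. The server acts as the global server on the blockchain, for example the global smart contract server shown in Figure 2. In the technical solution of the present application, the global server establishes trust relationships between nodes in different domains in order to achieve cross-domain access.
Specifically, the global server in this embodiment may include the following structure:
a memory 901, configured to store a computer program and data generated by running the computer program;
a processor 902, configured to execute the computer program to: receive a resource access request sent by the first server in the first domain on the blockchain, where the resource access request indicates that the first node requests access to the first resource in the second node, the first node is in the first domain, and the second node is not in the first domain; obtain, in the record list of the global server, the record information corresponding to the resource access request; transmit, according to the record information, the resource access request to the second server in the second domain where the second node is located; receive the authorization information corresponding to the resource access request transmitted by the second server; and transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
In addition, the global server in this embodiment may also include structures such as a communication module for interacting with the first server and the second server. For example, by triggering the communication module, the processor 902 receives the resource access request sent by the first server in the first domain on the blockchain, transmits the resource access request to the second server in the second domain where the second node is located, receives the authorization information corresponding to the resource access request transmitted by the second server, transmits the authorization information to the first node, and so on.
As the above technical solution shows, in the server provided by Embodiment 3 of the present application, nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized-access relationships are recorded on the global server set up on the blockchain. When a blockchain node in the current domain needs to access a resource in a blockchain node in another domain, the global server can look up the corresponding record information and instruct the server of the other domain to return the authorization information. Once the authorization information has been returned to the blockchain node in the current domain, that node can access the resource in the blockchain node in the other domain, thereby achieving cross-domain access.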
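In one implementation, the record information corresponding to the resource access request is recorded in the record list by the processor 902. The processor 902 is specifically configured to: receive a resource authorization request sent by the second node through the second server, where the resource authorization request indicates that the second node authorizes the first node to access the first resource with authorization information; and add record information corresponding to the resource authorization request to the record list, where that record information at least indicates that the first node is authorized to access the first resource in the second node.
In one implementation, the record information corresponding to the resource access request also indicates the target access type with which the first node accesses the first resource; the target access type is recorded in the record list by the processor 902. The processor 902 is specifically configured to: receive an authorization setting request sent by the second node through the second server, where the authorization setting request indicates that the second node authorizes the first node to access the first resource with the target access type; and add record information corresponding to the authorization setting request to the record list, where that record information indicates not only that the first node is authorized to access the first resource in the second node, but also that the first node is authorized to access the first resource with the target access type.
In one implementation, the processor 902 is further configured to: receive an authorization revocation request sent by the second node through the second server, where the authorization revocation request indicates that the second node does not allow the first node to access the first resource; and add record information corresponding to the authorization revocation request to the record list, where that record information indicates that the first node is prohibited from accessing the first resource in the second node.
In one implementation, when obtaining the record information corresponding to the resource access request in the record list of the global server, the processor 902 is specifically configured to: compare the global node identifier of the first node, the global node identifier of the second node, and the resource identifier in the resource access request with the record information in the record list, to obtain the record information that matches the resource access request.
In one implementation, the processor 902 registers a global node identifier for the first node as follows: receive a node registration request sent by the first node through the coordination server in the blockchain, where the node registration request contains at least the local node identifier of the first node in the first domain; generate a global node identifier for the first node according to the local node identifier of the first node in the node registration request; and return the global node identifier of the first node to the first node through the coordination server.
In one implementation, when transmitting the authorization information to the first node, the processor 902 is specifically configured to: when the link layer between the global server and the first node is connected, send the authorization information to the first node through the link layer; and when the link layer between the global server and the first node is not connected, send the authorization information to the first node at least through the first server.
It should be noted that, for the specific implementation of the processor in this embodiment, reference may be made to the corresponding content above; it is not detailed again here.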
Correspondingly, an embodiment of the present application also provides a cross-domain access apparatus on a blockchain, applied to the global server on the blockchain. The apparatus includes:
a request receiving unit, configured to receive a resource access request sent by the first server in the first domain on the blockchain, where the resource access request indicates that the first node requests access to the first resource in the second node, the first node is in the first domain, and the second node is not in the first domain;
a record obtaining unit, configured to obtain, in the record list of the global server, the record information corresponding to the resource access request;
a request transmission unit, configured to transmit, according to the record information, the resource access request to the second server in the second domain where the second node is located;
an authorization receiving unit, configured to receive the authorization information corresponding to the resource access request transmitted by the second server;
an authorization transmission unit, configured to transmit the authorization information to the first node, where the authorization information is used to instruct the first node to access the first resource.
Figure 10 is a schematic structural diagram of a server provided by Embodiment 4 of the present application. The server acts as the first server in the first domain on the blockchain, for example the local smart contract server in domain 1 shown in Figure 2. In the technical solution of the present application, the global server establishes trust relationships between nodes in different domains in order to achieve cross-domain access.
Specifically, the first server in this embodiment may include the following structure:
a memory 1001, configured to store a computer program and data generated by running the computer program;
a processor 1002, configured to execute the computer program to: receive a resource access request sent by the coordination server in the blockchain, where the resource access request indicates that the first node requests access to the first resource in the second node and the first node is in the first domain; determine that the second node is in the second domain; send the resource access request to the global server on the blockchain; receive the authorization information sent by the global server; and send the authorization information to the first node through the coordination server, where the authorization information is used to instruct the first node to access the first resource.
In addition, the global server in this embodiment may also include structures such as a communication module for interacting with the first server and the second server. For example, by triggering the communication module, the processor 1002 receives the resource access request sent by the coordination server in the blockchain, sends the resource access request to the global server on the blockchain, receives the authorization information sent by the global server, sends the authorization information to the first node through the coordination server, and so on.
As the above technical solution shows, in the server provided by Embodiment 4 of the present application, nodes in each domain on the blockchain generate authorization information for nodes in other domains, and the corresponding authorized-access relationships are recorded on the global server set up on the blockchain. When a blockchain node in the current domain needs to access a resource in a blockchain node in another domain, the server of the current domain can forward the resource access request to the global server. The global server looks up the corresponding record information and instructs the server of the other domain to return the authorization information. Once the authorization information has been returned to the blockchain node in the current domain, that node can access the resource in the blockchain node in the other domain, thereby achieving cross-domain access.
Correspondingly, an embodiment of the present application also provides a cross-domain access apparatus on a blockchain, applied to the first server in the first domain on the blockchain. The apparatus includes:
a request receiving unit, configured to receive a resource access request sent by the coordination server in the blockchain, where the resource access request indicates that the first node requests access to the first resource in the second node and the first node is in the first domain;
a node determining unit, configured to determine that the second node is in the second domain;
a request sending unit, configured to send the resource access request to the global server on the blockchain;
an authorization receiving unit, configured to receive the authorization information sent by the global server;
an authorization sending unit, configured to send the authorization information to the first node through the coordination server, where the authorization information is used to instruct the first node to access the first resource.
Take cross-domain access between blockchain nodes of the first domain and the second domain, such as domain 1 and domain 2, as an example. As shown in Figure 11, each domain contains the basic modules for running Fabric and can perform complete smart contract invocation. These modules include at least the certificate authority (CA) providing the electronic authentication service, the ordering service, peer nodes, the membership service, and so on. On this basis, three components are added to the blockchain to accomplish cross-domain access: a global smart contract server (Global smart contract, "global smart contract" for short), local smart contract servers (Local smart contract, "local smart contract" for short), and a cross-domain coordination server (Cross Domain Coordinator, also called the cross-domain coordinator).
The overall architecture is shown in Figure 12. An underlay network and an overlay network are built on the blockchain. In the overlay network, all blockchain nodes on the blockchain form the Global Blockchain, which is the peer-to-peer network on the overlay, that is, the Global hyperledger fabric network. In the underlay network, each consortium chain forms its own Local Blockchain, namely Domain1, Domain2, Domain…, which is the peer-to-peer network on the underlay, that is, the Local hyperledger fabric network. Node users operate on the blockchain nodes to perform operations such as node registration, domain registration, publishing a delegation, revoking a delegation, and access.
First, the cross-domain coordination server allows users to access within a single domain and across domains. When the cross-domain coordination server receives a request from a user on a node, it generates a cross-domain (CD, CrossDomain) transaction. The cross-domain coordination server then forwards the cross-domain transaction to the local smart contract of the domain where the node is located.
The cross-domain coordination server handles the following:
1. After receiving a registration request (a node registration request or a domain registration request), the cross-domain coordination server generates a "CD.register" cross-domain transaction for registering a global identifier, in order to register the global identifier of the node or domain on the blockchain.
2. Owners are allowed to publish and revoke the delegation policies of their resources using, respectively, the "CD.delegate" cross-domain transaction for publishing a delegation policy and the "CD.revoke" cross-domain transaction for revoking a delegation policy.
3. It generates a "CD.access" cross-domain transaction for setting the access type, in order to set up access to, or operation on, on-chain information in the same domain or in other domains.
其次,区块链上的智能合约定义访问控制系统的所有操作。本申请中提出了两种类型的智能合约,即本地智能合约和全局智能合约。这些本地智能合约和全局智能合约分别部署在底层(underlay)和覆盖(overlay)网络中。这些智能合约分别为内部和外部用户定义了身份验证和授权操作。智能合约在收到来自跨域协调服务器的跨域事务时执行相应的处理操作。本地智能合约以两种不同的数据结构分别存储本地委托策略和全局委托策略,即前文中的本地授权列表中授权给本域内节点访问资源的授权信息和授权给其他域节点访问资源的授权信息。同样,全局智能合约在其数据结构中存储全局委托策略,即前文中的记录列表中的记录信息。Second, smart contracts on the blockchain define all operations of the access control system. Two types of smart contracts are proposed in this application, namely local smart contracts and global smart contracts. These local smart contracts and global smart contracts are deployed in the underlay and overlay networks respectively. These smart contracts define authentication and authorization operations for internal and external users, respectively. The smart contract performs corresponding processing operations when receiving cross-domain transactions from the cross-domain coordination server. The local smart contract stores the local delegation policy and the global delegation policy in two different data structures, that is, the authorization information authorized to nodes in the domain to access resources and the authorization information authorized to nodes in other domains to access resources in the local authorization list above. Similarly, the global smart contract stores the global delegation strategy in its data structure, which is the record information in the record list mentioned above.
Finally, based on the cross-domain coordination server, the global smart contract and the local smart contracts in each domain, at least the following operations can be performed:
1. Register global node identifiers and global domain identifiers in the global smart contract to implement domain registration.
2. Register local node identifiers in the local smart contract to implement user node registration.
3. Publish delegation policies, revoke delegation policies and set delegation actions (that is, setting the target access type described above).
4. Cross-domain resource access.
The following uses registration of a global node identifier, registration of a global domain identifier, publishing a delegation policy and resource access as examples:
Referring to Figure 13, to register a global domain identifier in a Hyperledger Fabric consortium, the Domain owner, such as the management server in domain 1, sends a domain registration request to the CrossDomain coordinator. The domain registration request contains information such as the domain name, IP address and other metadata. The CrossDomain coordinator generates a "CD.register" cross-domain transaction and sends it through the Local smart contract of domain 1 to the Global smart contract. After the Global smart contract registers the global domain identifier for the Domain owner, and when the CrossDomain coordinator wakes up the Domain owner, the Global smart contract returns the global domain identifier to the Domain owner through the Local smart contract and the CrossDomain coordinator.
Referring to Figure 14, a node user (user) in the Domain sends a node registration request to the CrossDomain coordinator. The node registration request contains information such as the local node identifier, IP address and other metadata. The CrossDomain coordinator generates a "CD.register" cross-domain transaction and sends it through the Local smart contract of the current domain to the Global smart contract. After the Global smart contract registers a global node identifier for the node user in the Domain, and when the CrossDomain coordinator wakes up the Domain user, the Global smart contract returns the global node identifier to the node user through the Local smart contract and the CrossDomain coordinator.
Referring to Figure 15, which is a flow chart of node user o_j publishing a delegation policy to node user s_j, the steps are as follows:
1. Node user o_j in the Domain sends a resource authorization request to the CrossDomain coordinator. The resource authorization request contains at least the global node identifier of node user o_j, the authorized node user s_j, the authorized public key p_k and the identifier of the resource to which access is granted.
2. The CrossDomain coordinator generates a "CD.delegate" cross-domain transaction for the resource authorization request and sends it to the Local smart contract of the current domain.
3. The Local smart contract determines whether node user o_j and node user s_j are in the same domain, that is, whether node user s_j is a node user on the global blockchain or on the local blockchain.
4a. If node user s_j and node user o_j are in the same domain, the Local smart contract stores the delegation policy in the local authorization list as a local delegation policy.
5a. If node user s_j and node user o_j are in the same domain, the Local smart contract returns to the CrossDomain coordinator a message indicating that the local authorization policy was saved successfully.
4b. If node user s_j and node user o_j are not in the same domain, the Local smart contract sends the delegation policy to the Global smart contract and also stores it in the local authorization list as a global delegation policy.
5b. The Global smart contract stores the delegation policy in the record list as a global delegation policy.
Referring to Figures 16 and 17, which are schematic diagrams of cross-domain access interactions between blockchain nodes in domain 1 and domain 2, a node user (user) in Domain1 sends a resource access request to the CrossDomain coordinator. There are two cases:
As shown in Figure 16, if the resource access request targets a node in the same domain, the CrossDomain coordinator sends the request, in the form of a cross-domain transaction, to the Local smart contract of domain 1. The Local smart contract determines from the global node identifier in the request that it is a request for a resource on a node in its own domain, and then searches the local authorization list for the local authorization policy corresponding to the request, which yields the corresponding authorization information. If no corresponding local authorization policy is found, it generates an access-forbidden message. The Local smart contract then returns the authorization information or the access-forbidden message to the node user in Domain1 through the CrossDomain coordinator, so that the node user in Domain1 can use the authorization information to access data on the node in its own domain.
As shown in Figure 17, if the resource access request targets a node in another domain, the CrossDomain coordinator sends the request, in the form of a cross-domain transaction, to the Local smart contract of domain 1. The Local smart contract determines from the global node identifier in the request that it is a request for a resource on a node in another domain, and forwards the request to the Global smart contract, which broadcasts it to the nodes in other domains, such as the node users in Domain2 and Domain3, and so on. The Local smart contract in each domain then searches for the local authorization policy corresponding to the request, which yields the corresponding authorization information; if no corresponding local authorization policy is found, it generates an access-forbidden message. The Local smart contract in each domain returns the authorization information or the access-forbidden message to the Global smart contract. After waking up the node user in Domain1, the Global smart contract returns the authorization information or the access-forbidden message to that node user through the CrossDomain coordinator, so that the node user in Domain1 can use the authorization information to access data on the node in the corresponding domain.
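The delegation steps (3, 4a/4b, 5a/5b) and the two access paths of Figures 16 and 17 can be modelled in a few lines of Python; this is an added example, not code from the application. The class names, node identifiers, message shapes, the first-match handling of broadcast replies and the way "CD.revoke" clears every stored copy are assumptions.

```python
FORBIDDEN = {"status": "forbidden"}  # stand-in for the "access forbidden" message
class GlobalContract:
    def __init__(self):
        self.locals = {}        # domain name -> LocalContract
        self.record_list = {}   # global delegation policies (the record list)

    def broadcast(self, key, sender):  # Figure 17: ask every other domain
        for domain, local in self.locals.items():
            if domain != sender and (answer := local.lookup(key)) is not FORBIDDEN:
                return answer
        return FORBIDDEN        # no domain holds a matching policy: deny

class LocalContract:
    def __init__(self, domain, nodes, glob):
        self.domain, self.nodes, self.glob = domain, set(nodes), glob
        self.local_policies = {}    # grants to nodes inside this domain
        self.global_policies = {}   # grants to nodes in other domains
        glob.locals[domain] = self

    def lookup(self, key):
        pubkey = self.local_policies.get(key) or self.global_policies.get(key)
        granted = {"status": "authorized", "domain": self.domain, "pubkey": pubkey}
        return granted if pubkey else FORBIDDEN

    def handle(self, tx):
        key = (tx["owner"], tx["subject"], tx["resource"])
        if tx["type"] == "CD.delegate":
            if tx["subject"] in self.nodes:            # step 4a: same domain
                self.local_policies[key] = tx["pubkey"]
            else:                                      # steps 4b and 5b
                self.global_policies[key] = tx["pubkey"]
                self.glob.record_list[key] = self.domain
            return {"status": "saved"}
        if tx["type"] == "CD.revoke":                  # assumed: drop every copy
            for store in (self.local_policies, self.global_policies, self.glob.record_list):
                store.pop(key, None)
            return {"status": "revoked"}
        if tx["type"] == "CD.access":
            if tx["owner"] in self.nodes:              # Figure 16: target in this domain
                return self.lookup(key)
            return self.glob.broadcast(key, self.domain)  # Figure 17: other domain
        raise ValueError(f"unknown cross-domain transaction {tx['type']!r}")

def coordinator(local, kind, owner, subject, resource, pubkey=None):  # builds the transaction
    return local.handle(dict(type=kind, owner=owner, subject=subject, resource=resource, pubkey=pubkey))

def demo():  # constructed node identifiers, resource name and key label
    glob = GlobalContract()
    d1, d2 = LocalContract("domain1", {"d1/s1"}, glob), LocalContract("domain2", {"d2/o1"}, glob)
    coordinator(d2, "CD.delegate", "d2/o1", "d1/s1", "res-7", "pk-s1")
    before = coordinator(d1, "CD.access", "d2/o1", "d1/s1", "res-7")
    coordinator(d2, "CD.revoke", "d2/o1", "d1/s1", "res-7")
    after = coordinator(d1, "CD.access", "d2/o1", "d1/s1", "res-7")
    return before, after, glob.record_list
```

A request with no matching policy in any domain falls through to the forbidden message, so the model denies by default, and a revoked grant that lingered in either the local list or the record list would show up as a stale "authorized" answer.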
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their functions. Whether these functions are executed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in software modules executed by a processor, or in a combination of both. Software modules can reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the present application will not be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111575402.0A CN114268493B (en) | 2021-12-21 | 2021-12-21 | Cross-domain access method and server on block chain |
CN202111575402.0 | 2021-12-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023116028A1 true WO2023116028A1 (en) | 2023-06-29 |
Family
ID=80828393
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/115786 WO2023116028A1 (en) | 2021-12-21 | 2022-08-30 | Cross-domain access method on blockchain and server |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114268493B (en) |
WO (1) | WO2023116028A1 (en) |
-
2021
- 2021-12-21 CN CN202111575402.0A patent/CN114268493B/en active Active
-
2022
- 2022-08-30 WO PCT/CN2022/115786 patent/WO2023116028A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN114268493A (en) | 2022-04-01 |
CN114268493B (en) | 2023-07-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22909353 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04.10.2024) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 22909353 Country of ref document: EP Kind code of ref document: A1 |