CN105635235B - Access control method and network node for access control
Publication number: CN105635235B
Authority: CN (China)
Abstract
This application discloses an access control method and a network node for access control. The method includes: a network node receives an HTTP access request sent by a client and identifies the Referer field in the HTTP access request; the network node matches the resource identifier that the request accesses against one or more groups of access control lists; when the resource identifier that the request accesses matches a controlled resource identifier, the network node obtains the allow/deny flag of the controlled resource identifier and, according to that flag, sends an HTTP access response allowing or denying access to the client that sent the HTTP access request. The application is based on the HTTP protocol and can be implemented by adding a standard field to the header of the HTTP response message, so it is compatible with different network nodes in a network.
Description
Technical field
This application relates to the field of TV and communication technology, and in particular to an access control method and a network node for access control.
Background
In the prior art, the source station generates an ACL (access control list) in the form of a data table according to a configuration file or syntax structure, and the generated ACL is then imported into the operations system. Through command-line parsing or manual parsing by the operations system, a configuration file that the caching system can read and parse is generated, and this configuration file is issued to each network node. Each network node is configured with a dedicated ACL control module, which parses the configuration file. After the network node obtains the ACL by parsing the configuration file according to the established syntax, it reloads the ACL or hot-restarts the network node; only after the reload or hot restart succeeds is the ACL deployed on the network node, thereby achieving access control. If the reload or hot restart fails, it has to be attempted again. If the ACL of the source station changes, the whole process has to be repeated.
Although the above method can ultimately achieve access control, it is not based on the HTTP protocol, so each network node freely defines its configuration format according to its own needs. This makes network nodes at different levels incompatible with one another, and when such nodes coexist in a network the ACL obviously cannot be issued using one identical configuration file, which increases the maintenance cost of the source station.
In addition, when the source station generates the configuration file from the ACL, the ACL must be parsed and converted by the operations system, so the source station has to fill in the ACL to be configured in the format required by the current operations system so that the operations system can recognize and translate it. The operations system in turn has to translate the ACL into a configuration file in the format the network nodes can recognize and issue it to the network nodes. This process is clearly highly exclusive: it is suitable only for a LAN in which the distribution of the network nodes and the state of each node are known, and cannot be applied directly to the Internet as a whole.
In terms of network scalability, the network nodes in the LAN of the above method must have a unified structure in their management software. If network nodes with different management software exist, the operations system on the source station side must add a conversion module for each kind of management software and generate different configuration files to suit their format requirements, and the source station must distinguish the network nodes that use different management software and issue different configuration files to them. When the management software in use on the LAN's network nodes exceeds a certain order of magnitude, the operation and configuration procedures of the operations system become extremely complex and the maintenance cost rises sharply.
After the operations system issues the configuration file and the network node obtains the ACL by parsing it, the network node has to be reloaded or hot-restarted. In a LAN with heavy traffic, a reload or hot restart is likely to cause the network QPS (queries per second) to drop momentarily and the CPU usage of the servers on the network node side to rise momentarily to its maximum. Moreover, a reload or hot restart carries a risk of failure; a failure can cause an avalanche effect that paralyzes the LAN and disrupts users' normal access.
Summary of the invention
The purpose of this application is to provide an access control method and a network node for access control.
To achieve the above purpose, this application discloses an access control method, which includes: a network node receives an HTTP access request sent by a client and identifies the Referer field in the HTTP access request, the Referer field containing the resource identifier that the request accesses; the network node matches the resource identifier that the request accesses against one or more groups of access control lists, where the one or more groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, and each group of access control lists includes a controlled resource identifier and the allow/deny flag of that controlled resource identifier; when the resource identifier that the request accesses matches a controlled resource identifier, the network node obtains the allow/deny flag of the controlled resource identifier and, according to that flag, sends an HTTP access response allowing or denying access to the client that sent the HTTP access request.
Further, each group of access control lists also includes a match flag for the controlled resource identifier. In any group, when the match flag is set to standard match, the controlled resource identifier covers all resource identifiers whose domain name is the controlled resource identifier; when it is set to extended match, the controlled resource identifier covers all resource identifiers whose host name contains the controlled resource identifier; when it is set to match-all, the controlled resource identifier is left at its default and covers all resource identifiers.
Further, the network node matching the resource identifier that the request accesses against one or more groups of access control lists includes: when there are multiple groups of access control lists, the network node matches them one by one in the order in which they are arranged and uses the allow/deny flag of the first controlled resource identifier matched as the matching result, on which the HTTP access response allowing or denying access is sent to the client that sent the HTTP access request.
Further, when the multiple groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, the entries in the multiple groups whose controlled resource identifier and allow/deny flag are both identical are merged.
Further, when the resource identifier that the request accesses matches no controlled resource identifier, or the access control list is identified as empty, an HTTP access response allowing access is sent for the HTTP access request that the client sent to the network node for the source station.
Further, the network node identifying the Referer field in the HTTP access request includes: if the network node finds no Referer field in the HTTP access request, or finds the Referer field empty, it directly decides to send the client an HTTP access response allowing access.
Further, the network node identifying the Referer field in the HTTP access request includes: if the network node finds that the resource identifier carried in the Referer field of the HTTP access request is not a resource identifier in valid syntax, it sends the client an HTTP access response denying access; a resource identifier in valid syntax includes a universal resource identifier beginning with HTTP or HTTPS.
Further, the HTTP access response allowing access includes the status information 200 OK; the HTTP access response denying access includes the status information 403 Forbidden.
Further, the network node receiving the HTTP access request sent by the client and identifying the Referer field in the HTTP access request includes: the network node receives the HTTP access request sent by the client and identifies whether the resource file requested by the HTTP access request exists; if the resource file exists, it identifies whether the resource file has expired and identifies the Referer field in the HTTP access request; if the resource file does not exist, the network node triggers the source station to check whether the source station itself holds the resource file; when the source station finds that it holds the resource file, the network node receives from the source station the resource file, an expiration time, and an acquisition confirmation response carrying the access control list in its extension header field, identifies whether the resource file has expired, and identifies the Referer field in the HTTP access request; when the source station finds that it does not hold the resource file, the network node receives the acquisition failure response sent by the source station and sends that acquisition failure response to the client that sent the HTTP access request.
Further, identifying whether the resource file has expired and identifying the Referer field in the HTTP access request includes: identifying whether the resource file has expired; if the resource file has not expired, the network node identifies the Referer field in the HTTP access request; if the resource file has expired, the network node sends an acquisition request to the source station that issued the resource file, and the acquisition request triggers the source station to check whether the resource file has been updated; when the source station finds that the resource file has been updated, the network node receives from the source station an acquisition confirmation response carrying the access control list in its extension header field, together with the updated resource file and an expiration time, and identifies the Referer field in the HTTP access request; when the source station finds that the resource file has not been updated, the network node receives from the source station an acquisition failure response carrying the access control list in its extension header field, together with a new expiration time, and identifies the Referer field in the HTTP access request.
Further, the acquisition request includes an If-Modified-Since request; the acquisition confirmation response includes the status information 200 OK; the acquisition failure response includes the status information 304 Not Modified or 404 Not Found.
Further, the HTTP access response allowing or denying access that the network node sends to the client that sent the HTTP access request also has the extension header field carrying the access control list.
To achieve the above purpose, this application also discloses a network node for access control, including: a network receiving module, a resource matching module, one or more groups of access control lists, and an access control module. The one or more groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, and each group of access control lists includes a controlled resource identifier and the allow/deny flag of that controlled resource identifier. The network receiving module is configured to receive the HTTP access request sent by a client and identify the Referer field in the HTTP access request, the Referer field containing the resource identifier that the request accesses. The resource matching module is configured to match the resource identifier that the request accesses against the one or more groups of access control lists. The access control module is configured, when the resource matching module matches the resource identifier that the request accesses to a controlled resource identifier, to obtain the allow/deny flag of the controlled resource identifier and, according to that flag, send an HTTP access response allowing or denying access to the client that sent the HTTP access request.
Further, each group of access control lists also includes a match flag for the controlled resource identifier. When the match flag is set to standard match, the controlled resource identifier covers all resource identifiers whose domain name is the controlled resource identifier; when it is set to extended match, the controlled resource identifier covers all resource identifiers whose host name contains the controlled resource identifier; when it is set to match-all, the controlled resource identifier is left at its default and covers all resource identifiers.
Further, the resource matching module is configured, when there are multiple groups of access control lists, to match them one by one in the order in which they are arranged and to use the allow/deny flag of the first controlled resource identifier matched as the matching result, on which the HTTP access response allowing or denying access is sent to the client that sent the HTTP access request.
Further, when the multiple groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, the entries in the multiple groups whose controlled resource identifier and allow/deny flag are both identical are merged.
Further, the access control module is configured, when the resource matching module matches the resource identifier that the request accesses to no controlled resource identifier, or the resource matching module identifies the access control list as empty, to send an HTTP access response allowing access for the HTTP access request that the client sent to the network node for the source station.
Further, the network receiving module is configured to notify the access control module when it finds no Referer field in the HTTP access request or finds the Referer field empty; the access control module is configured to send the client an HTTP access response allowing access.
Further, the network receiving module is configured to notify the access control module when it finds that the resource identifier carried in the Referer field of the HTTP access request is not a resource identifier in valid syntax, where a resource identifier in valid syntax includes a universal resource identifier beginning with HTTP or HTTPS; the access control module is configured to send the client an HTTP access response denying access.
Further, the network receiving module is configured to receive the HTTP access request sent by the client and identify whether the resource file requested by the HTTP access request exists; when the resource file exists, to further identify whether the resource file has expired and identify the Referer field in the HTTP access request; when the resource file does not exist, to further trigger the source station to check whether the source station itself holds the resource file; when the source station finds that it holds the resource file, to receive from the source station the resource file, an expiration time, and an acquisition confirmation response carrying the access control list in its extension header field, identify whether the resource file has expired, and identify the Referer field in the HTTP access request; and when the source station finds that it does not hold the resource file, to receive the acquisition failure response sent by the source station and notify the access control module. The access control module is configured to send the acquisition failure response to the client that sent the HTTP access request.
Further, the network receiving module is configured to identify whether the resource file requested by the HTTP access request has expired; if the resource file has not expired, to identify the Referer field in the HTTP access request; if the resource file has expired, to send an acquisition request to the source station that issued the resource file, the acquisition request triggering the source station to check whether the resource file has been updated; when the source station finds that the resource file has been updated, to receive from the source station an acquisition confirmation response carrying the access control list in its extension header field, together with the updated resource file and an expiration time, and identify the Referer field in the HTTP access request; and when the source station finds that the resource file has not been updated, to receive from the source station an acquisition failure response carrying the access control list in its extension header field, together with a new expiration time, and identify the Referer field in the HTTP access request.
Compared with the prior art, this application can achieve the following technical effects:
The application is based on the HTTP protocol and can be implemented by adding a standard field to the header of the HTTP response message, so it is compatible with different network nodes in a network.
The scheme of this application no longer depends on the operations system. The network nodes only need to handle the header field uniformly according to the HTTP protocol; the ACL of the source station can be issued directly to each network node and take effect across the entire Internet, and access control is completed without the help of any additional system.
Network nodes can be added or removed at any time, independently of the management software running on them. Because the issuing and taking effect of the ACL rely on HTTP signaling, the ACL of the source station takes effect once it is issued to a network node, regardless of whether the management software running on the network nodes in the network is a mixture of several kinds.
The ACL of the source station takes effect once it is issued to a network node; the network node no longer has to be reloaded or hot-restarted for the ACL to take effect, which avoids the risk of network paralysis caused by a change to the source station's ACL.
Of course, a product implementing this application does not necessarily need to achieve all of the above technical effects at the same time.
Description of the drawings
The accompanying drawings described here are provided for a further understanding of this application and form part of it. The illustrative embodiments of this application and their descriptions are used to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of an access control method according to an embodiment of this application;
Fig. 2 is a flowchart of another access control method according to an embodiment of this application;
Fig. 3 is a flowchart of another access control method according to an embodiment of this application;
Fig. 4 is a structural diagram of a network node for access control according to an embodiment of this application.
Detailed description
The embodiments of this application are described in detail below with reference to the drawings and examples, so that the process by which the application applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined here, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Description of embodiments
The implementation of the method of this application is further described below with an embodiment. Fig. 1 is a flowchart of an access control method according to an embodiment of this application. The method includes:
Step S100: the network node receives the HTTP access request sent by the client and identifies the Referer field in the HTTP access request, the Referer field containing the resource identifier that the request accesses.
The client inserts the Referer field into the header of the HTTP access request by default, and the network node can use the Referer field to obtain the resource identifier that the request accesses, record logs, optimize caching, and so on. In this embodiment the resource identifier generally refers to a URI (universal resource identifier), and the network node generally refers to a cache server between the source station and the client; there may be one or more levels of such cache servers. Note that the source station is itself a kind of network node: it is the superior node of the network node.
Step S102: the network node matches the resource identifier that the request accesses against the access control list, where the access control list includes a controlled resource identifier and the allow/deny flag of that controlled resource identifier, and the access control list is added to the extension header field of the access control list response that the source station issues to the network node.
Before the access control list is used for matching in this step, the network node sends an access control list request to the source station, and the source station sends an access control list response to the network node, adding the access control list to the extension header field of that response. In this way the source station issues the access control list to the network node.
Step S104: when the resource identifier that the request accesses matches a controlled resource identifier, the network node obtains the allow/deny flag of the controlled resource identifier and, according to that flag, sends an HTTP access response allowing or denying access to the client that sent the HTTP access request.
When the resource identifier that the request accesses matches no controlled resource identifier, an HTTP access response allowing access is sent for the HTTP access request that the client sent to the network node for the source station.
The access control list is carried in the extension header field of the response that the source station sends to the network node. So that it can be carried, the following conventions are made for the format of the access control list. The access control list is explained below through an embodiment.
Structure of the extension header field and the access control list
First, an extension header field X-Referer-ACL is set in the header of the response that the source station sends to the network node; the content carried in the extension header field X-Referer-ACL is the access control list. Note that the extension header field X-Referer-ACL appears only in the various responses that the source station sends to the network node.
The extension header field X-Referer-ACL is described as follows:
X-Referer-ACL=X-Referer-ACL:ACTION TYPE PARAMS
PARAMS is the parameter field, which describes the controlled resource identifiers. It can record multiple controlled resource identifiers, separated by a delimiter (for example a Western comma).
ACTION is the allow/deny flag and can take two values, ACTION = "A" | "D". The character A means allow (Allow ALL): access requests for the controlled resource identifiers described in the PARAMS that follows are allowed. The character D means deny (Deny ALL): access requests for the controlled resource identifiers described in the PARAMS that follows are refused.
TYPE is the match flag and can take three values, TYPE = "*" | "1" | "2". The character 1 means standard match: the controlled resource identifier described in the PARAMS that follows covers all resource identifiers whose domain name is the controlled resource identifier, so during matching the resource identifier that the client requests, carried in the Referer field, is compared with all resource identifiers whose domain name is the controlled resource identifier. The character 2 means extended match: the controlled resource identifier described in the PARAMS that follows covers all resource identifiers whose host name contains the controlled resource identifier, which extends the controlled resource identifier to a very large coverage area, so during matching the resource identifier that the client requests, carried in the Referer field, is compared with all resource identifiers whose host name contains the controlled resource identifier. The character * means match-all: when TYPE is *, the controlled resource identifier recorded in PARAMS is left at its default, meaning that the controlled resource identifier covers all resource identifiers, so during matching the resource identifier that the client requests, carried in the Referer field, is certain to hit.
First-match rule and one-by-one matching rule
The extension header field X-Referer-ACL set in the header of the response that the source station sends to the network node may contain multiple groups of access control lists. Each group includes the parameters ACTION TYPE PARAMS, and the groups are separated by a separator (for example a Western semicolon). When there are multiple groups, it is quite possible that two groups give different allow/deny flags for the same controlled resource identifier; for example, for the same URI the first group denies access and the second group allows it. To avoid such inconsistent matching results and their effect on access control, this embodiment applies the first-match rule and the one-by-one matching rule: the network node matches the groups one by one in the order in which they are arranged and uses the allow/deny flag of the first controlled resource identifier matched as the matching result, on which it sends the HTTP access response allowing or denying access to the client that sent the HTTP access request. If the same controlled resource identifier is matched again in a later group, that match is disregarded, because it may give a different result. This way of matching greatly reduces logical complexity and is easy to operate. Another possible case is that the same controlled resource identifier is matched again in a later group with the same result as the first match. To reduce the number of entries to be matched, the entries in the multiple groups whose controlled resource identifier and allow/deny flag are both identical can be merged, which greatly reduces both the number of entries and the number of matching operations, lowering overhead and improving matching efficiency.
The extension header field and the access control lists are illustrated below with an application example.
Here is a configuration example of the extension header field X-Referer-ACL:
X-Referer-ACL: A 1 A.B.taobao.com;D 1 B.taobao.com;A 1 taobao.com,taobaocdn.com;D*
The extension header field X-Referer-ACL above contains four groups of access control lists. The first group, A 1 A.B.taobao.com, allows access requests for the domain name A.B.taobao.com. The second group, D 1 B.taobao.com, denies access requests for the domain name B.taobao.com. The third group, A 1 taobao.com,taobaocdn.com, allows access requests for the domain names taobao.com and taobaocdn.com. The fourth group, D*, taken alone means that this network node denies any client's access request for all resource identifiers. The first-match rule and the one-by-one matching rule must be considered here, however: the first three groups come first, so their access control takes effect first for any match that hits them, and the fourth group does not affect the access control of the first three groups. The fourth group can therefore be read as: this network node denies any client's access request for any resource identifier other than those in the first three groups. Clearly, the all-match flag is usually not used on its own for access control; under the first-match and one-by-one matching rules it works together with the other access control lists.
The implementation of the method of this application is further described below with another embodiment. Fig. 2 is a flow chart of another access control method of an embodiment of this application. The method includes:
Step S200: the network node receives the HTTP access request sent by the client.
Step S201: the network node identifies the Referer field in the HTTP access request. If the field is recognized, step S203 is executed; if it cannot be found or the Referer field is empty, step S202 is executed.
Step S202: the network node finds no Referer field, or the Referer field is empty. It directly decides to send the client an HTTP access response that allows access, and the flow ends.
The HTTP access response that allows access includes the status information 200 OK.
Step S203: the network node identifies the resource identifier that the request accesses, carried in the Referer field.
Step S204: if the network node identifies that the resource identifier carried in the Referer field is a resource identifier in valid syntax format, step S206 is executed; if it is not in valid syntax format, step S205 is executed.
A resource identifier in valid syntax format includes a uniform resource identifier beginning with HTTP or HTTPS. An incorrect syntax format would cause errors in the access control matching of the later steps, and even if access were granted it would cause domain name resolution to go wrong. Checking the syntax format therefore effectively avoids wasting resources on subsequent operations and propagating the error. Note that in this embodiment the syntax format uses lower case by default; the application is of course not limited to this.
Step S205: the network node sends the client an HTTP access response that denies access, and the flow ends.
The HTTP access response that denies access includes the status information 403 forbidden.
Step S206: the network node checks whether the source station of the resource identifier that the client requests to access has issued an access control list. If none has been issued, the access control list is identified as empty and step S207 is executed; if one has been issued, step S208 is executed.
If the network node has requested the access control list from the source station in advance, the source station issues an access control list response to the network node, and the access control list is added to the extension header field X-Referer-ACL of that response. As described above, the extension header field X-Referer-ACL may carry one or more groups of access control lists, and each group includes a controlled resource identifier, the allow/deny flag of that controlled resource identifier, and a match flag.
Step S207: for the HTTP access request that the client sent to the network node for the source station, the network node decides to send the client an HTTP access response that allows access, and the flow ends.
If the source station has not issued an access control list, the source station unconditionally allows access requests from any client for any domain name. The HTTP access response that allows access includes the status information 200 OK.
Step S208: the network node matches the resource identifier that the request accesses against the one or more groups of access control lists. When the resource identifier matches a controlled resource identifier, the network node obtains the allow/deny flag of that controlled resource identifier; if a deny flag is obtained, step S209 is executed, and if an allow flag is obtained, step S210 is executed. When the resource identifier matches no controlled resource identifier, step S210 is also executed.
Step S209: the network node sends the client an HTTP access response that denies access, and the flow ends.
The HTTP access response that denies access includes the status information 403 forbidden.
Step S210: the network node sends the client an HTTP access response that allows access, and the flow ends.
The HTTP access response that allows access includes the status information 200 OK.
Note that in steps S202, S205, S207, S209 and S210 above, the HTTP access response allowing or denying access that the network node returns to the client may carry the extension header field containing the access control list; the HTTP access response may also omit the extension header field.
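The X-Referer-ACL example and the decision flow of steps S201 to S210 above, put together as an added Python example that is not part of the patent text. The function names are hypothetical, and the code assumes that TYPE 1 is the standard match (the Referer host equals a listed domain) and that * is the all-match flag; other TYPE values are rejected because this passage does not show their tokens.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOW, DENY = "A", "D"


@dataclass(frozen=True)
class AclGroup:
    action: str               # "A" (allow) or "D" (deny)
    match_type: str           # "1" (assumed: standard match) or "*" (all match)
    params: Tuple[str, ...]   # controlled resource identifiers, lower-cased


def parse_acl(header_value: str) -> List[AclGroup]:
    """Parse an X-Referer-ACL value: groups of 'ACTION TYPE PARAMS' split by ';'."""
    groups = []
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        action, rest = raw[0].upper(), raw[1:].strip()
        if action not in (ALLOW, DENY):
            raise ValueError(f"unknown ACTION in group {raw!r}")
        if rest == "*":                      # accepts both 'D*' and 'D *'
            groups.append(AclGroup(action, "*", ()))
            continue
        parts = rest.split(None, 1)
        if len(parts) != 2 or parts[0] != "1":
            raise ValueError(f"unsupported TYPE in group {raw!r}")
        params = tuple(p.strip().lower() for p in parts[1].split(",") if p.strip())
        if not params:
            raise ValueError(f"empty PARAMS in group {raw!r}")
        groups.append(AclGroup(action, "1", params))
    return groups


def referer_host(referer: str) -> Optional[str]:
    """Return the lower-cased host of an http/https Referer, or None if invalid."""
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host


def decide(referer: Optional[str], acl_header: Optional[str]) -> int:
    """Return the HTTP status the network node answers with (200 or 403)."""
    # S201/S202: no Referer field, or an empty one, is allowed outright.
    if referer is None or referer.strip() == "":
        return 200
    # S203-S205: the Referer must be a syntactically valid http/https URI.
    host = referer_host(referer)
    if host is None:
        return 403
    # S206/S207: no list issued by the source station means allow.
    groups = parse_acl(acl_header) if acl_header else []
    if not groups:
        return 200
    # S208-S210: walk the groups in order; the first group that matches decides.
    for group in groups:
        if group.match_type == "*" or host in group.params:
            return 200 if group.action == ALLOW else 403
    # S208 -> S210: nothing matched, so access is allowed.
    return 200


# The header value from the configuration example above.
EXAMPLE_ACL = "A 1 A.B.taobao.com;D 1 B.taobao.com;A 1 taobao.com,taobaocdn.com;D*"

if __name__ == "__main__":
    for ref in ("http://a.b.taobao.com/p", "https://b.taobao.com/",
                "https://example.org/", "ftp://taobao.com/", ""):
        print(repr(ref), decide(ref, EXAMPLE_ACL))
```

Because a missing Referer, an absent list and an unmatched host all end in 200, only a final D* group makes the list default-deny, and requests that carry no Referer field still pass.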
The implementation of the method of this application is further described below with another embodiment. Fig. 3 is a flow chart of another access control method of an embodiment of this application. Based on the embodiment shown in Fig. 2, the method includes the following between steps S200 and S201:
Step S200: the network node receives the HTTP access request sent by the client.
Step S2000: the network node identifies whether the resource file requested by the HTTP access request exists locally on the network node. If it does not exist, step S2001 is executed; if it exists, step S2006 is executed.
Step S2001: the resource file does not exist locally on the network node, so the network node sends a request to the source station, which triggers the source station to look up the resource file.
Step S2002: when the source station detects that it has the resource file, step S2005 is executed; when the source station detects that it does not have the resource file, step S2003 is executed.
Step S2003: the network node receives the acquisition failure response sent by the source station.
The source station does not have the resource file requested by the client either, so it sends an acquisition failure response to the network node. The acquisition failure response includes the status information 404 not found.
Step S2004: the network node sends the acquisition failure response to the client that sent the HTTP access request, and the flow ends.
After receiving the acquisition failure response sent by the source station, the network node also passes the acquisition failure response on to the client. The acquisition failure response includes the status information 404 not found.
Step S2005: the network node receives the resource file sent by the source station and the acquisition confirmation response that carries the access control list in the extension header field.
When the source station detects that it has the resource file, it issues the resource file to the network node for caching, so that when a client later requests the resource file again the network node can perform access control directly. Issued together with the resource file is the expiration time that the source station set for the resource file, which serves as the criterion for judging whether the resource file has expired. More importantly, along with the resource file and the expiration time, the source station also sends the acquisition confirmation response. An extension header field is inserted into the acquisition confirmation response and carries the access control list, for the network node to use for access control when a client requests the resource file. The acquisition confirmation response includes the status information 200 OK.
Clearly, when the resource file does not exist on the network node but exists at the source station, this is the first time the source station issues the resource file to the network node, and the access control list issued to the network node with the acquisition confirmation response is likewise issued for the first time. The issuing of the access control list is in essence triggered by a client's first request for the resource file. The access control list therefore does not need to be issued and configured in advance; it is obtained at the same time, as soon as a client requests the resource file from the source station.
Step S2006: the network node identifies whether the resource file cached locally on the network node has expired. If it has not expired, step S201 is executed; if it has expired, step S2007 is executed.
Step S2007: the network node sends an acquisition request to the source station that issued the resource file. The acquisition request triggers the source station to detect whether the resource file it stores has been updated.
The acquisition request includes an If-Modify-Since request, which is a GET-type request. The If-Modify-Since request is HTTP information that the network node sends to the source station, and it carries the expiration time of the resource file previously issued by the source station. Having received this expiration time, the source station can more easily judge whether the resource file cached at the network node has been updated.
Step S2008: if the resource file stored at the source station has not been updated, the resource file cached by the network node has not expired and can continue to be used, and step S2009 is executed. If the resource file stored at the source station has been updated, the resource file cached by the network node differs from the one stored at the source station, has expired and needs to be updated, and step S2010 is executed.
Step S2009: the network node receives from the source station the acquisition failure response that carries the access control list in the extension header field, together with a new expiration time, and executes step S201.
Whether the resource file was already cached on the network node or, as in step S2005, was newly issued and then cached on the network node, it carries an expiration time, and the network node judges from that expiration time whether the resource file has expired.
An extension header field is inserted into the acquisition failure response sent by the source station and carries the access control list, for the network node to use for access control when a client requests the resource file. The acquisition failure response includes the status information 304 Not Modified.
Step S2010: the network node receives from the source station the acquisition confirmation response that carries the access control list in the extension header field, together with the updated resource file and expiration time, and executes step S201.
The source station issues the resource file to the network node for caching, so that when a client later requests the resource file again the network node can perform access control directly. Issued together with the resource file is the expiration time that the source station set for the resource file, which serves as the criterion for judging whether the resource file has expired. An extension header field is inserted into the acquisition confirmation response sent by the source station and carries the access control list, for the network node to use for access control when a client requests the resource file. The acquisition confirmation response includes the status information 200 OK.
The flow relationship between step S200 and steps S201 to S210 is shown in Fig. 2; for the specific operation of each step, see the description of the embodiment corresponding to Fig. 2 above.
The implementation of this application is further described below with another embodiment. Fig. 4 is a structural diagram of a network node for access control of an embodiment of this application. The network node includes: a network receiving module 40, a resource matching module 42, one or more groups of access control lists 44, and an access control module 46.
The one or more groups of access control lists 44 are added to the extension header field of the access control list response that the source station issues to the network node. Each group of access control lists includes a controlled resource identifier and the allow/deny flag of that controlled resource identifier.
The network receiving module 40 is used to receive the HTTP access request sent by the client and to identify the Referer field in the HTTP access request; the Referer field includes the resource identifier that the request accesses.
The resource matching module 42 is used to match the resource identifier that the request accesses against the one or more groups of access control lists 44.
The access control module 46 is used, when the resource matching module 42 matches the resource identifier that the request accesses to a controlled resource identifier, to obtain the allow/deny flag of that controlled resource identifier and, according to that flag, to send an HTTP access response allowing or denying access to the client that sent the HTTP access request. When the resource matching module 42 matches the resource identifier that the request accesses to no controlled resource identifier, the access control module decides, for the HTTP access request that the client sent to the network node for the source station, to send an HTTP access response that allows access.
Each group of access control lists 44 further includes a match flag for the controlled resource identifier. When the match flag is set to the standard match flag, the controlled resource identifier covers all resource identifiers whose domain name is the controlled resource identifier. When it is set to the extended match flag, the controlled resource identifier covers all resource identifiers whose host name contains the controlled resource identifier. When it is set to the all-match flag, the controlled resource identifier is in its default state and covers all resource identifiers.
The extension header field X-Referer-ACL, set in the header of the response that the source station sends to the network node, may include multiple groups of access control lists. Each group includes the parameters ACTION TYPE PARAMS, and the groups are separated from one another by a separator (such as a Western semicolon). When there are multiple groups of access control lists, two groups may carry different allow/deny flags for the same controlled resource identifier; for example, for the same URI the first group denies access while the second group allows it. To avoid such inconsistent matching results and their effect on access control, the resource matching module 42 is further used to match against the groups one by one in the order in which they are arranged, and to take the allow/deny flag of the first controlled resource identifier matched as the matching result, according to which the HTTP access response allowing or denying access is sent to the client that sent the HTTP access request. If the same controlled resource identifier is matched again in a later access control list, a different matching result may occur, so later matches are disregarded.
Another case is also possible: the same controlled resource identifier is matched again in a later access control list with the same result as the first match. To reduce the number of entries to be matched, when the multiple groups of access control lists 44 are added to the extension header field of the access control list response that the source station issues to the network node, the parts of the multiple groups in which both the controlled resource identifier and its allow/deny flag are identical are merged. This greatly reduces the number of entries and the number of matching operations, lowers overhead, and improves matching efficiency.
If the network node has not locally received an access control list issued by the source station, the resource matching module 42 identifies the access control list as empty, and the access control module 46 directly decides, for the HTTP access request that the client sent to the network node for the source station, to send an HTTP access response that allows access.
Before matching against the access control lists, the following special cases may arise when identifying the Referer field, in which access control can be decided directly from the Referer field:
The network receiving module 40 is further used to notify the access control module 46 when it cannot find the Referer field in the HTTP access request or identifies that the Referer field is empty; the access control module 46 is used to send the client an HTTP access response that allows access.
The network receiving module 40 is further used to notify the access control module when it recognizes that the resource identifier carried in the Referer field of the HTTP access request is not a resource identifier in valid syntax format, where a resource identifier in valid syntax format includes a uniform resource identifier beginning with HTTP or HTTPS; the access control module 46 is used to send the client an HTTP access response that denies access.
Before the Referer field is identified, the network node can first identify whether the requested resource file is cached on it. The network receiving module 40 receives the HTTP access request sent by the client and identifies whether the resource file requested by the HTTP access request exists. When the resource file exists, it further identifies whether the resource file has expired and identifies the Referer field in the HTTP access request; identifying the Referer field is as described above. When the resource file does not exist, it further triggers the source station to detect whether the source station has the resource file. When the source station detects that it has the resource file, the network receiving module receives the resource file, the expiration time, and the acquisition confirmation response that carries the access control list in the extension header field, all sent by the source station, identifies whether the resource file has expired, and identifies the Referer field in the HTTP access request; identifying the Referer field is as described above. When the source station detects that it does not have the resource file, the network receiving module receives the acquisition failure response sent by the source station and notifies the access control module 46; the access control module 46 is used to send the acquisition failure response to the client that sent the HTTP access request.
When identifying whether the resource file has expired, the network receiving module 40 is further used, if the resource file has not expired, to identify the Referer field in the HTTP access request; and, if the resource file has expired, to send an acquisition request to the source station that issued the resource file, the acquisition request triggering the source station to detect whether the resource file has been updated. When the source station detects that the resource file has been updated, the network receiving module receives from the source station the acquisition confirmation response that carries the access control list in the extension header field, together with the updated resource file and expiration time, and identifies the Referer field in the HTTP access request. When the source station detects that the resource file has not been updated, the network receiving module receives from the source station the acquisition failure response that carries the access control list in the extension header field, together with a new expiration time, and identifies the Referer field in the HTTP access request.
The device corresponds to the method flow described above; for anything not covered here, refer to the description of the method flow, which is not repeated.
The above description shows and describes several preferred embodiments of this application. As stated earlier, it should be understood that the application is not limited to the forms disclosed herein, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be modified within the scope of the inventive concept described herein through the above teachings or the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of this application all fall within the protection scope of the appended claims.
Claims (21)
1. An access control method, characterized by comprising:
a network node receives an HTTP access request sent by a client and identifies the Referer field in the HTTP access request, the Referer field including the resource identifier that the request accesses;
the network node matches the resource identifier that the request accesses against one or more groups of access control lists, wherein the one or more groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, and each group of access control lists includes a controlled resource identifier and the allow/deny flag of that controlled resource identifier;
when the resource identifier that the request accesses matches a controlled resource identifier, the network node obtains the allow/deny flag of that controlled resource identifier and, according to that flag, sends an HTTP access response allowing or denying access to the client that sent the HTTP access request.
2. The access control method as described in claim 1, characterized in that
each group of access control lists further includes a match flag for the controlled resource identifier;
wherein, in any group of access control lists, when the match flag of the controlled resource identifier is set to the standard match flag, the controlled resource identifier covers all resource identifiers whose domain name is the controlled resource identifier; when the match flag of the controlled resource identifier is set to the extended match flag, the controlled resource identifier covers all resource identifiers whose host name contains the controlled resource identifier; and when the match flag of the controlled resource identifier is set to the all-match flag, the controlled resource identifier is in its default state and covers all resource identifiers.
3. The access control method as described in claim 1, characterized in that the network node matching the resource identifier that the request accesses against one or more groups of access control lists further comprises:
when there are multiple groups of access control lists, the network node matches against them one by one in the order in which the groups are arranged, and takes the allow/deny flag of the first controlled resource identifier matched as the matching result, according to which the HTTP access response allowing or denying access is sent to the client that sent the HTTP access request.
4. The access control method as described in claim 1, characterized in that
when the multiple groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, the parts of the multiple groups in which both the controlled resource identifier and its allow/deny flag are identical are merged.
5. The access control method as described in claim 1, characterized in that
when the resource identifier that the request accesses matches no controlled resource identifier, or the access control list is identified as empty, it is decided, for the HTTP access request that the client sent to the network node for the source station, to send an HTTP access response that allows access.
6. The access control method as described in claim 1, characterized in that the network node identifying the Referer field in the HTTP access request further comprises:
if the network node cannot find the Referer field in the HTTP access request or identifies that the Referer field is empty, it directly decides to send the client an HTTP access response that allows access.
7. The access control method as described in claim 1, characterized in that the network node identifying the Referer field in the HTTP access request further comprises:
if the network node recognizes that the resource identifier carried in the Referer field of the HTTP access request is not a resource identifier in valid syntax format, it sends the client an HTTP access response that denies access;
a resource identifier in valid syntax format includes a uniform resource identifier beginning with HTTP or HTTPS.
8. The access control method as described in claim 1, characterized in that
the HTTP access response that allows access includes the status information 200 OK;
the HTTP access response that denies access includes the status information 403 forbidden.
9. The access control method as described in claim 1, characterized in that the network node receiving the HTTP access request sent by the client and identifying the Referer field in the HTTP access request further comprises:
the network node receives the HTTP access request sent by the client and identifies whether the resource file requested by the HTTP access request exists;
if the resource file exists, it identifies whether the resource file has expired and identifies the Referer field in the HTTP access request;
if the resource file does not exist, the network node triggers the source station to detect whether the source station has the resource file; when the source station detects that it has the resource file, the network node receives the resource file, the expiration time, and the acquisition confirmation response that carries the access control list in the extension header field, all sent by the source station, identifies whether the resource file has expired, and identifies the Referer field in the HTTP access request; when the source station detects that it does not have the resource file, the network node receives the acquisition failure response sent by the source station and sends the acquisition failure response to the client that sent the HTTP access request.
10. The access control method as claimed in claim 9, characterized in that identifying whether the resource file has expired and identifying the Referer field in the HTTP access request further comprises:
identifying whether the resource file has expired;
if the resource file has not expired, the network node identifies the Referer field in the HTTP access request;
if the resource file has expired, the network node sends an acquisition request to the source station that issued the resource file, the acquisition request triggering the source station to detect whether the resource file has been updated; when the source station detects that the resource file has been updated, the network node receives from the source station the acquisition confirmation response that carries the access control list in the extension header field, together with the updated resource file and expiration time, and identifies the Referer field in the HTTP access request; when the source station detects that the resource file has not been updated, the network node receives from the source station the acquisition failure response that carries the access control list in the extension header field, together with a new expiration time, and identifies the Referer field in the HTTP access request.
11. The access control method as claimed in claim 10, characterized in that
the acquisition request includes an If-Modify-Since request;
the acquisition confirmation response includes the status information 200 OK;
the acquisition failure response includes the status information 304 Not Modified or 404 not found.
12. The access control method as described in claim 1, characterized in that
the HTTP access response allowing or denying access that the network node sends to the client that sent the HTTP access request also has the extension header field carrying the access control list.
13. A network node for access control, characterized by comprising: a network receiving module, a resource matching module, one or more groups of access control lists, and an access control module;
the one or more groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, and any group of access control list includes a controlled resource identifier and a permission/refusal flag of the controlled resource identifier;
the network receiving module is used for receiving the HTTP access request sent by a client and identifying the referer field in the HTTP access request, the referer field including the resource identifier that the request accesses;
the resource matching module is used for matching the resource identifier that the request accesses against the one or more groups of access control lists;
the access control module is used for, when the resource matching module matches a controlled resource identifier according to the resource identifier that the request accesses, obtaining the permission/refusal flag of the controlled resource identifier and, according to that permission/refusal flag, sending an HTTP access response permitting/denying access to the client that issued the HTTP access request.
14. The network node as claimed in claim 13, characterized in that:
any group of access control list further includes a matching flag of the controlled resource identifier; when the matching flag of the controlled resource identifier is set to the standard matching flag, the controlled resource identifier covers all resource identifiers whose domain name is the controlled resource identifier; when the matching flag of the controlled resource identifier is set to the extended matching flag, the controlled resource identifier covers all resource identifiers whose host name contains the controlled resource identifier; when the matching flag of the controlled resource identifier is set to the match-all flag, the controlled resource identifier is in the default state and covers all resource identifiers.
15. The network node as claimed in claim 13, characterized in that:
the resource matching module is further used for, when there are multiple groups of access control lists, matching them one by one in the order in which the multiple groups of access control lists are arranged, and taking the permission/refusal flag of the first controlled resource identifier matched as the matching result, according to which the HTTP access response permitting/denying access is sent to the client that issued the HTTP access request.
16. The network node as claimed in claim 13, characterized in that:
when the multiple groups of access control lists are added to the extension header field of the access control list response that the source station issues to the network node, the parts of the multiple groups of access control lists in which the controlled resource identifier and the permission/refusal flag of the controlled resource identifier are all identical are merged.
17. The network node as claimed in claim 13, characterized in that:
the access control module is used for, when the resource matching module fails to match a controlled resource identifier according to the resource identifier that the request accesses, or when the resource matching module identifies that the access control list is empty, sending an HTTP access response allowing access in reply to the HTTP access request, directed at the source station, that the client sent to the network node.
18. The network node as claimed in claim 13, characterized in that:
the network receiving module is further used for notifying the access control module when it cannot identify a referer field in the HTTP access request or identifies that the referer field is empty;
the access control module is used for sending an HTTP access response allowing access to the client.
19. The network node as claimed in claim 13, characterized in that:
the network receiving module is further used for notifying the access control module upon recognizing that the requested resource identifier carried in the referer field of the HTTP access request is not a resource identifier in a valid syntax format, wherein a resource identifier in a valid syntax format includes a uniform resource identifier beginning with HTTP or HTTPS;
the access control module is used for sending an HTTP access response denying access to the client.
20. The network node as claimed in claim 13, characterized in that:
the network receiving module is further used for receiving the HTTP access request sent by the client and identifying whether the resource file requested by the HTTP access request exists; when the resource file exists, further identifying whether the resource file is expired and identifying the referer field in the HTTP access request; when the resource file does not exist, further triggering the source station to detect whether it holds the resource file; when the source station detects that it holds the resource file, receiving from the source station the resource file, the expiration time, and an acquisition confirmation response carrying the access control list in its extension header field, identifying whether the resource file is expired, and identifying the referer field in the HTTP access request; when the source station detects that it does not hold the resource file, receiving the acquisition failure response sent by the source station and notifying the access control module;
the access control module is used for sending the acquisition failure response to the client that issued the HTTP access request.
21. The network node as claimed in claim 20, characterized in that:
the network receiving module is further used for identifying whether the resource file requested by the HTTP access request is expired; if the resource file is not expired, identifying the referer field in the HTTP access request; if the resource file is expired, sending an acquisition request to the source station that issued the resource file, the acquisition request triggering the source station to detect whether the resource file has been updated; when the source station detects that the resource file has been updated, receiving from the source station an acquisition confirmation response carrying the access control list in its extension header field, together with the updated resource file and its expiration time, and identifying the referer field in the HTTP access request; when the source station detects that the resource file has not been updated, receiving from the source station an acquisition failure response carrying the access control list in its extension header field, together with a new expiration time, and identifying the referer field in the HTTP access request.
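The decision logic of claims 13 to 19, as an added Python example that is not part of the patent text. The tuple layout, the mode names, the function names and the sample policy are assumptions made for illustration, and "host name contains" in claim 14 is read here as a plain substring test.

```python
from urllib.parse import urlsplit

# Hypothetical in-memory form of one ACL group: (controlled_id, match_mode, allow).
STANDARD, EXTENDED, ALL = "standard", "extended", "all"


def referer_host(referer):
    """Return the lower-cased host of a valid http(s) referer, else None."""
    try:
        parts = urlsplit(referer.strip())
    except ValueError:               # e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def entry_matches(controlled_id, mode, host):
    controlled_id = controlled_id.lower()
    if mode == ALL:                  # default state: covers every identifier
        return True
    if mode == STANDARD:             # domain name is the controlled identifier
        return host == controlled_id
    if mode == EXTENDED:             # host name contains the controlled identifier
        # Assumed reading: plain substring. This also matches hosts that merely
        # embed the string; a label-boundary suffix check would be stricter.
        return controlled_id in host
    raise ValueError(f"unknown match mode: {mode!r}")


def decide(referer, acl_groups):
    """Return True to allow, False to deny (claims 13 to 19)."""
    if referer is None or not referer.strip():
        return True                  # claim 18: missing or empty referer
    host = referer_host(referer)
    if host is None:
        return False                 # claim 19: not a valid http/https identifier
    for controlled_id, mode, allow in acl_groups:   # claim 15: first match wins
        if entry_matches(controlled_id, mode, host):
            return allow
    return True                      # claim 17: empty list or no match


# Constructed sample policy: allow one site and its sub-domains, deny the rest.
SAMPLE_ACL = [
    ("www.example.com", STANDARD, True),
    ("example.com", EXTENDED, True),
    ("", ALL, False),
]
```

Because the referer field is supplied by the client, a decision made this way limits hotlinking by ordinary browsers and is not an authentication check.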
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410719569.3A CN105635235B (en) | 2014-12-01 | 2014-12-01 | access control method and network node for access control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105635235A CN105635235A (en) | 2016-06-01 |
CN105635235B true CN105635235B (en) | 2018-10-09 |
Family
ID=56049711
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410719569.3A Active CN105635235B (en) | 2014-12-01 | 2014-12-01 | access control method and network node for access control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105635235B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107623662B (en) * | 2016-07-15 | 2021-06-01 | 阿里巴巴集团控股有限公司 | Access control method, device and system |
CN106210104B (en) * | 2016-07-21 | 2019-07-05 | 北京百度网讯科技有限公司 | The screen method and device of file resource |
CN107483483A (en) * | 2017-08-31 | 2017-12-15 | 中国农业银行股份有限公司 | The customer information access control method and device of a kind of financial circles information system |
CN109977693A (en) * | 2019-03-08 | 2019-07-05 | 北京椒图科技有限公司 | A kind of generation method and device of forced symmetric centralization rule |
CN109921935A (en) * | 2019-03-12 | 2019-06-21 | 北京百度网讯科技有限公司 | Method and apparatus for sending information |
CN110708328B (en) * | 2019-10-16 | 2022-04-05 | 南京焦点领动云计算技术有限公司 | Website static resource anti-stealing link method |
CN113329404B (en) * | 2021-05-27 | 2022-11-22 | 中国联合网络通信集团有限公司 | Network access method and device |
CN113141260B (en) * | 2021-06-22 | 2021-09-28 | 深圳市光联世纪信息科技有限公司 | Secure access method, system and equipment based on software-defined wide area network (SD-WAN) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101188558A (en) * | 2007-12-07 | 2008-05-28 | 杭州华三通信技术有限公司 | Access control method, unit and network device |
US7840542B2 (en) * | 2006-02-06 | 2010-11-23 | International Business Machines Corporation | Method and system for controlling access to semantic web statements |
CN102447677A (en) * | 2010-09-30 | 2012-05-09 | 北大方正集团有限公司 | Resource access control method, system and equipment |
CN102833236A (en) * | 2012-08-13 | 2012-12-19 | 北京百度网讯科技有限公司 | Control method and device of reference authority of network resources |
CN103248506A (en) * | 2012-02-08 | 2013-08-14 | 华为终端有限公司 | Right control method of device management and terminal |
Also Published As
Publication number | Publication date |
---|---|
CN105635235A (en) | 2016-06-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||