CN107623662A - The control method of access, device and system - Google Patents

Publication number: CN107623662A
Authority: CN (China)
Prior art keywords: access; restricted information; request; access request; user
Legal status: Granted
Application number: CN201610559869.9A
Other languages: Chinese (zh)
Other versions: CN107623662B (en)
Inventors: 祁海, 向西西, 闵庆欢, 阚俊宝
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an access control method, device and system. The method includes: receiving an access request; reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and determining the response content according to the access restriction information. The invention solves the technical problem of the prior art, in which access control is performed by a proxy or origin server and, because the configuration of each proxy or origin server differs, there is no unified access control management across the whole internet system.

Description

Access control method, device and system
Technical field
The present invention relates to the internet field, and in particular to an access control method, device and system.
Background technology
With the gradual development of the internet, the objects managed by network management systems have become increasingly complex, and the security of network management systems has drawn more attention. Access control is one of the key security problems of the whole network management system. Access control prevents unauthorized access to any resource, so that the computer system is used only within the scope of legitimate access; it is generally used by system administrators to control user access to network resources such as servers, directories and files.
Among current technical means, HTTP RFC 2616 describes the Referer field, which serves a certain access-control purpose. For regional control of the content copyright a user may access, the common implementation is that a proxy or origin server maps IP addresses to regions in order to confirm whether the user's identity meets the viewing requirement, as shown in Fig. 1. The specific implementation steps are as follows:
1) The proxy server configures a copyright region policy, for example country_visit_map{CH:1;US:0} (meaning users in the China region may watch and users in the US region may not);
2) The proxy server looks up the user's IP address and obtains the region where the user is located;
3) The policy is matched to obtain the user's access rights;
4) The result is returned to the user according to the rights: if the user has access rights, forwarding continues; otherwise the user is directly told that there is no copyright.
Although this scheme ultimately achieves regional copyright control, it has the following problems:
1) The technical means as a whole is not associated with the HTTP protocol itself. In the network, every proxy or origin server can implement it entirely according to its own idea and freely define the mapping between IP addresses and copyright, so the corresponding configurations differ.
2) In existing methods, when the web page or video content a user accesses is restricted for viewing, the user is generally just prompted directly, for example "not suitable for minors"; or, in content search, results are simply classified by a coarse category such as "juvenile" and are not further displayed according to finer age ranges.
3) In existing methods there is no unified standard for content control on the internet, so each vendor implements it differently and extensibility is poor.
Moreover, at present the type and level of internet access content is typically handled by prompting the user and letting the user confirm whether to access it; the display of content cannot be flexibly controlled, and there is also a certain amount of over-blocking.
For the problem in the prior art that access control is performed by a proxy or origin server and, because the configuration of proxy or origin servers differs, there is no unified access control management across the whole internet system, no effective solution has yet been proposed.
Summary of the invention
Embodiments of the invention provide an access control method, device and system, to at least solve the technical problem of the prior art, in which access control is performed by a proxy or origin server and, because the configuration of proxy or origin servers differs, there is no unified access control management across the whole internet system.
According to one aspect of the embodiments of the invention, an access control method is provided, including: receiving an access request; reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and determining the response content according to the access restriction information.
According to another aspect of the embodiments, an access control device is also provided, including: a receiving module for receiving an access request; a reading module for reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and a first determining module for determining the response content according to the access restriction information.
According to another aspect of the embodiments, an access control method is also provided, including: a client terminal sends an access request, where the access request includes a control field used to perform access control; the client terminal receives the response message returned by the server in response to the access request, where the server reads the access restriction information carried in the control field of the access request and determines the response content according to the access restriction information, the access restriction information being the content required to restrict access to the target object.
According to another aspect of the embodiments, an access control system is also provided, including: a client for sending an access request; and a server, in correspondence with the client, for reading the access restriction information carried in the access request and determining the response content according to it, where the access restriction information is the content required to restrict access to the target object.
In the embodiments of the invention, after an access request is received, the access restriction information in the access request can be read and the response content to be returned determined according to it. This scheme determines the corresponding response content from the access restriction information read from the access request, thereby achieving controlled management of the resources users access.
It is easy to note that, because access restriction information can be added to the access request according to a unified rule, different proxy servers or origin servers that receive the same access request determine the same response content according to the access restriction information read from the request, rather than determining the response content according to their own configuration. This provides an access control standard within the HTTP protocol, unifies access control, and improves the compatibility of management systems. Therefore, the scheme provided by the embodiments of the application can extend multiple types of management control in a customized way while providing one standard in the HTTP protocol, achieving unified access control and improved compatibility of management systems.
Thus, the scheme provided by the invention solves the technical problem of the prior art, in which access control is performed by a proxy or origin server and, because the configuration of proxy or origin servers differs, there is no unified access control management across the whole internet system.
Brief description of the drawings
The accompanying drawings described herein are provided for a further understanding of the invention and form part of the application; the schematic embodiments of the invention and their description explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a flow chart of an access control method according to the prior art;
Fig. 2 is a hardware block diagram of a computer terminal for an access control method according to an embodiment of the application;
Fig. 3 is a flow chart of an access control method according to Embodiment 1 of the application;
Fig. 4 is a flow chart of an optional access control method according to Embodiment 1 of the application;
Fig. 5 is an interaction diagram of an optional access control method according to Embodiment 1 of the application;
Fig. 6 is a schematic diagram of an access control device according to Embodiment 2 of the application;
Fig. 7 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 8 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 9 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 10 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 11 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 12 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 13 is a schematic diagram of an optional access control device according to Embodiment 2 of the application;
Fig. 14 is a flow chart of an access control method according to Embodiment 3 of the application;
Fig. 15 is a schematic diagram of an access control system according to Embodiment 4 of the application; and
Fig. 16 is a structural block diagram of a computer terminal according to an embodiment of the application.
Detailed description of the embodiments
To help those skilled in the art better understand the solution of the invention, the technical scheme in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings are used to distinguish similar objects and not to describe a specific order or sequence. Data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in orders other than those illustrated or described. In addition, the terms "comprising" and "having" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to the process, method, product or device.
First, some of the nouns or terms that appear in the description of the embodiments are explained as follows:
Proxy server: a computer system or other type of network terminal that provides a proxy service.
HTTP protocol: HTTP, the Hypertext Transfer Protocol, is the most widely used network protocol on the internet. It is a standard for requests and responses between a client and a server, where the client is the end user and the server is the website.
Request: an HTTP request, the request message from the client to the server.
Response: an HTTP response, the response message from the server to the client.
Access control: the main strategy for network security protection; a technique that restricts users' access to certain information items, or restricts the use of certain control functions, according to user identity and the group to which the user belongs. Access control includes multiple means such as network access control, network permission control, directory-level control and attribute control.
Access content copyright: the right to the content being accessed; different users can access different content.
Region control: a strategy that restricts users' access to certain information items, or the use of certain control functions, according to the region where the user is located.
Access restriction information: the restriction content limiting a user's access to network resources, for example regional information limiting the user's access to the resource, or the type and level of response content the user is permitted to receive.
Embodiment 1
According to the embodiments of the application, an access control method embodiment is also provided. It should be noted that the steps illustrated in the flow charts of the drawings may be performed in a computer system such as a set of computer-executable instructions and, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from that given here.
The method embodiment provided in Embodiment 1 may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 2 is a hardware block diagram of a computer terminal for an access control method according to an embodiment of the application. As shown in Fig. 2, computer terminal 20 may include one or more processors 202 (only one is shown; processor 202 may include, but is not limited to, a processing unit such as a microprocessor MCU or a programmable logic device FPGA), a memory 204 for storing data, and a transmission module 206 for communication. Those of ordinary skill in the art will understand that the structure shown in Fig. 2 is illustrative only and does not limit the structure of the electronic device; for example, computer terminal 20 may include more or fewer components than shown in Fig. 2, or a configuration different from that shown in Fig. 2.
Memory 204 can store software programs and modules of application software, such as the program instructions/modules corresponding to the access control method in the embodiments; processor 202 runs the software programs and modules stored in memory 204 to perform various functional applications and data processing, that is, to implement the access control method above. Memory 204 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples memory 204 may further include memory located remotely from processor 202, connected to computer terminal 20 over a network. Examples of such networks include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
Transmission device 206 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of computer terminal 20. In one example transmission device 206 includes a network interface controller (NIC) that can connect to other network devices through a base station to communicate with the internet. In another example transmission device 206 may be a radio frequency (RF) module used to communicate wirelessly with the internet.
In the above operating environment, the application provides an access control method as shown in Fig. 3. Fig. 3 is a flow chart of an access control method according to Embodiment 1 of the application. As shown in Fig. 3, the method may include the following steps:
Step S32: receive an access request.
Specifically, the access request may be an access request of the HTTP protocol, that is, an HTTP request (Request).
In an optional scheme, when a user accesses a resource on a server through a client, an access request from the client to the server is generated, and the client sends the access request through the internet to a proxy server or origin server.
Step S34: read the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object.
Specifically, the access restriction information may be a new header "X-Limit" introduced in the header of the access request. It may be content that restricts the user's access to server resources according to access-control needs. For example, for regional control of the content copyright a user accesses, the access restriction information may be the region (such as China) to which access to the resource is restricted, and only users belonging to that region, i.e. Chinese users, can access the resource; for returning response content according to the user's age bracket, the access restriction information may limit the response content the user may receive to that displayed by age.
Step S36: determine the response content according to the access restriction information, where the response content may include the access rights of the accessing user and/or the access content returned.
In an optional scheme, after the proxy server or origin server receives the access request sent by the client, it analyses the request, reads the access restriction information in it, and judges the user's rights according to the access restriction information obtained. If the user satisfies all the content in the access restriction information, i.e. the user has the access content copyright, the user is allowed access and the corresponding access content is returned to the client, so that the user can view the required resource; if the user fails to satisfy any one item in the access restriction information, i.e. the user does not have the access content copyright, access is not allowed and an error message is returned stating that the user has no copyright and access is forbidden.
For example, the above embodiment is described in detail taking the access request as an HTTP request and the access restriction information as regional access restriction information. When a user accesses a network resource, the proxy server or origin server receives the HTTP request generated by the user's client, reads the regional information in the HTTP request, obtains the regional access restriction information restricting user access to the network resource, and determines the response content to send to the client according to the regional access restriction information and the region attribute the user belongs to. If the user's region attribute matches the regional access restriction information, it is determined that the user has the access content copyright and the user is allowed to access the network resource; if they differ, it is determined that the user does not have the access content copyright, the user is not allowed to access the resource, and a 403 Forbidden response is returned.
It can be seen from the above that, in the scheme disclosed in Embodiment 1, after an access request is received the access restriction information in the request can be read and the response content to return determined accordingly. This scheme determines the corresponding response content from the access restriction information read from the access request, achieving controlled management of the resources users access.
It is easy to note that, because access restriction information can be added to the access request according to a unified rule, each proxy or origin server that receives the same access request can determine the same response content according to the access restriction information read from the request. Therefore, the scheme provided by the embodiments can extend multiple types of management control in a customized way while providing one standard in the HTTP protocol, achieving unified access control and improved compatibility of management systems.
Thus, the scheme of Embodiment 1 solves the technical problem of the prior art, in which access control is performed by a proxy or origin server and, because the configuration of proxy or origin servers differs, there is no unified access control management across the whole internet system.
According to the above embodiments, before step S32 of receiving the access request, the method may further include the following step:
Step S30: set at least one item of access restriction information in the header field of the access request, where the access restriction information includes one or more groups of restriction rules to be checked, and any group of restriction rules includes one or more of the following: parameters of different types and the values of the parameters.
Specifically, the header field of the access request may be the HTTP header of the HTTP request, and the restriction rules may be regional restriction rules or age restriction rules, where a regional restriction rule may include a region parameter and a region parameter value, and an age restriction rule may include an age parameter and an age parameter value.
In an optional scheme, a new header "X-Limit" may be introduced into the HTTP header of the generated access request. The new header includes two fields, as shown in Table 1:
Table 1
The header is described as follows:
X-Limit = X-Limit:TYPE PARAMS
TYPE = "AREA" | "AGE" | "OTHER"
AREA = matching user's area
AGE = matching user's age
OTHER = extensible
PARAMS = "," token
TYPE is the check type, represented by a string, which states what content is to be restricted, for example: AREA, user location matching, restricting access to users belonging to the given area; AGE, user age matching, restricting the response content the user may receive to that displayed by age. PARAMS is the parameter list; the check type determines what kind of data the parameter list carries, and if the list includes multiple parameters they are separated with a western comma (,). For example, if TYPE=AREA, i.e. user location verification, PARAMS must specify the specific area, supporting continent, country and city, and multiple values may be written separated with a vertical bar (|); if TYPE=AGE, i.e. user age verification, PARAMS must specify the minimum permitted age and supports an age bracket such as 3-8; if TYPE=OTHER, it is extensible.
This is illustrated with a configuration example: X-Limit:AREA US|CH;AGE 3-5, as shown in Table 2. According to the restriction rules, in the above configuration the access restriction information includes two restriction rules, whose specific meanings are: the first restriction rule states that only users in the US or China region are allowed to access the origin site's content; the second restriction rule states that the content returned is limited to that suitable for the age bracket of three to five years.
Table 2
It should be noted here that the header "X-Limit" exists only in the access request and does not appear in the response.
For example, the above embodiments are described in detail taking the access request as an HTTP request. As shown in Fig. 4, before accessing a web page or video the user may set the type and level of the content to access in the Request. After receiving the Request, the proxy server or origin server reads the X-Limit field carried in the Request, obtains the content type and level that were set, and determines the corresponding response content according to the settings.
By this scheme, access restriction information can be set in the header field of the access request, thereby achieving access control; and by setting the type and level of content to access, the requirement of content classification and grading is met.
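The X-Limit grammar above (TYPE in AREA / AGE / OTHER, bar-separated area values, an age bracket such as 3-5) and the format check of step S3602 are what a proxy or origin server has to implement before it can match anything. The following parser is an added example written for this page and is not code from the patent or from Alibaba. It assumes a representation for parsed rules (a frozenset of area codes, an (low, high) age tuple with None meaning "no upper bound"), assumes that rules within one header value are separated by ";" as in the Table 2 example, and assumes area codes are upper-case alphabetic tokens; none of these details are fixed by the page.

```python
import re
from typing import List, Tuple, Union

# Parsed rule shapes (a representation chosen for this example, not defined by the patent):
#   ("AREA", frozenset({"US", "CH"}))  region codes that may access the content
#   ("AGE", (3, 5))                    age bracket; ("AGE", (18, None)) means "18 and up"
#   ("OTHER", "<raw params>")          extension type, kept opaque
Rule = Tuple[str, Union[frozenset, tuple, str]]

VALID_TYPES = ("AREA", "AGE", "OTHER")
# Assumption: area codes are upper-case letters (continent/country/city codes such as US, CH).
_AREA_TOKEN = re.compile(r"^[A-Z]{2,}$")
# AGE is either a minimum age ("18") or a bracket ("3-8").
_AGE_VALUE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def parse_x_limit(value: str) -> List[Rule]:
    """Parse the value of one X-Limit header, e.g. 'AREA US|CH;AGE 3-5'.

    Rules are separated by ';' as in the page's Table 2 example; each rule is
    'TYPE PARAMS'.  Any format violation raises ValueError, which the caller
    turns into a 403 response (step S3602: illegal format => forbid access).
    """
    rules: List[Rule] = []
    for raw_rule in value.split(";"):
        raw_rule = raw_rule.strip()
        if not raw_rule:
            raise ValueError("empty rule in X-Limit")
        parts = raw_rule.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"rule is missing TYPE or PARAMS: {raw_rule!r}")
        rtype, params = parts[0], parts[1].strip()
        if rtype not in VALID_TYPES:
            raise ValueError(f"unknown TYPE {rtype!r}")
        if rtype == "AREA":
            # Multiple areas are written with a vertical bar: US|CH
            areas = [a.strip() for a in params.split("|")]
            if not all(_AREA_TOKEN.match(a) for a in areas):
                raise ValueError(f"bad AREA value list {params!r}")
            rules.append(("AREA", frozenset(areas)))
        elif rtype == "AGE":
            m = _AGE_VALUE.match(params)
            if m is None:
                raise ValueError(f"bad AGE value {params!r}")
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) is not None else None
            if high is not None and high < low:
                raise ValueError(f"AGE bracket is reversed: {params!r}")
            rules.append(("AGE", (low, high)))
        else:
            rules.append(("OTHER", params))
    return rules


def is_valid_x_limit(value: str) -> bool:
    """Format check of step S3602 as a boolean: True if the header value parses."""
    try:
        parse_x_limit(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample header value (the page's Table 2 example).
    print(parse_x_limit("AREA US|CH;AGE 3-5"))
    print(is_valid_x_limit("AREA us;AGE five"))  # False: lower-case area, non-numeric age
```

The parser rejects anything it does not recognise rather than skipping it, which is what step S3602 requires: an unparseable header must end in a forbid-access response, not in a rule being silently ignored.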
According to the above embodiments, where the header field of the access request includes multiple items of access restriction information, the method may further include the following step:
Step S302: merge the multiple items of access restriction information, where step S302 includes: Step S3022: merge identical values of parameters of the same type in the multiple items of access restriction information into one value, and merge different values of parameters of the same type into multiple parallel values.
In an optional scheme, if the header field of the HTTP request includes multiple items of access restriction information, i.e. X-Limit occurs more than once in the HTTP header, the values of this field are first merged: identical values of the same parameter type are merged into one value, different values of the same parameter type are merged into parallel values, and matching is then performed according to the merged access restriction information. For example, if two X-Limit headers occur in the HTTP header, X-Limit:AREA CH and X-Limit:AREA US|CH, then after reading them the two can be merged into one X-Limit, namely X-Limit:AREA US|CH.
According to the above embodiments, where the access request includes multiple items of access restriction information, the method may further include the following step:
Step S304: if the logical content of the restriction rules included in any two or more items of access restriction information contradicts, extract the restriction rule with the highest priority.
Specifically, the restriction rule with the highest priority may be the rule matched first, for example the first restriction rule.
In an optional scheme, a first-match conflict principle may be used: if rules with conflicting content exist in the field, the rule matched first among the conflicting ones takes effect and the other conflicting rules after it are no longer matched, to avoid logical complexity. For example, if two X-Limit headers occur in the HTTP header, X-Limit:AREA CH and X-Limit:AREA US, the first-match conflict principle may be used: the rule matched first, X-Limit:AREA CH, is matched and the rule after it, X-Limit:AREA US, is not.
According to the above embodiments of the present application, step S36, determining the response contents according to the access restricted information, can include the following steps:
Step S362, querying one by one the parameters included in the restriction rule, wherein the parameters in the restriction rule include: the access rights of the accessing user and/or the access content returned to the accessing user.
Specifically, the access rights of the accessing user can be a match on the user's location, and the access content returned to the accessing user can be the response contents acceptable to the user, shown by age.
Step S364, in the case that any one or more parameter queries fail, the response contents are to forbid access.
Step S366, in the case that all parameter queries succeed, the response contents are to allow access, and the access rights and/or access content returned to the accessing user are determined according to each parameter and its relation.
In an optional scheme, each parameter in the restriction rule can be queried one by one to check whether it is satisfied. If any parameter of the restriction rule is not satisfied, the response contents are determined to be forbidding access, which indicates that the user does not have the copyright for the accessed content; the user is not allowed to access, and the response contents are returned to the client. If all parameters are satisfied, the response contents are determined to be allowing access, which indicates that the user has the copyright for the accessed content, and the corresponding response contents are returned according to each rule and its relation. For example, when the parameter is a regional parameter, it may be determined to return to the client the response contents for which the accessing user has access rights; when the parameter is an age parameter, it may be determined to return to the client the access content shown by age.
For example, still taking the access request as an HTTP request, the above embodiments are described in detail. As shown in Fig. 4, before accessing a webpage or video, the user can set the type and rank of the accessed content in the Request. After receiving the Request, the proxy server or origin (return-source) server reads the X-Limit field carried in the Request and queries one by one the restriction rules in the X-Limit field. If all queries succeed, the query result, i.e. the access rights and/or access content, is returned; if not all queries succeed, a 403 response forbidding access is returned.
It should be noted here that, when performing match queries, matching can proceed one by one according to the rules in X-Limit; as soon as one rule fails to match, a 403 response forbidding access is returned immediately.
Through the above scheme, the corresponding response contents can be determined by querying one by one the parameters included in the restriction rule, thereby achieving the purpose of access control.
According to the above embodiments of the present application, before step S362 of querying one by one the parameters included in the restriction rule, the above method can further include the following step:
Step S3602, verifying whether the format of the access restricted information is legal, wherein, if the format of the access restricted information is legal, the step of querying one by one the parameters included in the restriction rule continues to be executed; if the format of the access restricted information is illegal, the response contents are determined to be forbidding access.
In an optional scheme, after the access restricted information is read from the access request, whether its format is legal can be verified. If legal, each parameter in the restriction rule is queried one by one to check whether it is satisfied, so as to determine the response contents; if illegal, the access restricted information is determined to be invalid information, the response contents are determined to be forbidding access, which indicates that the user does not have the copyright for the accessed content, the user is not allowed to access, and the response contents are returned to the client.
For example, still taking the access request as an HTTP request, the above embodiments are described in detail. As shown in Fig. 4, before accessing a webpage or video, the user can set the type and rank of the accessed content in the Request. After receiving the Request, the proxy server or origin server reads the X-Limit field carried in the Request and judges whether X-Limit is legal. If legal, the restriction rules in the X-Limit field are queried one by one; if all queries succeed, the query result, i.e. the access rights and/or access content, is returned; if not all queries succeed, a 403 response forbidding access is returned. If illegal, a 403 response forbidding access is returned.
According to the above embodiments of the present application, before step S3602 of verifying whether the format of the access restricted information is legal, the above method can further include the following step:
Step S3604, judging whether the access restricted information is empty, wherein, if the access restricted information is empty, all contents requested by the access request are allowed in response; if the access restricted information is not empty, the method proceeds to the step of verifying the format of the access restricted information, or continues directly to the step of querying one by one the parameters included in the restriction rule.
In an optional scheme, after the access restricted information is read from the access request, it can first be judged whether the access restricted information is empty. If empty, the access request is allowed unconditionally. If not empty, it is further judged whether the format of the access restricted information is legal; if legal, each parameter in the restriction rule is queried one by one to check whether it is satisfied, so as to determine the response contents; if illegal, the access restricted information is determined to be invalid information, the response contents are determined to be forbidding access, which indicates that the user does not have the copyright for the accessed content, the user is not allowed to access, and the response contents are returned to the client.
For example, still taking the access request as an HTTP request, the above embodiments are described in detail. As shown in Fig. 4, before accessing a webpage or video, the user can set the type and rank of the accessed content in the Request. After receiving the Request, the proxy server or origin server reads the X-Limit field carried in the Request. If the X-Limit field is empty, the Request is allowed unconditionally. If the X-Limit field is not empty, it is read and judged for legality; if legal, the restriction rules in the X-Limit field are queried one by one, and if all queries succeed, the query result, i.e. the access rights and/or access content, is returned, while if not all queries succeed, a 403 response forbidding access is returned; if illegal, a 403 response forbidding access is returned.
It should be noted here that if the access restricted information is not empty but the type of a restriction rule is not a valid type, that rule is not processed.
According to the above embodiments of the present application, after step S32 of receiving the access request, the above method can further include the following step:
Step S322, judging whether the access request carries access restricted information, wherein, if it is determined that the access request carries access restricted information, the method proceeds to the step of judging whether the access restricted information is empty; if it is determined that the access request does not carry access restricted information, all contents requested by the access request are allowed in response.
In an optional scheme, after the access request is received, it can first be judged whether the access request carries access restricted information. If not carried, this indicates that the access request is not subject to access control, and the access request can be allowed unconditionally. If carried, it is further judged whether the format of the access restricted information is legal; if legal, each parameter in the restriction rule is queried one by one to check whether it is satisfied, so as to determine the response contents; if illegal, the access restricted information is determined to be invalid information, the response contents are determined to be forbidding access, which indicates that the user does not have the copyright for the accessed content, the user is not allowed to access, and the response contents are returned to the client.
For example, still taking the access request as an HTTP request, the above embodiments are described in detail. As shown in Fig. 4, before accessing a webpage or video, the user can set the type and rank of the accessed content in the Request. After receiving the Request, the proxy server or origin server judges whether the Request carries an X-Limit field. If not carried, i.e. there is no X-Limit in the Request header, the current Request has no X-Limit limitation and is allowed unconditionally. If the Request carries an X-Limit field and the field is not empty, the X-Limit field is read and judged for legality; if legal, the restriction rules in the X-Limit field are queried one by one, and if all queries succeed, the query result, i.e. the access rights and/or access content, is returned, while if not all queries succeed, a 403 response forbidding access is returned; if illegal, a 403 response forbidding access is returned.
A preferred embodiment of the present application is described in detail below with reference to Fig. 4 and Fig. 5.
As shown in Fig. 5, taking an HTTP request as the application scenario, an optional access control method is provided, which may include steps S501 to S503:
Step S501, the client 151 sends an HTTP request to the server 153.
Optionally, the server can receive the HTTP request (Request) sent by the client.
Step S502, the server 153 determines the response contents according to the access restricted information in the HTTP request.
Optionally, after receiving the Request sent by the client, the server judges whether the Request carries an X-Limit field. If not carried, the response contents are determined to be the Response corresponding to the Request. If carried, the X-Limit field is read and it is further judged whether the field is empty; if empty, the response contents are determined to be the Response corresponding to the Request. If not empty, it is judged whether the X-Limit field is legal; if illegal, the response contents are determined to be 403, forbidding access. If legal, the X-Limit rules are matched one by one and it is judged whether all of them match successfully; if not all match successfully, the response contents are determined to be 403, forbidding access; if all match successfully, the corresponding response contents are obtained according to each rule and its relation.
Step S503, the server 153 returns the response contents to the client 151.
Optionally, after determining the response contents, the server returns them to the client for the user to view, or prompts the user that they do not have access rights.
Through steps S501 to S503, an access control scheme is provided: after receiving the HTTP request sent by the client, the server judges the X-Limit field in the HTTP request header, obtains the corresponding response contents according to the judgement result, and returns the response contents to the client. The access control scheme is thus based on the HTTP protocol, can be implemented jointly by all devices under a unified standard, and achieves better compatibility. Before the user accesses a webpage or video, the type and rank of the accessed content can be set in advance through the HTTP protocol, and the server returns the corresponding result according to the set content, meeting the requirement of content classification and grading. Further, based on the HTTP header, multiple management and control types can be extended in a self-defined manner.
It should be noted here that the above embodiments of the present application can be implemented in the C/C++ language, but are not limited to it; other kinds of computer language can also achieve the implementation effect of the present application.
It should be noted that, for the sake of brevity, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that the present application is not limited by the described order of actions, because according to the present application some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on such understanding, the technical scheme of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc), including several instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to perform the method described in each embodiment of the present application.
Embodiment 2
According to an embodiment of the present application, an access control device for implementing the above access control method is also provided. As shown in Fig. 6, the device can include: a receiving module 61, a reading module 63 and a determining module 65.
The receiving module 61 is used to receive an access request; the reading module 63 is used to read the access restricted information carried in the access request, wherein the access restricted information is the content required to limit access to the target object; the determining module 65 is used to determine the response contents according to the access restricted information, wherein the response contents can include the access rights of the accessing user and/or the returned access content.
Specifically, the above access request can be an access request of the HTTP protocol, i.e. an HTTP request (Request). The above access restricted information can be a new header "X-Limit" introduced in the access request header, which limits, according to access control needs, the content of the server resource that the user may access. For example, to control the region in which the user may access copyrighted content, the access restricted information can restrict the region (such as China) from which the user may access the resource, so that users belonging to that region, i.e. Chinese users, can access the resource; to return corresponding response contents according to the user's age bracket, the access restricted information can restrict the response contents acceptable to the user to be shown by age.
It should be noted here that the above receiving module 61, reading module 63 and determining module 65 correspond to steps S32 to S36 in Embodiment 1; the examples and application scenarios realized by the three modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above modules may run, as part of the device, in the terminal 20 provided in Embodiment 1.
From the above, in the scheme disclosed in Embodiment 2 of the present application, after an access request is received, the access restricted information in the access request can be read, and the response contents to be returned are determined according to the access restricted information. This scheme determines the corresponding response contents by reading the access restricted information in the access request, thereby achieving the purpose of controlling and managing the user's access to resources.
It is easy to note that, since access restricted information can be added to the access request according to a unified rule, each proxy or origin server, after receiving the same access request, can determine the same response contents according to the access restricted information read from the access request. Therefore, the scheme provided by the embodiments of the present application can extend multiple management and control types in a self-defined manner while providing a standard within the HTTP protocol, performing unified access control and improving the compatibility of the management system.
Thus, the scheme of Embodiment 2 provided by the present application solves the technical problem in the prior art that access control performed by proxy or origin servers, whose configurations differ, leaves the Internet as a whole without unified access control management.
According to the above embodiments of the present application, as shown in Fig. 7, the above device can further include: a setup module 71.
The setup module 71 is used to set at least one piece of access restricted information in the header field of the access request, wherein the access restricted information includes one or more groups of restriction rules to be queried, and any one group of restriction rules includes any one or more of the following: different types of parameters and the values of the parameters.
Specifically, the header field of the above access request can be the HTTP header of the HTTP request, and the above restriction rules can be a territorial restriction rule or an age restriction rule, wherein the territorial restriction rule can include a regional parameter and its value, and the age restriction rule can include an age parameter and its value.
It should be noted here that the header "X-Limit" exists only in the access request and is not present in the response.
It should also be noted here that the above setup module 71 corresponds to step S30 in Embodiment 1; the examples and application scenarios realized by the module are the same as those of the corresponding step, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above module may run, as part of the device, in the terminal 20 provided in Embodiment 1.
Through the above scheme, access restricted information can be set in the header field of the access request, so as to achieve access control, and the type and rank of the accessed content can be set, meeting the requirement of content classification and grading.
According to the above embodiments of the present application, as shown in Fig. 8, in the case that the header field of the access request includes multiple pieces of access restricted information, the above device can further include: a merging module 81.
The merging module 81 is used to merge the multiple pieces of access restricted information, wherein the merging module 81 includes a merging submodule 811, used to merge identical values of the same type of parameter in the multiple pieces of access restricted information into one value, and to merge different values of the same type of parameter into multiple parallel values.
It should be noted here that the above merging module 81 and merging submodule 811 correspond to steps S302 and S3022 in Embodiment 1; the examples and application scenarios realized by the two modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above modules may run, as part of the device, in the terminal 20 provided in Embodiment 1.
According to the above embodiments of the present application, as shown in Fig. 9, in the case that the access request includes multiple pieces of access restricted information, the above device can further include: an extraction module 91.
The extraction module 91 is used, in the case that the restriction rules included in any two or more pieces of access restricted information limit logically contradictory contents, to extract the restriction rule with the highest priority.
Specifically, the above restriction rule with the highest priority can be the restriction rule matched first, for example the first restriction rule.
It should be noted here that the above extraction module 91 corresponds to step S304 in Embodiment 1; the examples and application scenarios realized by the module are the same as those of the corresponding step, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above module may run, as part of the device, in the terminal 20 provided in Embodiment 1.
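The behaviour of merging module 81 with its submodule 811, and of extraction module 91, as an added Python example that is not the patent's code. It assumes a one-rule-per-line "<TYPE> <VALUE>" grammar (the page shows only "X-Limit: AREA CH") and treats AREA as a type whose parallel values contradict each other, since one request cannot originate from two regions; which types the patent regards as contradictory is not stated, so EXCLUSIVE_TYPES is an assumption. The header list is constructed sample input.

```python
from collections import OrderedDict
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs in wire order

# Assumed: parallel values of these types contradict each other (a request has one origin
# region), so only the first-matched value may take effect; other types keep all values.
EXCLUSIVE_TYPES = {"AREA"}


def parse_rule(line: str) -> Tuple[str, str]:
    """Assumed grammar "<TYPE> <VALUE>"; raises ValueError on an illegal line."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"illegal X-Limit rule: {line!r}")
    return parts[0], parts[1]


def merge_x_limit(headers: Headers) -> "OrderedDict[str, List[str]]":
    """Merging module 81: group X-Limit rules by parameter type, in first-seen order.
    Submodule 811: an identical value of the same type collapses into one value;
    different values of the same type become parallel values."""
    merged: "OrderedDict[str, List[str]]" = OrderedDict()
    for name, value in headers:
        if name.lower() != "x-limit" or not value.strip():
            continue                                   # other headers and empty X-Limit lines
        kind, val = parse_rule(value)
        values = merged.setdefault(kind, [])
        if val not in values:
            values.append(val)
    return merged


def extract_highest_priority(merged: Dict[str, List[str]]) -> "OrderedDict[str, List[str]]":
    """Extraction module 91: where parallel values of one type contradict, keep only the rule
    matched first (the highest-priority rule); non-contradicting types are left untouched."""
    resolved: "OrderedDict[str, List[str]]" = OrderedDict()
    for kind, values in merged.items():
        if kind in EXCLUSIVE_TYPES and len(values) > 1:
            resolved[kind] = values[:1]                # first matched wins, the rest is not matched
        else:
            resolved[kind] = list(values)
    return resolved


if __name__ == "__main__":
    # Constructed request header with duplicated and conflicting X-Limit lines.
    request = [("Host", "example.test"), ("X-Limit", "AREA CH"), ("X-Limit", "AREA CH"),
               ("X-Limit", "AREA US"), ("X-Limit", "AGE 18"), ("X-Limit", "AGE 13")]
    merged = merge_x_limit(request)
    print(dict(merged))                              # {'AREA': ['CH', 'US'], 'AGE': ['18', '13']}
    print(dict(extract_highest_priority(merged)))    # {'AREA': ['CH'], 'AGE': ['18', '13']}
```

The merged structure keeps the header order, so "the rule matched first" in the extraction step is simply the first value of each type; a malformed line raises rather than being merged, leaving the 403 decision to the format check of step S3602.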
According to the above embodiments of the present application, as shown in Fig. 10, the determining module 65 can include: a query submodule 101, a first determining submodule 103 and a second determining submodule 105.
The query submodule 101 is used to query one by one the parameters included in the restriction rule, wherein the parameters in the restriction rule include: the access rights of the accessing user and/or the access content returned to the accessing user; the first determining submodule 103 is used, in the case that any one or more parameter queries fail, to determine the response contents to be forbidding access; the second determining submodule 105 is used, in the case that all parameter queries succeed, to determine the response contents to be allowing access, and to determine the access rights and/or access content returned to the accessing user according to each parameter and its relation.
Specifically, the access rights of the accessing user can be a match on the user's location, and the access content returned to the accessing user can be the response contents acceptable to the user, shown by age.
It should be noted here that, when performing match queries, matching can proceed one by one according to the rules in X-Limit; as soon as one rule fails to match, a 403 response forbidding access is returned immediately.
It should also be noted here that the above query submodule 101, first determining submodule 103 and second determining submodule 105 correspond to steps S362 to S366 in Embodiment 1; the examples and application scenarios realized by the three modules are the same as those of the corresponding steps, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above modules may run, as part of the device, in the terminal 20 provided in Embodiment 1.
Through the above scheme, the corresponding response contents can be determined by querying one by one the parameters included in the restriction rule, thereby achieving the purpose of access control.
According to the above embodiments of the present application, as shown in Fig. 11, the above device can further include: a verification module 111.
The verification module 111 is used to verify whether the format of the access restricted information is legal, wherein, if the format of the access restricted information is legal, the function of the query submodule 101 continues to be executed; if the format of the access restricted information is illegal, the response contents are determined to be forbidding access.
It should be noted here that the above verification module 111 corresponds to step S3602 in Embodiment 1; the examples and application scenarios realized by the module are the same as those of the corresponding step, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above module may run, as part of the device, in the terminal 20 provided in Embodiment 1.
According to the above embodiments of the present application, as shown in Fig. 12, the above device can further include: a first judging module 121.
The first judging module 121 is used to judge whether the access restricted information is empty, wherein, if the access restricted information is empty, all contents requested by the access request are allowed in response; if the access restricted information is not empty, the function of the verification module 111 is executed, or the function of the query submodule 101 continues to be executed.
It should be noted here that if the access restricted information is not empty but the type of a restriction rule is not a valid type, that rule is not processed.
It should also be noted here that the above first judging module 121 corresponds to step S3604 in Embodiment 1; the examples and application scenarios realized by the module are the same as those of the corresponding step, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above module may run, as part of the device, in the terminal 20 provided in Embodiment 1.
According to the above embodiments of the present application, as shown in Fig. 13, the above device can further include: a second judging module 131.
The second judging module 131 is used to judge whether the access request carries access restricted information, wherein, if it is determined that the access request carries access restricted information, the function of the first judging module 121 is executed; if it is determined that the access request does not carry access restricted information, all contents requested by the access request are allowed in response.
It should be noted here that the above second judging module 131 corresponds to step S322 in Embodiment 1; the examples and application scenarios realized by the module are the same as those of the corresponding step, but are not limited to the contents disclosed in Embodiment 1. It should be noted that the above module may run, as part of the device, in the terminal 20 provided in Embodiment 1.
Embodiment 3
According to an embodiment of the present application, a further embodiment of an access control method is provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings can be performed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps shown or described can be performed in an order different from the one given here.
Fig. 14 is a flowchart of an access control method according to Embodiment 3 of the present application. As shown in Fig. 14, the above method may include the following steps:
Step S142, the client terminal sends an access request, wherein the access request includes a control field used to perform access control.
Specifically, the above access request can be an access request of the HTTP protocol, i.e. an HTTP request (Request).
In an optional scheme, when the user accesses a resource on the server through the client, an access request from the client to the server can be generated, and the client sends the access request over the Internet to the proxy server or origin server.
Step S144, the client terminal receives the response message returned by the server in response to the access request, wherein the server reads the access restricted information carried in the control field of the access request and determines the response contents according to the access restricted information, the access restricted information being the content required to limit access to the target object.
Specifically, the above access restricted information can be a new header "X-Limit" introduced in the access request header, which limits, according to access control needs, the content of the server resource that the user may access. For example, to control the region in which the user may access copyrighted content, the access restricted information can restrict the region (such as China) from which the user may access the resource, so that users belonging to that region, i.e. Chinese users, can access the resource; to return corresponding response contents according to the user's age bracket, the access restricted information can restrict the response contents acceptable to the user to be shown by age.
In an optional scheme, after the proxy server or origin server receives the access request sent by the client, it can analyse the access request, read the access restricted information in it, and judge the user's rights according to the access restricted information obtained. If the user satisfies all contents in the access restricted information, i.e. the user has the copyright for the accessed content, the user is allowed to access and the corresponding access content is returned to the client, so that the user can view the required resource; if the user fails to satisfy any one content in the access restricted information, i.e. the user does not have the copyright for the accessed content, the user is not allowed to access, and an error message is returned stating that the user has no copyright and access is forbidden.
For example, taking the access request as an HTTP request and the access restricted information as regional access restricted information, the above embodiment is described in detail. When the user accesses a network resource, the user's client generates an HTTP request and sends it to the proxy server or origin server. After receiving the HTTP request, the proxy server or origin server reads the regional information in the HTTP request, obtains the regional access restricted information that limits the user's access to the network resource, and determines the response contents to be sent to the client according to the regional access restricted information and the region attribute of the user. If the region attribute of the user is identical to the regional access restricted information, the user is determined to have the copyright for the accessed content and is allowed to access the network resource; if the region attribute of the user differs from the regional access restricted information, the user is determined not to have the copyright, is not allowed to access the network resource, and a 403 response forbidding access is returned.
From the above, in the scheme disclosed in Embodiment 3 of the present application, the client terminal can send an access request, the server reads the access restricted information carried in the control field of the access request and determines the response contents according to it, and the client terminal receives the response message returned by the server in response to the access request. This scheme determines the corresponding response contents by reading the access restricted information in the access request, thereby achieving the purpose of controlling and managing the user's access to resources.
It is easy to note that, since access restricted information can be added to the access request according to a unified rule, each proxy or origin server, after receiving the same access request, can determine the same response contents according to the access restricted information read from the access request. Therefore, the scheme provided by the embodiments of the present application can extend multiple management and control types in a self-defined manner while providing a standard within the HTTP protocol, performing unified access control and improving the compatibility of the management system.
Thus, the scheme of Embodiment 3 provided by the present application solves the technical problem in the prior art that access control performed by proxy or origin servers, whose configurations differ, leaves the Internet as a whole without unified access control management.
Embodiment 4
According to an embodiment of the present application, a control system for implementing the above access control method is also provided. As shown in Figure 15, the system includes:
Client 151, configured to send an access request.
Specifically, the access request may be a request of the Hypertext Transfer Protocol (HTTP), i.e. an HTTP Request.
In an optional scheme, when a user accesses a resource on a server through a client, an access request from the client to the server is generated, and the client sends the access request over the internet to a proxy server or an origin server.
Server 153, in correspondence with client 151, configured to read the access restriction information carried in the access request and to determine the response content according to it, where the access restriction information is the content required to restrict access to the target object.
Specifically, the server may be a proxy server or an origin server. The access restriction information may be a new header "X-Limit" introduced into the request headers, and may be whatever content restricts the user's access to server resources according to access control needs. For example, for regional control of the content copyright a user may access, the access restriction information may be the region (e.g. China) in which users are allowed to access the resource, so that users belonging to that region, i.e. Chinese users, can access it; for returning response content by user age group, the access restriction information may restrict the response content acceptable to users of each age.
In an optional scheme, after the proxy server or origin server receives the access request sent by the client, it may analyze the request, read the access restriction information in it, and judge the user's rights according to that information. If the user satisfies all the items in the access restriction information, i.e. the user holds the copyright to access the content, the user is allowed access and the corresponding content is returned to the client, so the user can view the required resource. If the user fails any one item in the access restriction information, i.e. the user does not hold the content copyright, access is not allowed, and an error message is returned stating that the user has no copyright and access is forbidden.
For example, taking an HTTP request as the access request and regional access restriction information as the access restriction information, the above embodiment is described in detail. When a user accesses a network resource, the proxy server or origin server receives the HTTP request generated by the user's client, reads the regional information in the HTTP request to obtain the regional access restriction information that restricts user access to the network resource, and determines the response content to send to the client from that regional access restriction information and the region attribute of the user. If the user's region attribute matches the regional access restriction information, the user is determined to hold the copyright to access the content and is allowed to access the network resource; if they differ, the user is determined not to hold the copyright, access is not allowed, and a 403 Forbidden response is returned.
From the above, in the solution disclosed in Embodiment 4 of the present application, after an access request is received the access restriction information in it can be read, and the response content to return can be determined according to that information. This solution achieves control and management of user access to resources by reading the access restriction information in the access request and determining the corresponding response content.
It is worth noting that, because access restriction information can be added to an access request according to a unified rule, every proxy server or origin server that receives the same access request can determine the same response content from the access restriction information it reads out of the request. The solution of this embodiment therefore allows a variety of management and control types to be extended in a custom manner while providing a single standard within the HTTP protocol, achieving unified access control and improving the compatibility of management systems.
The solution of Embodiment 4 thus solves the technical problem of the prior art, in which access control is performed by proxy servers or origin servers whose configurations differ, so that there is no unified access control management across the whole internet system.
Embodiment 5
An embodiment of the present application may provide a computer terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute program code for the following steps of the access control method: receiving an access request; reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and determining the response content according to the access restriction information.
Optionally, Figure 16 is a structural block diagram of a computer terminal according to an embodiment of the present application. As shown in Figure 16, computer terminal A may include one or more processors 161 (only one is shown in the figure), a memory 163, and a transmission device 165.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the access control method and device in the embodiments of the present application. By running the software programs and modules stored in the memory, the processor executes various functional applications and data processing, i.e. implements the above access control method. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to computer terminal A through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Through the transmission device, the processor may call the information and application programs stored in the memory to perform the following steps: receiving an access request; reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and determining the response content according to the access restriction information.
Optionally, the processor may also execute program code for the following steps: before the access request is received, setting at least one piece of access restriction information in the header field of a packet of the access request, where the access restriction information includes one or more groups of restriction rules to be queried, and any group of restriction rules includes any one or more of the following: parameters of different types and the values of the parameters.
Optionally, the processor may also execute program code for the following steps: in the case that the header field of the access request includes multiple pieces of access restriction information, merging the multiple pieces, where merging includes: merging identical values of a parameter of the same type across the multiple pieces into a single value, and merging different values of a parameter of the same type into multiple parallel values.
Optionally, the processor may also execute program code for the following steps: in the case that the access request includes multiple pieces of access restriction information, if the content restricted by the restriction rules included in any two or more of them is logically contradictory, extracting the restriction rule with the highest priority.
Optionally, the processor may also execute program code for the following steps: querying one by one the parameters included in the restriction rules, where the parameters include the access rights of the accessing user and/or the access content to be returned to the accessing user; if the query of any one or more parameters fails, the response content is access forbidden; if the parameter queries succeed, the response content is access allowed, and the access rights and/or access content to be returned to the accessing user are determined from each parameter and their relationship.
Optionally, the processor may also execute program code for the following steps: before querying the parameters included in the restriction rules one by one, verifying whether the format of the access restriction information is legal, where, if the format is legal, the step of querying the parameters one by one continues, and if the format is illegal, the response content is determined to be access forbidden.
Optionally, the processor may also execute program code for the following steps: before verifying whether the format of the access restriction information is legal, judging whether the access restriction information is empty, where, if it is empty, all content requested by the access request is allowed to be returned, and if it is not empty, the step of verifying the format of the access restriction information is entered, or the step of querying the parameters included in the restriction rules one by one continues.
Optionally, the processor may also execute program code for the following steps: after the access request is received, judging whether the access request carries access restriction information, where, if it is determined that the request carries access restriction information, the step of judging whether the access restriction information is empty is entered, and if it is determined that the request does not carry access restriction information, all content requested by the access request is allowed to be returned.
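The following is an added worked example, not code from the patent or its assignee, that puts the decision procedure of the preceding steps (presence check, empty check, format check, merging of several X-Limit headers, priority resolution of contradictory rules, and parameter-by-parameter evaluation) together with the regional X-Limit example of Embodiment 4 into one runnable Python decision function. The page names only the header "X-Limit" and the steps themselves; the wire format ("param=v1|v2" or "param!=v1|v2" rules separated by ";" with an optional "priority=N" token), the deny-wins tie-break for equal priorities, and the user attribute dictionary standing in for the server's user lookup are all assumptions of this example.

```python
"""Added example: an X-Limit decision procedure modelled on the steps the patent lists.
The wire format, the priority token and the tie-break are assumptions; the page
names only the header and the merge/priority/format/empty/parameter steps."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HEADER = "X-Limit"  # header name given in the patent text

# Assumed format: "param=v1|v2" (attribute must be one of the values) or
# "param!=v1|v2" (must be none of them), rules separated by ';', plus an
# optional "priority=N" token that ranks the header when headers contradict.
_RULE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)(!?=)([^|;=]+(?:\|[^|;=]+)*)$")
_PRIO_RE = re.compile(r"^priority=(\d+)$")


@dataclass
class Rule:
    param: str
    negate: bool       # True for "!=", False for "="
    values: Set[str]
    priority: int


def extract_x_limit(raw: bytes) -> List[str]:
    """Collect every X-Limit value from a raw HTTP/1.1 request head (names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER.lower():
            values.append(value.strip())
    return values


def parse_header(value: str) -> List[Rule]:
    """Format check: raise ValueError on any token that is neither a rule nor a priority."""
    priority, parsed = 0, []
    for token in (t.strip() for t in value.split(";")):
        if (m := _PRIO_RE.match(token)):
            priority = int(m.group(1))
            continue
        m = _RULE_RE.match(token)
        if not m:
            raise ValueError(f"malformed rule {token!r}")
        parsed.append((m.group(1).lower(), m.group(2) == "!=", set(m.group(3).split("|"))))
    return [Rule(p, n, v, priority) for p, n, v in parsed]


def merge(rules: List[Rule]) -> Dict[str, Tuple[Dict[str, int], Dict[str, int]]]:
    """Per parameter keep an allow set and a deny set (value -> priority).
    Identical values collapse, different values sit side by side (OR), and a value
    that is both required and forbidden is a contradiction resolved in favour of the
    higher priority; on a tie the deny side wins (assumed, fail-closed)."""
    merged: Dict[str, Tuple[Dict[str, int], Dict[str, int]]] = {}
    for r in rules:
        allow, deny = merged.setdefault(r.param, ({}, {}))
        target = deny if r.negate else allow
        for v in r.values:
            target[v] = max(target.get(v, -1), r.priority)
    for allow, deny in merged.values():
        for v in set(allow) & set(deny):
            if allow[v] > deny[v]:
                del deny[v]
            else:
                del allow[v]
    return merged


def decide(headers: List[str], user: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, reason): absent or empty header -> full response;
    bad format -> 403; otherwise every parameter must be satisfied."""
    if not headers:
        return 200, "no X-Limit header: full response"
    values = [h for h in headers if h.strip()]
    if not values:
        return 200, "empty X-Limit: full response"
    try:
        rules = [r for h in values for r in parse_header(h)]
    except ValueError as e:
        return 403, f"malformed X-Limit: {e}"
    for param, (allow, deny) in merge(rules).items():
        attr = user.get(param)             # user attribute lookup; its source is assumed
        if attr is None:
            return 403, f"{param}: parameter query failed"
        if allow and attr not in allow:
            return 403, f"{param}: {attr!r} not in {sorted(allow)}"
        if attr in deny:
            return 403, f"{param}: {attr!r} is forbidden"
    return 200, "all X-Limit rules satisfied"


if __name__ == "__main__":
    # Constructed request: a regional rule plus an age rule on a second X-Limit line.
    raw = (b"GET /video/123 HTTP/1.1\r\nHost: cdn.example.invalid\r\n"
           b"X-Limit: region=CN|HK;priority=1\r\nX-Limit: age!=child;priority=2\r\n\r\n")
    hdrs = extract_x_limit(raw)
    print(decide(hdrs, {"region": "CN", "age": "adult"}))
    print(decide(hdrs, {"region": "US", "age": "adult"}))
```

One point the page leaves open is which component writes the X-Limit header into the request before the proxy or origin server receives it. The example reads the header straight from the request as received, so in a deployment the component that adds the header is the trust anchor: whatever sits in front of it should not let a client-supplied X-Limit through unchanged, otherwise the empty-header and absent-header branches above, which deliberately return the full response, become the easiest path to the content.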
With the embodiments of the present application, after an access request is received the access restriction information in it can be read, and the response content to return can be determined according to that information. This solution achieves control and management of user access to resources by reading the access restriction information in the access request and determining the corresponding response content.
It is worth noting that, because access restriction information can be added to an access request according to a unified rule, every proxy server or origin server that receives the same access request can determine the same response content from the access restriction information it reads out of the request. The solution of this embodiment therefore allows a variety of management and control types to be extended in a custom manner while providing a single standard within the HTTP protocol, achieving unified access control and improving the compatibility of management systems.
The solution of the present application thus solves the technical problem of the prior art, in which access control is performed by proxy servers or origin servers whose configurations differ, so that there is no unified access control management across the whole internet system.
Those skilled in the art will appreciate that the structure shown in Figure 16 is illustrative only; the computer terminal may also be a smart phone (such as an Android or iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, or another terminal device. Figure 16 does not limit the structure of the above electronic apparatus. For example, computer terminal A may include more or fewer components than shown in Figure 16 (such as a network interface or a display device), or a configuration different from that shown in Figure 16.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the hardware associated with a terminal device. The program may be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or the like.
Embodiment 6
An embodiment of the present application also provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the access control method provided in Embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any computer terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving an access request; reading the access restriction information carried in the access request, where the access restriction information is the content required to restrict access to the target object; and determining the response content according to the access restriction information.
Optionally, the storage medium is also configured to store program code for performing the following steps: before the access request is received, setting at least one piece of access restriction information in the header field of a packet of the access request, where the access restriction information includes one or more groups of restriction rules to be queried, and any group of restriction rules includes any one or more of the following: parameters of different types and the values of the parameters.
Optionally, the storage medium is also configured to store program code for performing the following steps: in the case that the header field of the access request includes multiple pieces of access restriction information, merging the multiple pieces, where merging includes: merging identical values of a parameter of the same type across the multiple pieces into a single value, and merging different values of a parameter of the same type into multiple parallel values.
Optionally, the storage medium is also configured to store program code for performing the following steps: in the case that the access request includes multiple pieces of access restriction information, if the content restricted by the restriction rules included in any two or more of them is logically contradictory, extracting the restriction rule with the highest priority.
Optionally, the storage medium is also configured to store program code for performing the following steps: querying one by one the parameters included in the restriction rules, where the parameters include the access rights of the accessing user and/or the access content to be returned to the accessing user; if the query of any one or more parameters fails, the response content is access forbidden; if the parameter queries succeed, the response content is access allowed, and the access rights and/or access content to be returned to the accessing user are determined from each parameter and their relationship.
Optionally, the storage medium is also configured to store program code for performing the following steps: before querying the parameters included in the restriction rules one by one, verifying whether the format of the access restriction information is legal, where, if the format is legal, the step of querying the parameters one by one continues, and if the format is illegal, the response content is determined to be access forbidden.
Optionally, the storage medium is also configured to store program code for performing the following steps: before verifying whether the format of the access restriction information is legal, judging whether the access restriction information is empty, where, if it is empty, all content requested by the access request is allowed to be returned, and if it is not empty, the step of verifying the format of the access restriction information is entered, or the step of querying the parameters included in the restriction rules one by one continues.
Optionally, the storage medium is also configured to store program code for performing the following steps: after the access request is received, judging whether the access request carries access restriction information, where, if it is determined that the request carries access restriction information, the step of judging whether the access restriction information is empty is entered, and if it is determined that the request does not carry access restriction information, all content requested by the access request is allowed to be returned.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the merits of the embodiments.
In the above embodiments of the present invention, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in practice: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disk.
The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (11)

  1. An access control method, comprising:
    receiving an access request, wherein the access request includes a control field for performing access control;
    reading, from the control field, the access restriction information carried in the access request, wherein the access restriction information is the content required to restrict access to a target object; and
    determining response content according to the access restriction information.
  2. The method according to claim 1, wherein before the access request is received, the method further comprises: setting at least one piece of access restriction information in the header field of a packet of the access request, wherein
    the access restriction information includes one or more groups of restriction rules to be queried, and any group of restriction rules includes any one or more of the following: parameters of multiple types and the values of the parameters.
  3. The method according to claim 2, wherein, in the case that the header field of the access request includes multiple pieces of access restriction information, the multiple pieces of access restriction information are merged, and merging the multiple pieces of access restriction information includes: merging identical values of a parameter of the same type across the multiple pieces of access restriction information into a single value, and merging different values of a parameter of the same type into multiple parallel values.
  4. The method according to claim 2, wherein, in the case that the access request includes multiple pieces of access restriction information, if there is a contradiction between the content restricted by the restriction rules included in any two or more pieces of access restriction information, the restriction rule with the highest priority is extracted.
  5. The method according to any one of claims 2 to 4, wherein determining response content according to the access restriction information includes:
    querying, one by one, the parameters included in the restriction rules, wherein the parameters in the restriction rules include:
    the access rights of the accessing user and/or the access content to be returned to the accessing user;
    in the case that the query of any one or more parameters fails, the response content is access forbidden;
    in the case that the parameter queries succeed, the response content is access allowed, and the access rights and/or access content to be returned to the accessing user are determined according to each parameter and their relationship.
  6. The method according to claim 5, wherein before querying the parameters included in the restriction rules one by one, the method further comprises:
    verifying whether the format of the access restriction information is legal, wherein
    if the format of the access restriction information is legal, the step of querying the parameters included in the restriction rules one by one continues to be executed;
    if the format of the access restriction information is illegal, the response content is determined to be access forbidden.
  7. The method according to claim 6, wherein before verifying whether the format of the access restriction information is legal, the method further comprises:
    judging whether the access restriction information is empty, wherein
    if the access restriction information is empty, all content requested by the access request is allowed to be returned;
    if the access restriction information is not empty, the step of verifying the format of the access restriction information is entered, or the step of querying the parameters included in the restriction rules one by one continues to be executed.
  8. The method according to claim 7, wherein after the access request is received, the method further comprises:
    judging whether the access request carries the access restriction information, wherein
    in the case that it is determined that the access request carries the access restriction information, the step of judging whether the access restriction information is empty is entered;
    in the case that it is determined that the access request does not carry the access restriction information, all content requested by the access request is allowed to be returned.
  9. An access control device, comprising:
    a receiving module, configured to receive an access request;
    a reading module, configured to read the access restriction information carried in the access request, wherein the access restriction information is the content required to restrict access to a target object; and
    a determining module, configured to determine response content according to the access restriction information.
  10. An access control method, comprising:
    sending, by a client terminal, an access request, wherein the access request includes a control field for performing access control; and
    receiving, by the client terminal, a response message returned by a server in response to the access request, wherein the server reads, from the control field, the access restriction information carried in the access request and determines response content according to the access restriction information, and wherein the access restriction information is the content required to restrict access to a target object.
  11. An access control system, comprising:
    a client, configured to send an access request; and
    a server, in correspondence with the client, configured to read the access restriction information carried in the access request and to determine response content according to the access restriction information, wherein the access restriction information is the content required to restrict access to a target object.
CN201610559869.9A 2016-07-15 2016-07-15 Access control method, device and system Active CN107623662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610559869.9A CN107623662B (en) 2016-07-15 2016-07-15 Access control method, device and system

Publications (2)

Publication Number Publication Date
CN107623662A true CN107623662A (en) 2018-01-23
CN107623662B CN107623662B (en) 2021-06-01

Family

ID=61086613

Country Status (1)

Country Link
CN (1) CN107623662B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324678A (en) * 2019-05-29 2019-10-11 视联动力信息技术股份有限公司 Method, apparatus, electronic device and readable storage medium for transmitting monitoring resources
CN110392061A (en) * 2019-08-06 2019-10-29 郑州信大捷安信息技术股份有限公司 Network access control system and method
CN114520742A (en) * 2022-02-21 2022-05-20 中国农业银行股份有限公司 Access request processing method, device and storage medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082810A (en) * 2009-11-30 2011-06-01 ***通信集团广西有限公司 Method, system and device for user terminal to access internet
CN102143186A (en) * 2011-04-01 2011-08-03 华为技术有限公司 Access control method, device and system
CN102426555A (en) * 2011-10-31 2012-04-25 北京天地融科技有限公司 Mobile memory, and access control method and system thereof
CN103188208A (en) * 2011-12-27 2013-07-03 腾讯科技(北京)有限公司 Authority control method and authority control system of webpage access, and call center
CN103870548A (en) * 2014-02-26 2014-06-18 浙江大学 Access control method of spatial database
CN104683348A (en) * 2015-03-13 2015-06-03 河南理工大学 Access control strategy composition method based on attribute
US9088538B2 (en) * 2013-03-15 2015-07-21 Saife, Inc. Secure network storage
CN104967620A (en) * 2015-06-17 2015-10-07 中国科学院信息工程研究所 Access control method based on attribute-based access control policy
CN105302845A (en) * 2014-08-01 2016-02-03 华为技术有限公司 Data information transaction method and system
CN105491072A (en) * 2016-01-19 2016-04-13 舟山大舟网络科技股份有限公司 Position-based local forum website user privilege management method and system
CN105635235A (en) * 2014-12-01 2016-06-01 阿里巴巴集团控股有限公司 Access control method and network node for access control
US9384337B1 (en) * 2015-04-27 2016-07-05 Microsoft Technology Licensing, Llc Item sharing based on information boundary and access control list settings

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Shen Haibo, Hong Fan: "Research on Attribute-Based Access Control for Web Services", Computer Science (计算机科学) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110324678A (en) * 2019-05-29 2019-10-11 Visionvera Information Technology Co., Ltd. Method, apparatus, electronic device and readable storage medium for transmitting a monitoring resource
CN110392061A (en) * 2019-08-06 2019-10-29 Zhengzhou Xinda Jiean Information Technology Co., Ltd. Network access control system and method
CN114520742A (en) * 2022-02-21 2022-05-20 Agricultural Bank of China Co., Ltd. Access request processing method, device and storage medium

Also Published As

Publication number Publication date
CN107623662B (en) 2021-06-01

Similar Documents

Publication Publication Date Title
CN103858457B Multi-hop single sign-on (SSO) for identity provider (IdP) roaming/proxy
CN102027714B Performing networking tasks based on destination network
CN103607385B Browser-based security detection method and apparatus
WO2020062582A1 (en) Methods for information drainage, requesting transmission and communication acceleration, and drainage and node server
CN104468592B (en) Login method and login system
CN107426168A Secure network access processing method and device
CN106096343A (en) Message access control method and equipment
CN106471833A Performing per-user wireless flows
CN110661670A (en) Network equipment configuration management method and device
CN107104924A Verification method and device for website backdoor files
US20110093367A1 (en) Method, apparatus, and computer product for centralized account provisioning
CN107257346A Service access processing method and device for single sign-on
CN104995900A (en) Specifying link layer information in a URL
CN102724079A (en) Method and system for auxiliary configuration of Ethernet equipment
CN107623662A Access control method, device and system
CN111034238A (en) Method for obtaining user subscription data relating to a subscriber in a telecommunication network
CN106375442A (en) Cross-platform device information management method and apparatus
CN107295118A (en) Contact searching method and device
CN106330880A (en) Management method for address book and home gateway
CN108207012A Flow control method, device, terminal and system
CN106789227A Internet behavior analysis method and internet behavior analysis device
CN107770189A (en) Reverse proxy method, system, proxy server and storage medium
CN107135506B Portal authentication method, apparatus and system
CN101848456B Service processing method, communication system and related device
CN106713300A (en) WEBDAV (Web-based Distributed Authoring and Versioning) based general file sharing system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant