CN108600177A - A kind of authority control method and device - Google Patents

Info

Publication number: CN108600177A
Application number: CN201810260521.9A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN108600177B (en)
Inventor: 雷小辉, 孙加光, 喻波, 王志海, 韩振国, 安鹏
Current assignee: Beijing Wondersoft Technology Co Ltd
Original assignee: Beijing Wondersoft Technology Co Ltd
Prior art keywords: information, permission, target, button, active user

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F3/0481 Interaction techniques based on graphical user interfaces [GUI] based on specific properties of the displayed interaction object or a metaphor-based environment, e.g. interaction with desktop elements like windows or icons, or assisted by a cursor's changing behaviour or appearance
    • G06F3/0482 Interaction with lists of selectable items, e.g. menus

Abstract

The present invention provides a permission control method and device. The method includes: when permission control data is received, obtaining the permission information of each role; caching the permission information classified by role; according to the target role of the current user, looking up in the cached permission information the target permission set information of the current user corresponding to the target role; looking up menu-level permission set information in the target permission set information; sending the menu-level permission set information to the client; receiving the client's trigger request for a target menu among the displayed menus, and determining the target page corresponding to the trigger request; determining, according to the button-level permission information in the target permission set information and the button information of the target page, the button-level permission set information of the multiple buttons in the target page on which the current user has operating permission; and, in response to the trigger request, sending the button-level permission set information to the client. The present invention can display the menus and buttons on which the user has operating permission.

Description

A kind of authority control method and device
Technical Field
The present invention relates to the field of information security technology, and in particular to a permission control method and device.
Background
With the rapid development of networks, network-based office work has become an indispensable part of work. However, precisely because networks are efficient and virtualized, management and permission control are extremely important. The importance of permissions to a system is self-evident. Management and control systems in modern enterprises are mostly distributed and multi-point integrated, with multi-level, multi-class permission administrators; under the principle that each performs its own duties, how to balance centralization and delegation of authority is one of the important tasks of a management and control system.
The permission control frameworks currently popular in the industry are the Shiro framework (Shiro: in Java, Shiro refers to Apache Shiro, a powerful and easy-to-use Java security framework) and the Spring Security framework. Both security frameworks provide authentication, authorization, session management and password encryption. Spring Security is powerful but must rely on Spring, and is inflexible and heavyweight. Shiro is lightweight, but authorizing through interception or annotations gives a poor user experience, while tag-based and programmatic authorization have poor source-code reusability, are too tightly coupled, do not conform to web standards, and offer insufficient support for custom development.
Specifically, as shown in Fig. 1, the Shiro framework pursues comprehensiveness and emphasizes one-stop service. Before a request reaches the service, the permission framework first judges whether authentication has passed, then judges whether the request is within a session, and finally judges whether the user has permission for the current request. However, because comprehensive permission control is one part of the framework, configuring even just the permission-control logic still requires all three steps, which results in repeated operations (for example, the authentication step and authorization check step above are added needlessly). As a result, every operation is verified by the permission framework, and the user learns whether they have permission only after performing the action, so the user experience is poor. Tags can control a user's button-level permissions dynamically, but they depend heavily on the JSP environment, which hinders static processing of the project front end and is inefficient. Permission query, verification and filtering are all completed on the server, so delays occur when client concurrency is high. In addition, the Shiro security framework is deeply encapsulated and its files are large, so learning and maintenance costs are high.
Therefore, a technical problem urgently to be solved by those skilled in the art is how to provide a permission control scheme that matches user operating habits and gives a good user experience.
Summary of the Invention
The present invention provides a permission control method and device to solve the problem in conventional permission control schemes that not all of the displayed menus or buttons are ones the user has operating permission for, which leads to a poor user experience.
To solve the above problem, according to one aspect of the present invention, a permission control method is disclosed, including:
when permission control data is received, obtaining the permission information of each role, wherein the permission information includes at least menu-level permission information and button-level permission information;
caching the permission information classified by role;
according to the target role of the current user, looking up in the cached permission information the target permission set information of the current user corresponding to the target role;
looking up menu-level permission set information in the target permission set information, wherein the menu-level permission set information includes the menu information of multiple menus and the current user's permission information for the multiple menus;
sending the menu-level permission set information to the client so that the client can display the multiple menus according to the menu information;
receiving the client's trigger request for a target menu among the displayed menus, and determining the target page corresponding to the trigger request;
determining, according to the button-level permission information in the target permission set information and the button information of the target page, the button-level permission set information of the multiple buttons in the target page on which the current user has operating permission, wherein the button-level permission set information includes the button information of the multiple buttons and the current user's permission information for the multiple buttons;
in response to the trigger request, sending the button-level permission set information to the client so that the client can display the multiple buttons on the target page according to the button information of the multiple buttons.
According to another aspect of the present invention, a permission control device is also disclosed, including:
an acquisition module, configured to obtain the permission information of each role when permission control data is received, wherein the permission information includes at least menu-level permission information and button-level permission information;
a cache module, configured to cache the permission information classified by role;
a first lookup module, configured to look up, in the cached permission information and according to the target role of the current user, the target permission set information of the current user corresponding to the target role;
a second lookup module, configured to look up menu-level permission set information in the target permission set information, wherein the menu-level permission set information includes the menu information of multiple menus and the current user's permission information for the multiple menus;
a sending module, configured to send the menu-level permission set information to the client so that the client can display the multiple menus according to the menu information;
a first receiving module, configured to receive the client's trigger request for a target menu among the displayed menus and determine the target page corresponding to the trigger request;
a determining module, configured to determine, according to the button-level permission information in the target permission set information and the button information of the target page, the button-level permission set information of the multiple buttons in the target page on which the current user has operating permission, wherein the button-level permission set information includes the button information of the multiple buttons and the current user's permission information for the multiple buttons;
a first response module, configured to send, in response to the trigger request, the button-level permission set information to the client so that the client can display the multiple buttons on the target page according to the button information of the multiple buttons.
Compared with the prior art, the present invention has the following advantages:
The present invention divides permissions, by control granularity, into menu-level permission set information and button-level permission set information, wherein the menu-level permission set information is generated according to the user's role, and the generation and display of menus or buttons are controlled directly by permission, so that every menu and button the user sees is one the user has operating permission for. This reduces unnecessary network interaction, matches user operating habits, and improves the user experience.
Brief Description of the Drawings
Fig. 1 is a flow chart of the steps of a permission control method embodiment in the prior art;
Fig. 2 is a flow chart of the steps of a permission control method embodiment of the present invention;
Fig. 3 is a flow chart of the steps of another permission control method embodiment of the present invention;
Fig. 4 is a structural block diagram of a permission control device embodiment of the present invention.
Detailed Description
To make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 2 shows a flow chart of the steps of a permission control method embodiment of the present invention. Fig. 3 shows a flow chart of a permission control method of the present invention based on the B/S (browser/server) model. As can be seen, the permission control method involves three parts: the client (a browser in this example), the web service (a server in this example), and the database.
Note: the flow chart in Fig. 3 of this embodiment shows only the permission-related parts; the flow elements not shown are known methods and are not described here.
The permission control method of the embodiment of the present invention is described in detail below with reference to Fig. 2 and Fig. 3.
With reference to Fig. 2, the method of the embodiment of the present invention may specifically include the following steps:
Step 101, when permission control data is received, obtaining the permission information of each role, wherein the permission information includes at least menu-level permission information and button-level permission information;
With reference to Fig. 3, when the permission control service starts, that is, when permission control data is received, the server queries the database to obtain the permission information of each role in the target system that uses the permission control method of this embodiment, wherein the permission information of each role is all the permission information that the role has.
Menu-level permission information includes the operator's control permission for the URL corresponding to a menu, and the menu information of that menu (such as the elements in the menu and the menu's rendering information). Having permission for a URL means the user can access the service corresponding to that URL; otherwise the user is denied access to that service.
Button-level permission information includes the operator's control permission for the request corresponding to a button (or another element that can trigger an action), and the button information of that button (such as the button's elements and rendering information). Examples are the "modify", "delete" and "update" buttons in a typical application system: the "modify" button corresponds to a back-end request address, and a user with this permission can access the address, while otherwise the request is rejected.
Step 102, caching the permission information classified by role;
With reference to Fig. 3, all the permission information obtained for each role can be cached in the role permission cache sub-module. The permission information is stored as role-to-permission-information associations, as shown in Fig. 3: each role is associated with all the permission information that the role has, i.e. its permission set.
Step 103, according to the target role of the current user, looking up in the cached permission information the target permission set information of the current user corresponding to the target role;
The target permission set information likewise includes menu-level permission information and button-level permission information.
In an optional embodiment, when identity authentication or a permission check needs to be performed on the current user, the role set of the current user can be obtained from the session, wherein the role set includes one or more target roles.
That is, a session query determines which roles the current user has, such as product manager or general manager.
In an optional embodiment, when there is one target role, the permission set corresponding to that target role can be obtained directly from the permission sets stored in association as shown in Fig. 3, for example the permission set corresponding to role 2.
In another optional embodiment, when there are multiple target roles, the first target permission set information corresponding to each target role can be looked up in the cached permission information according to the current user's target roles, and the union of the multiple pieces of first target permission set information is determined as the target permission set information of the current user.
That is, if the current user has multiple roles, the permission set corresponding to each target role can be looked up among the permission sets cached in the role permission cache sub-module of Fig. 3. For example, if the user has role 1 and role 2, the permission set corresponding to role 1 and the permission set corresponding to role 2 are both obtained. Because the permission sets of different roles may contain identical permissions, the union of the two permission sets is taken; all the permission information in the union is the information on all the permissions the current user has, and it constitutes the target permission set information.
In an optional embodiment, after step 103 the method of the embodiment of the present invention may also cache the target permission set information;
This makes it easier for later steps to look up information in the target permission set and avoids repeatedly obtaining the target permission set again from the permission sets cached by role in the role permission cache sub-module; the target permission set information can be cached directly here.
Step 104, looking up menu-level permission set information in the target permission set information;
In an optional embodiment, when the current user's identity authentication or permission check succeeds, or when a menu list update request is received, the menu-level permission set information can be looked up in the target permission set information.
The target permission set information includes information on all the permissions the current user has, whereas here only the information on the current user's menu-related permissions needs to be obtained from it;
The menu-level permission set information may include the menu information of multiple menus (i.e. the menus the current user has operating permission for), such as each menu's elements and rendering information, and the current user's permission information for the multiple menus (that is, which operating permissions the user has on each permitted menu).
Step 105, sending the menu-level permission set information to the client so that the client can display the multiple menus according to the menu information of the multiple menus;
With reference to Fig. 3, the server can send the menu-level permission set information (i.e. the menu-level permission set) to the client. The client parses the menu-level permission set, dynamically generates each menu from the menu information in it, and renders the menus, so that the client web page finally displays the multiple menus the user has operating permission for, such as menu 1, menu 2, ... menu n.
Step 106, receiving the client's trigger request for a target menu among the displayed menus, and determining the target page corresponding to the trigger request;
After seeing the displayed menus that the user has operating permission for, the user can perform a trigger operation on any of them from the client (trigger operations include but are not limited to click and double-click), thereby triggering a trigger request for a menu, for example menu 2.
Each menu corresponds to a URL when triggered; that is, the trigger request the client sends is an access request for that URL. The server can therefore determine the target page corresponding to the trigger request, i.e. the target page corresponding to the URL.
In an optional embodiment, before the client sends the trigger request to the server, and after it receives the user's trigger request for the target menu, the client can first perform a logic check on the trigger request using the current user's permission information for the multiple menus received in step 105 (that is, which operating permissions the user has on each permitted menu), verifying whether the current user has permission for the request on the target menu. This prevents menu operations performed with forged user information and reduces unnecessary requests to the server. The trigger request is sent to the server only once it is determined that the current user has operating permission for the target menu, which lightens the processing load on the server.
So when the user operates any of the above menus (for example by clicking it or moving the mouse over it), the client can perform a logic check on the trigger request before sending it to the server, to determine whether the user has operating permission for that menu.
Step 107, determining, according to the button-level permission information in the target permission set information and the button information of the target page, the button-level permission set information of the multiple buttons in the target page on which the current user has operating permission, wherein the button-level permission set information includes the button information of the multiple buttons and the current user's permission information for the multiple buttons;
The target permission set information includes information on all the permissions the current user has, so this step also needs to filter the button-level permission information out of the target permission set information (that is, which permissions the user has on which buttons). In the Fig. 3 embodiment, if for example the user's only role is role 2, the target permission set information corresponds to the permission set of role 2 in Fig. 3. Because the Fig. 3 embodiment does not extract the target permission set information from the role-classified cache and cache it separately, the button-level permission information here is also filtered from the permission set corresponding to role 2 in Fig. 3.
In addition, the server can also determine the button information of the target page the URL points to (i.e. which buttons the page has).
Using these two pieces of information, namely which buttons the user has operating permission for and which buttons the target page contains, it can be determined directly which buttons in the target page the user has operating permission for. The button-level permission set information of the buttons with operating permission in the target page is likewise stored in the classified cache of the role permission cache sub-module.
This step can therefore directly determine the button-level permission set information of the multiple buttons the current user has operating permission for, wherein the button-level permission set information includes the button information of the multiple buttons (such as the button's elements, its rendering information, and the path it points to when triggered) and the current user's permission information for the multiple buttons in the target page on which the user has operating permission;
In an optional embodiment, after step 107 the method of the embodiment of the present invention may also cache the button-level permission set information.
This makes it easier for later steps to look up information in the button-level permission set information and avoids repeatedly obtaining it again from the permission sets cached by role in the role permission cache sub-module or from the target permission set; the button-level permission set information can be cached directly here.
For example, in the flow chart of Fig. 3, the server caches the button-level permission set information separately from the role-classified permission sets, producing the permission cache block.
Step 108, in response to the trigger request, sending the button-level permission set information to the client so that the client can display the multiple buttons on the target page according to the button information of the multiple buttons.
In response to the client's access request for the URL of the target page, the server can send the client the button information of the multiple buttons in the target page on which the current user has operating permission (as shown in Fig. 3, this includes the child element corresponding to each button, i.e. the button's display element, and the path each displayed button points to when triggered, for example the path button 1 points to is "button 1 path") together with the permission information.
The client can use a local button-generation plug-in to display each child element in the target page according to the information received, that is, to display each button the user has operating permission for, and render each button on the target page according to its rendering information (such as where it is displayed and what the display effect is). It also binds events to each button. The events bound to each button are of two types: type one is a trigger event and type two is a redirect event. A trigger event can be a click, Enter key press, double-click and so on; when the user's trigger event on the button is detected, the flow jumps to the corresponding redirect event. A button's redirect event is the operation executed after the button is clicked, such as a delete operation or a submit operation.
In an optional embodiment, after step 108, the method of the embodiment of the present invention may also include:
Step 109, receiving the trigger request of the current user of the client for a target button among the displayed buttons;
The client displays the multiple buttons the current user has operating permission for. When the user triggers any target button, the client can send a trigger request to the server, so that the server receives the current user's trigger request for the target button.
In an optional embodiment, before the client sends the trigger request of step 109 to the server, and after it receives the user's trigger request for the target button, the client can first perform a logic check on the trigger request of step 109 using the current user's permission information for the multiple buttons received in step 107, verifying whether the current user has permission for the requested operation on the target button. This prevents button operations performed with forged user information and reduces unnecessary requests to the server. The trigger request is sent to the server only once it is determined that the current user has operating permission for the target button, which lightens the processing load on the server.
So when the user operates any of the above buttons (for example by clicking it or moving the mouse over it), after receiving the trigger request for the button and before sending it to the server, the client can perform a logic check on the trigger request to determine whether the user has operating permission for that button.
Step 110, querying, in the permission information of the classified cache, whether the current user has operating permission for the trigger request on the target button;
To guard against an attacker who cracks the server-side program logic and masquerades as a user to make the server perform steps 101 to 108 above, and to further strengthen information security, the server can query the permission sets stored per role, as shown in Fig. 3, to determine whether the current user has operating permission for the trigger request on the target button.
In an optional embodiment, if the target permission set information was cached in the steps above, the query of whether the current user has operating permission for the trigger request on the target button can also be made against the cached target permission set information;
Alternatively, if the button-level permission set information was cached in the steps above, i.e. cached separately as the permission cache block shown in Fig. 3, the server can also query the cached button-level permission set information (i.e. the permission cache block) for whether the current user has operating permission for the trigger request on the target button.
Step 111, if so, executing corresponding operating in response to the trigger request.
In this way, can further lifting system safety.
In an optional embodiment, when the trigger request of the target button in step 109 is a request to update authority information (for example, in the subsequent operation after execution shown in Fig. 3, it can be judged whether the trigger request needs to update the permission set; if so, the trigger request for the target button is a request to update authority information), then when step 111 executes the corresponding operation in response to the trigger request, the authority information stored in the database and the authority information of the classified cache (that is, the authority information in the orange permission cache sub-module) may be updated according to the trigger request, as shown in Fig. 3.
If not, the user does not have the access right for the trigger request; the request is regarded as a network attack or an illegal request, and the server refuses it.
In an optional embodiment, when the target permission aggregate information of the above embodiment has also been extracted from the authority information of the classified cache and cached separately, the method of the embodiment of the present invention also needs to update the cached target permission aggregate information according to the trigger request;
In an optional embodiment, when the button grade permission aggregate information of the above embodiment has also been extracted from the authority information of the classified cache and cached separately, giving the permission cache block shown in Fig. 3, the method of the embodiment of the present invention also needs to update the cached button grade permission aggregate information (the permission cache block) according to the trigger request.
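The server-side check of steps 110 and 111, together with the role-classified cache, the multi-role union and the update of database and cache, as an added example that is not part of the patent text. The role names, pages, button ids, status codes and the `PermissionService` class are constructed for illustration.

```python
import copy

# Constructed stand-in for the permission database; every name is hypothetical.
# A permission is a tuple (level, page_or_menu, element_id).
PERMISSION_DB = {
    "auditor": {("menu", "reports", "reports"), ("button", "reports", "export")},
    "operator": {("menu", "users", "users"), ("button", "users", "edit"),
                 ("button", "users", "reset_password")},
    "admin": {("menu", "roles", "roles"),
              ("button", "roles", "update_permission")},
}

# Buttons that exist on each target page (constructed).
PAGE_BUTTONS = {
    "reports": {"export", "delete"},
    "users": {"edit", "reset_password", "delete"},
    "roles": {"update_permission"},
}


class PermissionService:
    def __init__(self, db):
        self.db = db  # authoritative store
        # Cache classified by role: role -> immutable permission set.
        self.cache = {role: frozenset(perms) for role, perms in db.items()}

    def target_permission_set(self, roles):
        """Union of the cached sets of every role the user holds."""
        result = set()
        for role in roles:
            result |= self.cache.get(role, frozenset())  # unknown role grants nothing
        return result

    def menu_level_set(self, roles):
        """Menus to send to the client after login."""
        return sorted(p[1] for p in self.target_permission_set(roles) if p[0] == "menu")

    def button_level_set(self, roles, page):
        """Buttons of the target page for which the user has the operating right."""
        granted = {p[2] for p in self.target_permission_set(roles)
                   if p[0] == "button" and p[1] == page}
        return sorted(granted & PAGE_BUTTONS.get(page, set()))

    def handle_trigger(self, session, request):
        """Steps 110-111: query the cache, then execute or refuse."""
        roles = session.get("roles", ())  # roles come from the session, never the request
        page, button = request.get("page"), request.get("button")
        if not isinstance(page, str) or not isinstance(button, str):
            return 400, "malformed"
        if button not in self.button_level_set(roles, page):
            return 403, "refused"
        if (page, button) == ("roles", "update_permission"):
            return self._update_permission(request)
        return 200, f"executed {page}/{button}"

    def _update_permission(self, request):
        """Apply a permission update to the database and to the classified cache."""
        role, perm = request.get("role"), request.get("permission")
        if not isinstance(role, str) or not isinstance(perm, (list, tuple)) or len(perm) != 3:
            return 400, "malformed"
        perms = self.db.setdefault(role, set())
        if request.get("grant"):
            perms.add(tuple(perm))
        else:
            perms.discard(tuple(perm))
        self.cache[role] = frozenset(perms)  # keep the cache in step with the database
        return 200, f"updated {role}"


def build_service():
    """Fresh service over a private copy of the constructed sample data."""
    return PermissionService(copy.deepcopy(PERMISSION_DB))


if __name__ == "__main__":
    svc = build_service()
    print(svc.button_level_set(["auditor", "operator"], "users"))
    # Request with a forged roles field: the session only holds "auditor".
    print(svc.handle_trigger({"roles": ["auditor"]},
                             {"page": "users", "button": "delete", "roles": ["admin"]}))
```

A `roles` field forged into the request body has no effect, because the roles are read from the server-side session; the refusal therefore holds even when the client-side logic check is bypassed.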
By means of the technical solution of the above embodiment, the present invention divides permissions, by control granularity, into menu level permission aggregate information and button grade permission aggregate information, where the menu level permission aggregate information is generated according to the user's role, and the generation and display of menus and buttons are controlled directly by permission, so that the user has the operating right for every menu and button the user sees. This reduces unnecessary network interaction, matches user operating habits, and improves the user experience.
To sum up, the invention has the following advantages:
(1) The permission control logic is simplified
Permissions are divided, by control granularity, into menu level permissions and button grade permissions. Menu level permissions are generated directly from the user information, and the user has permission for every menu the user can see, which reduces unnecessary network interaction. When a menu is requested, all the possible action permissions (button grade permissions) that the user has for the current request are cached, and all the button grade permissions for which the user has the operating right under that menu are returned;
(2) The user experience is improved
The generation of menus and buttons is controlled directly by permission: the user has permission for every button the user can see, which matches users' general operating habits and gives a better experience.
(3) Coupling with the presentation layer is reduced
Buttons (or elements) with permission are generated dynamically, so tags no longer need to be inserted at specified positions in the original presentation layer, which reduces the coupling with the presentation layer.
(4) Combined use with other frameworks or components is strengthened
When other frameworks or components are used, such as jQgrid, some buttons in a table are generated rather than rendered from tags, so the original tag-based permission control is unavailable. Dynamically generating buttons (or other elements) with this control method meets this kind of need.
(5) Adaptability is improved
A component mechanism is used and is data-driven; when the presentation layer needs permission control, it only needs to include the relevant plug-in.
(6) The front end can be made static
With the authority control method of the embodiment of the present invention, the coupling with JSP (or other required environments) is removed, making the presentation layer more lightweight and flexible; when necessary it can be made completely static.
(7) Rich-client processing; performance is maintained under high concurrency
When the user requests a menu, the server only needs to return the button permission set from the cache, and the client renders the relevant elements according to the returned permission set. Because the workload of the server is small and the data is obtained from the cache, performance remains good under high concurrency. In addition, to prevent network attacks, a permission check can be added to the user's non-query requests.
It should be noted that, for simplicity of description, the method embodiments are expressed as a series of action combinations, but those skilled in the art should understand that the embodiments of the present invention are not limited by the described order of actions, because according to the embodiments of the present invention certain steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Corresponding to the method provided by the above embodiments of the present invention, Fig. 4 shows a structural block diagram of an embodiment of a permission control device of the present invention, which may specifically include the following modules:
An acquisition module 31, configured to obtain the authority information of each role when permission control data is received, where the authority information includes at least menu level authority information and button grade authority information;
A cache module 32, configured to cache the authority information classified by role;
A first searching module 33, configured to search the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles;
A second searching module 34, configured to search the target permission aggregate information for the menu level permission aggregate information, where the menu level permission aggregate information includes the menu information of multiple menus and the authority information of the active user for the multiple menus;
A sending module 35, configured to send the menu level permission aggregate information to the client so that the client can display multiple menus according to the menu information;
A first receiving module 36, configured to receive the client's trigger request for a target menu among the displayed multiple menus and determine the target page corresponding to the trigger request;
A determining module 37, configured to determine, according to the button grade authority information in the target permission aggregate information and the button information of the target page, the button grade permission aggregate information of the multiple buttons in the target page for which the active user has the operating right, where the button grade permission aggregate information includes the button information of the multiple buttons and the authority information of the active user for the multiple buttons;
A first respond module 38, configured to send the button grade permission aggregate information to the client in response to the trigger request, so that the client can display multiple buttons on the target page according to the button information of the multiple buttons.
Optionally, the first searching module 33 includes:
A first searching submodule, configured to, when there are multiple target roles, search the cached authority information, according to the target roles of the active user, for the first target permission aggregate information corresponding to each target role;
A determination submodule, configured to determine the union of the multiple pieces of first target permission aggregate information as the target permission aggregate information of the active user.
Optionally, the first searching module 33 further includes:
An acquisition submodule, configured to obtain the role set of the active user through the session when identity authentication or an authorization check is performed on the active user, where the role set includes one or more target roles;
A second searching submodule, configured to search the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles.
Optionally, the second searching module 34 includes:
A third searching submodule, configured to search the target permission aggregate information for the menu level permission aggregate information when the identity authentication of the active user succeeds, or the authorization check succeeds, or a menu list update request is received.
Optionally, the device further includes:
A second receiving module, configured to receive the trigger request of the active user of the client for a target button among the displayed multiple buttons;
An enquiry module, configured to query, in the authority information of the classified cache, whether the active user has the operating right for the trigger request of the target button;
A second respond module, configured to execute the corresponding operation in response to the trigger request if the enquiry module finds, in the authority information of the classified cache, that the active user has the operating right for the trigger request of the target button.
Optionally, the second respond module includes:
An update submodule, configured to, when the trigger request of the target button is a request to update authority information, update the authority information stored in the database and the authority information of the classified cache according to the trigger request.
Since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, refer to the corresponding parts of the description of the method embodiments.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a device, or a computer program product. Therefore, the embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing terminal equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal equipment produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing terminal equipment to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal equipment, so that a series of operation steps is executed on the computer or other programmable terminal equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable terminal equipment thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The authority control method and the permission control device provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, according to the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (12)

1. An authority control method, characterized by comprising:
when permission control data is received, obtaining the authority information of each role, wherein the authority information includes at least menu level authority information and button grade authority information;
caching the authority information classified by role;
searching the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles;
searching the target permission aggregate information for menu level permission aggregate information, wherein the menu level permission aggregate information includes the menu information of multiple menus and the authority information of the active user for the multiple menus;
sending the menu level permission aggregate information to a client so that the client can display multiple menus according to the menu information;
receiving the client's trigger request for a target menu among the displayed multiple menus, and determining the target page corresponding to the trigger request;
determining, according to the button grade authority information in the target permission aggregate information and the button information of the target page, the button grade permission aggregate information of the multiple buttons in the target page for which the active user has the operating right, wherein the button grade permission aggregate information includes the button information of the multiple buttons and the authority information of the active user for the multiple buttons;
in response to the trigger request, sending the button grade permission aggregate information to the client so that the client can display multiple buttons on the target page according to the button information of the multiple buttons.
2. The method according to claim 1, characterized in that, when there are multiple target roles, searching the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles comprises:
searching the cached authority information, according to the target roles of the active user, for the first target permission aggregate information corresponding to each target role;
determining the union of the multiple pieces of first target permission aggregate information as the target permission aggregate information of the active user.
3. The method according to claim 1, characterized in that searching the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles further comprises:
when identity authentication or an authorization check is performed on the active user, obtaining the role set of the active user through the session, wherein the role set includes one or more target roles;
searching the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles.
4. The method according to claim 3, characterized in that searching the target permission aggregate information for the menu level permission aggregate information comprises:
when the identity authentication of the active user succeeds, or the authorization check succeeds, or a menu list update request is received, searching the target permission aggregate information for the menu level permission aggregate information.
5. The method according to claim 1, characterized in that, after sending the button grade permission aggregate information to the client in response to the trigger request so that the client can display multiple buttons on the target page according to the button information of the multiple buttons, the method further comprises:
receiving the trigger request of the active user of the client for a target button among the displayed multiple buttons;
querying, in the authority information of the classified cache, whether the active user has the operating right for the trigger request of the target button;
if so, executing the corresponding operation in response to the trigger request.
6. The method according to claim 5, characterized in that, when the trigger request of the target button is a request to update authority information, executing the corresponding operation in response to the trigger request comprises:
updating, according to the trigger request, the authority information stored in the database and the authority information of the classified cache.
7. A permission control device, characterized by comprising:
an acquisition module, configured to obtain the authority information of each role when permission control data is received, wherein the authority information includes at least menu level authority information and button grade authority information;
a cache module, configured to cache the authority information classified by role;
a first searching module, configured to search the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles;
a second searching module, configured to search the target permission aggregate information for menu level permission aggregate information, wherein the menu level permission aggregate information includes the menu information of multiple menus and the authority information of the active user for the multiple menus;
a sending module, configured to send the menu level permission aggregate information to a client so that the client can display multiple menus according to the menu information;
a first receiving module, configured to receive the client's trigger request for a target menu among the displayed multiple menus and determine the target page corresponding to the trigger request;
a determining module, configured to determine, according to the button grade authority information in the target permission aggregate information and the button information of the target page, the button grade permission aggregate information of the multiple buttons in the target page for which the active user has the operating right, wherein the button grade permission aggregate information includes the button information of the multiple buttons and the authority information of the active user for the multiple buttons;
a first respond module, configured to send the button grade permission aggregate information to the client in response to the trigger request, so that the client can display multiple buttons on the target page according to the button information of the multiple buttons.
8. The device according to claim 7, characterized in that the first searching module comprises:
a first searching submodule, configured to, when there are multiple target roles, search the cached authority information, according to the target roles of the active user, for the first target permission aggregate information corresponding to each target role;
a determination submodule, configured to determine the union of the multiple pieces of first target permission aggregate information as the target permission aggregate information of the active user.
9. The device according to claim 7, characterized in that the first searching module further comprises:
an acquisition submodule, configured to obtain the role set of the active user through the session when identity authentication or an authorization check is performed on the active user, wherein the role set includes one or more target roles;
a second searching submodule, configured to search the cached authority information, according to the target roles of the active user, for the target permission aggregate information of the active user corresponding to the target roles.
10. The device according to claim 9, characterized in that the second searching module comprises:
a third searching submodule, configured to search the target permission aggregate information for the menu level permission aggregate information when the identity authentication of the active user succeeds, or the authorization check succeeds, or a menu list update request is received.
11. The device according to claim 7, characterized in that the device further comprises:
a second receiving module, configured to receive the trigger request of the active user of the client for a target button among the displayed multiple buttons;
an enquiry module, configured to query, in the authority information of the classified cache, whether the active user has the operating right for the trigger request of the target button;
a second respond module, configured to execute the corresponding operation in response to the trigger request if the enquiry module finds, in the authority information of the classified cache, that the active user has the operating right for the trigger request of the target button.
12. The device according to claim 11, characterized in that the second respond module comprises:
an update submodule, configured to, when the trigger request of the target button is a request to update authority information, update the authority information stored in the database and the authority information of the classified cache according to the trigger request.
CN201810260521.9A 2018-03-27 2018-03-27 Authority control method and device Active CN108600177B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810260521.9A CN108600177B (en) 2018-03-27 2018-03-27 Authority control method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810260521.9A CN108600177B (en) 2018-03-27 2018-03-27 Authority control method and device

Publications (2)

Publication Number Publication Date
CN108600177A true CN108600177A (en) 2018-09-28
CN108600177B CN108600177B (en) 2020-06-12

Family

ID=63623732

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810260521.9A Active CN108600177B (en) 2018-03-27 2018-03-27 Authority control method and device

Country Status (1)

Country Link
CN (1) CN108600177B (en)


Also Published As

Publication number Publication date
CN108600177B (en) 2020-06-12

Similar Documents

Publication Publication Date Title
CN108600177A (en) A kind of authority control method and device
CN108370374B (en) Certificate update and deployment
CN113010911B (en) Data access control method, device and computer readable storage medium
US10171455B2 (en) Protection of application passwords using a secure proxy
CN107196951B (en) A kind of implementation method and firewall system of HDFS system firewall
CN109792439A (en) Dynamic strategy injection and access visualization for threat detection
CN110519240B (en) Single sign-on method, device and system
US9485244B2 (en) Executing an operation over file repositories located in different authentication domains using a representational state transfer (REST)-compliant client
US20120254996A1 (en) Dns resolution, policies, and views for large volume systems
US10938823B2 (en) Authenticating a request for an electronic transaction
CN109617933A (en) Utilize the network-based single-sign-on of form filling agent application
CN109597643A (en) Using gray scale dissemination method, device, electronic equipment and storage medium
CN112073289B (en) Instant messaging control method and device
CN106464497A (en) Methods and systems of issuing, transmitting and managing tokens using a low-latency session syndication framework
CN110197075A (en) Resource access method, calculates equipment and storage medium at device
US20180205705A1 (en) Network request proxy system and method
CN112383534B (en) Data access authority control method and device
US11765112B2 (en) Context driven dynamic actions embedded in messages
CN112688983A (en) Proxy right management device, terminal device and storage medium
CN108449308A (en) Identify the method and device that malice resource accesses
CN106254528A (en) A kind of resource downloading method and buffer memory device
CN103415847A (en) A system and method for accessing a service
CN110210191A (en) A kind of data processing method and relevant apparatus
CN111190664A (en) Method and system for generating page
CN106209746B (en) Security service providing method and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant