CN109150787A - Permission acquisition method, apparatus, device and storage medium - Google Patents
Publication number: CN109150787A
Application number: CN201710444357.2A
Authority: CN (China)
Prior art keywords: access, authority, information, user information, request
Legal status: Withdrawn (Google notes that the legal status is an assumption, not a legal conclusion; no legal analysis has been performed.)
Classifications (CPC, all under H04L: Transmission of digital information; H04L9/00: Cryptographic mechanisms or arrangements for secret or secure communications, network security protocols; H04L63/00: Network architectures or network communication protocols for network security)
- H04L9/40: Network security protocols
- H04L63/0892: Authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/083: Authentication of entities using passwords
- H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/102: Controlling access to devices or network resources; entity profiles
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Business, Economics & Management; Accounting & Taxation; Power Engineering; Storage Device Security
Abstract
The embodiments of the invention disclose a permission acquisition method, apparatus, device and storage medium. The method includes: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (RADIUS) server, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response, sent by the RADIUS server, that carries the access permission information.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a permission acquisition method, apparatus, device and storage medium.
Background technique
A device that stores accessible or usable resources may be called a resource device, and a resource device can provide the resources on it to a resource requestor.
When a resource requestor asks to access the resource device or to use a resource on it, the resource device authenticates the resource requestor against the permission data of legitimate users that it stores in advance; if authentication passes, it provides the resource on the resource device to the resource requestor holding a legitimate user identity.
However, when the permission data of legitimate users is stored on the resource device, an illegal user may still obtain the resources on the resource device once the device is stolen or suffers a network attack, which poses a great security risk.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a permission acquisition method, apparatus, device and storage medium that can prevent illegal users from obtaining the resources stored on a resource device.
The technical solution of the embodiments of the present invention is achieved as follows.
In a first aspect, an embodiment of the present invention provides a permission acquisition method, which includes: sending a permission acquisition request carrying user information to a Remote Authentication Dial In User Service (RADIUS) server, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and receiving a permission acquisition response, sent by the RADIUS server, that carries the access permission information.
In the above scheme, before sending the permission acquisition request carrying the user information to the RADIUS server, the method includes: receiving a resource access request carrying the user information, the resource access request being used to obtain the accessible resources on a resource device that correspond to the user information. Correspondingly, after receiving the permission acquisition response carrying the access permission information from the RADIUS server, the method includes: determining, from the access permission information, the accessible resources on the resource device that correspond to the user information.
In the above scheme, the resource device is a home gateway. Receiving the resource access request carrying the user information includes: receiving a login request carrying the user information sent by an Internet-of-Things (IoT) terminal, the login request requesting the accessible resources in the home gateway that correspond to the user information. Determining, from the access permission information, the accessible resources on the resource device that correspond to the user information includes: determining, from the access permission information, the accessible resources on the home gateway that correspond to the IoT terminal.
In the above scheme, the user information includes the Media Access Control (MAC) address and a password of the IoT terminal, and the same MAC address combined with different passwords corresponds to the same or different access permission information.
In the above scheme, the resource device is a terminal device and the accessible resources are the set of applications that are allowed to be enabled. Before sending the permission acquisition request carrying the user information to the RADIUS server, the method includes: entering a user information acquisition state after receiving an enable operation by which the user instructs an application on the terminal device to start; and receiving the user information while in the user information acquisition state. After receiving the permission acquisition response carrying the access permission information from the RADIUS server, the method includes: determining, from the set of applications allowed to be enabled that corresponds to the access permission information, whether the application is to be enabled.
In the above scheme, the user information includes a user name and a password, and the same user name combined with different passwords corresponds to different access permission information.
In the above scheme, sending the permission acquisition request carrying the user information to the RADIUS server includes: sending to the RADIUS server an access request message (Access-Request) carrying the user information and an access permission identifier. Receiving the permission acquisition response carrying the access permission information from the RADIUS server includes: receiving an access accept message (Access-Accept), sent by the RADIUS server, that carries the access permission information.
In the above scheme, after receiving the Access-Accept message carrying the access permission information from the RADIUS server, the method includes: sending to the RADIUS server an accounting request message (Accounting-Request) carrying the access permission information, the accounting request message being used to request that the RADIUS server determine the charging mode and/or charging rate corresponding to the user information from the access permission information.
In the above scheme, the Access-Request message contains an attribute value pair (AVP) field whose type field denotes the access permission identifier.
In a second aspect, an embodiment of the present invention provides a permission acquisition method, which includes: a RADIUS server receiving a permission acquisition request carrying user information sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and sending to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
In the above scheme, the RADIUS server receiving the permission acquisition request carrying the user information sent by the RADIUS client includes: the RADIUS server receiving an Access-Request message, sent by the RADIUS client, that carries the user information and an access permission identifier. Sending to the RADIUS client the permission acquisition response carrying the access permission information corresponding to the user information includes: sending to the RADIUS client an Access-Accept message carrying the access permission information corresponding to the user information.
In the above scheme, the access permission information is used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
In the above scheme, after sending to the RADIUS client the Access-Accept message carrying the access permission information corresponding to the user information, the method includes: receiving an Accounting-Request message, sent by the RADIUS client, that carries the access permission information; and determining from the access permission information the charging mode and/or charging rate corresponding to the user information.
In a third aspect, an embodiment of the present invention provides a permission acquisition apparatus, which includes: a first sending module configured to send a permission acquisition request carrying user information to a RADIUS server, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and a first receiving module configured to receive the permission acquisition response, sent by the RADIUS server, that carries the access permission information.
In a fourth aspect, an embodiment of the present invention provides a permission acquisition apparatus, which includes: a second receiving module configured to receive a permission acquisition request carrying user information sent by a RADIUS client, the permission acquisition request being used to obtain the access permission information corresponding to the user information; and a second sending module configured to send to the RADIUS client a permission acquisition response carrying the access permission information corresponding to the user information.
In the above scheme, the access permission information is used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
In a fifth aspect, an embodiment of the present invention provides a resource device, which includes a memory, a processor, and a permission acquisition program stored in the memory and runnable on the processor; when the processor executes the program, it implements any permission acquisition method of the first aspect.
In a sixth aspect, an embodiment of the present invention provides a RADIUS authentication server, which includes a memory, a processor, and a permission acquisition program stored in the memory and runnable on the processor; when the processor executes the program, it implements any permission acquisition method of the second aspect.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium storing a permission acquisition program; when the permission acquisition program is executed by a processor, it implements the steps of any permission acquisition method of the first aspect or the second aspect.
With the permission acquisition method provided by the embodiments of the present invention, a permission acquisition request carrying user information is sent to the RADIUS server to obtain the access permission information corresponding to the user information, and the permission acquisition response carrying the access permission information sent by the RADIUS server is received. Because the accessible resources corresponding to the user information are obtained by the RADIUS server on the network side authenticating the user information against the permission data stored on the RADIUS server, and an illegal user cannot obtain the permission data stored on the RADIUS server, the illegal user cannot obtain the resources on the resource device.
Detailed description of the invention
Figure 1A is the first network architecture schematic diagram of the permission acquisition method in an embodiment of the present invention;
Figure 1B is a flow diagram of the permission acquisition method implemented on the basis of a RADIUS server in an embodiment of the present invention;
Fig. 2A is the first interaction flow diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 2B is a schematic diagram of the format of the attribute value pair field in the permission acquisition method in an embodiment of the present invention;
Fig. 3 is the first processing flow diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 4A is the second network architecture schematic diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 4B is the second interaction flow diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 5 is the second processing flow diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 6A is the third network architecture schematic diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 6B is the third processing flow diagram of the permission acquisition method in an embodiment of the present invention;
Fig. 7 is the first structural schematic diagram of the permission acquisition apparatus in an embodiment of the present invention;
Fig. 8 is the second structural schematic diagram of the permission acquisition apparatus in an embodiment of the present invention;
Fig. 9 is a structural schematic diagram of the resource device in an embodiment of the present invention;
Figure 10 is a structural schematic diagram of the RADIUS server in an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments.
Embodiment one
Figure 1A is the first network architecture schematic diagram of the permission acquisition method in an embodiment of the present invention. As shown in Figure 1A, the network architecture of the embodiment may include a resource requestor 10, a resource device 11 and an authentication server 12. The resource device 11 may be a device such as a home gateway or a terminal device such as a mobile phone; the resource requestor 10 may be another device or a user, for example an Internet-of-Things (IoT) terminal. The resource device 11 can provide the resource requestor 10 with the accessible resources that correspond to the access permission of the resource requestor 10.
In an embodiment of the present invention, the resource requestor 10 sends a resource access request carrying user information to the resource device 11. The resource access request may be a login request asking for the accessible resources on the resource device that correspond to the user information. The resource device 11 then sends a permission acquisition request carrying the user information to the authentication server 12, in order to obtain the access permission that the authentication server 12 determines for that user information. The resource device 11 uses the returned access permission to determine which resources on the resource device 11 the user information is allowed to access, and lets the resource requestor 10 use those resources. In other embodiments of the present invention, the resource access request sent by the resource requestor 10 to the resource device 11 may instead be an enable request asking to enable a certain resource on the resource device 11. After receiving such a request, the resource device 11 may trigger the resource requestor 10 to report its user information, obtain the access permission corresponding to that user information from the authentication server, and then decide from that access permission whether the resource requestor 10 is allowed to enable the requested resource: if the requested resource is among the resources that the access permission allows to be used on the resource device 11, the resource requestor 10 is allowed to enable it.
Because the storage of user data and the authentication process are carried out by the authentication server 12, the resource device 11 does not need to store the data of all legitimate users, which avoids the loss of user data when the resource device 11 is lost or suffers a network attack.
In an embodiment of the present invention, the access permission corresponding to the user information may be expressed as access permission information, which may include at least one of an access permission level, an access permission range, an access permission size and access permission content. Different user information may correspond to the same or different access permission information, and different access permission information may correspond to different accessible resources on the resource device 11. The resource device 11 or the server 12 may store, for each access permission level, the corresponding range of accessible resources or the size or quantity of accessible resources, so that the resource device 11 can provide the resource requestor 10 with the accessible resources that correspond to the access permission information of the user information. For example, the user information may include a user name and a password. In one example, different user information means different user names, and different user names may correspond to the same or different access permission information. In another example, different user information means different combinations of user name and password, so that the same user name combined with different passwords may also correspond to the same or different access permission information. Using these matching rules between user information and access permission information gives the resource device 11 a more flexible way of controlling accessible resources.
In an embodiment of the present invention, the authentication server 12 may be a Remote Authentication Dial In User Service (RADIUS) server, in which case the resource device 11 carries out the permission acquisition exchange with the RADIUS server through a RADIUS client. Note that the RADIUS client may be deployed on the resource device 11 or located outside it.
Figure 1B is a flow diagram of the permission acquisition method implemented on the basis of a RADIUS server in an embodiment of the present invention. The executing entity of this embodiment may be a resource device on which a RADIUS client is deployed, or the RADIUS client deployed on the resource device, or a RADIUS client deployed outside the resource device that has established a communication connection with it. As shown in Figure 1B, the steps of the embodiment may include:
S101: send a permission acquisition request carrying user information to the RADIUS server; the permission acquisition request is used to obtain the access permission information corresponding to the user information.
In an embodiment of the present invention, after the resource device 11 receives a resource access request carrying user information, the resource device 11 sends the permission acquisition request to the RADIUS server through a RADIUS client, which may be the RADIUS client deployed on the resource device 11 itself. For example, after receiving the resource access request, the resource device 11 may send an authentication request carrying the user information to the RADIUS client, which triggers the RADIUS client to start an authentication flow with the RADIUS server.
S102: receive the permission acquisition response, sent by the RADIUS server, that carries the access permission information corresponding to the user information.
In an embodiment of the present invention, the access permission information is used to determine the accessible resources corresponding to the user information, and different access permission information corresponds to different accessible resources.
The RADIUS server authenticates and authorizes the user information against the authentication data and permission data of legitimate users that it stores itself. If authentication passes, it carries the access permission information corresponding to the user information in the permission acquisition response and sends it to the resource device 11 or the RADIUS client. The RADIUS client may then pass the access permission information to the resource device 11 in an authentication response. The resource device 11 then determines from the access permission information which resources on the resource device 11 the user information may access; different access permission information may correspond to different accessible resources on the resource device.
With the permission acquisition method provided by the embodiment of the present invention, when a user wants to obtain accessible resources on a resource device, the user information used by the resource requestor is first authenticated by the RADIUS server, which determines the access permission information corresponding to the resource requestor. Since different access permission information corresponds to different accessible resources, the data and resources stored on the resource device are opened only to legitimate users who hold the access permission, which prevents illegal users from obtaining the data stored on the resource device.
Embodiment two
In an embodiment of the present invention, the access request message (Access-Request) and the access accept message (Access-Accept) defined in RFC 2865 of the Request For Comments (RFC) series may be used as alternative implementations of the permission acquisition request and the permission acquisition response described above. Fig. 2A is the first interaction flow diagram of the permission acquisition method in an embodiment of the present invention. As shown in Fig. 2A, the interaction between the RADIUS client and the RADIUS server may include:
S201: the RADIUS client sends an Access-Request message to the RADIUS server.
The Access-Request message may carry an access permission identifier together with the user information, to indicate that this Access-Request is asking for the access permission information corresponding to the user information. For example, the embodiment extends the use of the type field of the attribute value pair (AVP) field defined in RFC 2865, that is, the type number field within the attribute list. Illustratively, the Access-Request message contains an AVP field whose type field denotes the access permission identifier.
Fig. 2B is a schematic diagram of the format of the attribute value pair field in the permission acquisition method of the embodiment. As shown in Fig. 2B, an AVP field may include a type field, a length field and a value field; the type field is also called the RADIUS type field. In this example the type, length and value fields each occupy one byte. In the "Assigned Numbers" part of section 6 of RFC 2865, the use of the enumerated values of the type field of an AVP is defined as follows: values 192-223 are reserved for experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are reserved.
In an embodiment of the present invention, the values of the type field are used as follows. The Access-Request message carries an AVP field whose type value is 224 to indicate that the Access-Request is asking for access permission information; in other words, an AVP whose type is 224 serves as the identifier of the message flow that requests access permission information, and this identifier may be called the access permission identifier (access permission). In other embodiments of the present invention, another value in the range 224-240 may be used as the identifier for requesting access permission information. In one example, the value field of this AVP in the Access-Request message is 0.
S202: the RADIUS server sends an Access-Accept message to the RADIUS client.
After authenticating the user information, if authentication passes, the RADIUS server carries the access permission information corresponding to the user information in the Access-Accept message sent to the RADIUS client. Illustratively, the AVP field in the Access-Accept message has type 224 and its value field holds the access permission information corresponding to the user information, for example any value from 1 to 254. In other embodiments of the present invention, if the user information passes authentication but no matching access permission information is found for it in the permission database, the RADIUS server may carry an AVP with type 224 and value 255 in the Access-Accept message to indicate that no access permission information is configured for the user information.
In other embodiments of the present invention, if the RADIUS server determines after authentication that the user is illegitimate, that is, the authentication result is a failure, the RADIUS server may instead send an access reject message (Access-Reject) to the RADIUS client carrying information that identifies the user information as having no access permission. Illustratively, the AVP field in the Access-Reject message may have type 224 and value 255 to identify that the user information has no access permission information. In other embodiments of the present invention, the Access-Reject message may also omit the AVP field of type 224.
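The Access-Request/Access-Accept exchange of steps S201 and S202 above (and the S101/S102 flow of Embodiment one) is worked through below as an added example; it is constructed Python, not the patent's or any vendor's code. The shared secret, the user table, the permission-level-to-resource map and the attribute name "Access-Permission" are assumptions. It makes explicit what the patent text leaves out for a practitioner: the User-Password attribute is hidden with the RFC 2865 MD5 scheme (weak by today's standards, which is why RADIUS should run inside IPsec or RADIUS/TLS, RFC 6614, on anything but a trusted link); the client must verify the Response Authenticator before trusting the returned permission, otherwise anyone who can spoof a UDP reply can grant themselves a level; and both the type-224/value-255 sentinel and an Access-Reject resolve to "no resources". One caveat on the attribute numbering: RFC 6929 (2013) later assigned types 241-246 to extended attributes, while 224-240 remain implementation-specific, so a type-224 AVP is private to one deployment and another vendor's RADIUS stack may interpret it differently or strip it.

```python
import hashlib
import secrets
import struct

# Constructed example (not the patent's code). Codes and attribute numbers are from RFC 2865;
# ACCESS_PERMISSION = 224 is the patent's implementation-specific type and NO_PERMISSION = 255
# its "nothing configured" sentinel. The secret, the users and the resource map are assumed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, ACCESS_PERMISSION, NO_PERMISSION = 1, 2, 224, 255
SECRET = b"example-shared-secret"
USERS = {b"alice": (b"alice-pw", 2), b"bob": (b"bob-pw", None)}   # name -> (password, level or None)
RESOURCES = {1: {"guest-wifi"}, 2: {"guest-wifi", "nas-share"},
             3: {"guest-wifi", "nas-share", "admin-ui"}}          # level -> accessible resources

def avp(t, value):
    """Encode one attribute: Type (1 octet), Length (1 octet, header included), Value."""
    return bytes([t, len(value) + 2]) + value

def parse_avps(data):
    """Decode a run of attributes; reject bad lengths instead of looping or over-reading."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out

def decode_avp(raw):
    """Render an attribute the way a packet analyser prints it: 'AVP: l=3 t=Access-Permission(224): 0'."""
    t, value = parse_avps(raw)[0]
    name = "Access-Permission" if t == ACCESS_PERMISSION else f"Type{t}"
    return f"AVP: l={len(value) + 2} t={name}({t}): {int.from_bytes(value, 'big')}"

def hide_password(password, secret, req_auth):
    """RFC 2865 s.5.2: pad to 16 octets, XOR each block with MD5(secret + previous block/authenticator)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        block = bytes(p ^ b for p, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; the server strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret=SECRET):
    """S201: Access-Request with User-Name, hidden User-Password and the type-224 AVP with value 0."""
    req_auth = secrets.token_bytes(16)          # Request Authenticator: fresh random per request
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + avp(ACCESS_PERMISSION, b"\x00"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_handle(req, secret=SECRET):
    """S202: authenticate, look up the level, answer Access-Accept (level or 255) or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    req_auth, attrs = req[4:20], dict(parse_avps(req[20:length]))
    if code != ACCESS_REQUEST or ACCESS_PERMISSION not in attrs:
        raise ValueError("not a permission request")
    record = USERS.get(attrs.get(USER_NAME))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if record is None or not secrets.compare_digest(password, record[0]):
        code, level = ACCESS_REJECT, NO_PERMISSION            # authentication failed
    else:
        code, level = ACCESS_ACCEPT, record[1] if record[1] is not None else NO_PERMISSION
    resp_attrs = avp(ACCESS_PERMISSION, bytes([level]))
    head = struct.pack("!BBH", code, ident, 20 + len(resp_attrs))
    # Response Authenticator (RFC 2865 s.3) binds the reply to this request and the shared secret.
    return head + hashlib.md5(head + req_auth + resp_attrs + secret).digest() + resp_attrs

def client_handle(resp, ident, req_auth, secret=SECRET):
    """Verify the reply before trusting it, then map the level to the resources the requestor may use."""
    code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    attrs_raw = resp[20:length]
    expected = hashlib.md5(resp[:4] + req_auth + attrs_raw + secret).digest()
    if resp_ident != ident or not secrets.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator: discard (spoofed reply or wrong secret)")
    level = dict(parse_avps(attrs_raw)).get(ACCESS_PERMISSION, bytes([NO_PERMISSION]))[0]
    if code != ACCESS_ACCEPT or level == NO_PERMISSION:
        return set()
    return RESOURCES.get(level, set())

def acquire_permission(username, password, ident=7):
    """The whole exchange as the resource device would drive it; returns the accessible resources."""
    req, req_auth = build_access_request(ident, username, password)
    return client_handle(server_handle(req), ident, req_auth)

if __name__ == "__main__":
    print(decode_avp(b"\xe0\x03\x00"))
    print(sorted(acquire_permission(b"alice", b"alice-pw")))
```

Running it prints the analyser-style decode of the request AVP and the resource set for alice; bob authenticates but has no level configured, so his Access-Accept carries value 255 and he gets nothing, and a wrong password yields an Access-Reject that the client treats identically. Flipping any byte of the reply makes client_handle raise rather than grant.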
In other embodiments of the present invention, after the RADIUS server sends the Access-Accept message to the RADIUS client, the following steps for starting an accounting flow may also be included:
S203: the RADIUS client sends an Accounting-Request message to the RADIUS server.
The accounting request message (Accounting-Request) may carry the user information and may also carry the access permission information corresponding to the user information. Illustratively, the AVP field in the Accounting-Request message has type 224 and its value field holds the access permission information corresponding to the user information.
S204: the RADIUS server sends an Accounting-Response message to the RADIUS client.
After sending the accounting response (Accounting-Response) to the RADIUS client, the RADIUS server may charge for the resource access operations related to the user information according to the access permission information corresponding to that user information. In the embodiment of the present invention, different access permission information may correspond to different charging modes and/or charging rates. A charging mode may, for example, be charging at different rates in different time periods, or pay-per-use; a charging rate may, for example, be a resource usage rate per unit of time.
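Steps S203 and S204, worked through as an added example in constructed Python that is not the patent's code. Accounting packets authenticate differently from access packets: RFC 2866 replaces the random Request Authenticator with an MD5 over the packet (with sixteen zero octets in the authenticator field) keyed by the shared secret, and a server that accepts a forged Accounting-Request would bill on attacker-chosen permission levels, so the check comes before anything is read. The rate table, secret and attribute name are assumptions; the type-224 attribute is the patent's implementation-specific one.

```python
import hashlib
import secrets
import struct

# Constructed example (not the patent's code). Codes and attribute numbers are from RFC 2866;
# ACCESS_PERMISSION = 224 is the patent's implementation-specific AVP carrying the level that
# was returned in Access-Accept. The secret and the rate table are assumptions.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCESS_PERMISSION = 1, 40, 44, 224
ACCT_START = 1
SECRET = b"example-shared-secret"
RATES = {1: ("pay-per-use", 0.2), 2: ("per-minute", 0.05), 3: ("per-minute", 0.01)}  # level -> (mode, rate)

def avp(t, value):
    return bytes([t, len(value) + 2]) + value

def avps(data):
    """Yield (type, value) pairs from a run of attributes, refusing malformed lengths."""
    i = 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP")
        yield t, data[i + 2:i + length]
        i += length

def build_accounting_request(ident, username, session_id, level, secret=SECRET):
    """S203: Accounting-Request (Start) carrying the user's permission level in the type-224 AVP."""
    attrs = (avp(USER_NAME, username) + avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + avp(ACCT_SESSION_ID, session_id) + avp(ACCESS_PERMISSION, bytes([level])))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def server_account(req, secret=SECRET):
    """S204: verify the Request Authenticator, choose the charging mode/rate, build the response."""
    head, req_auth, attrs_raw = req[:4], req[4:20], req[20:]
    code, ident, length = struct.unpack("!BBH", head)
    if code != ACCOUNTING_REQUEST or length != len(req):
        raise ValueError("not a well-formed Accounting-Request")
    if not secrets.compare_digest(hashlib.md5(head + bytes(16) + attrs_raw + secret).digest(), req_auth):
        raise ValueError("bad Request Authenticator: silently discard (RFC 2866)")
    attrs = dict(avps(attrs_raw))
    level = attrs.get(ACCESS_PERMISSION, b"\xff")[0]        # 255 = no permission configured
    mode, rate = RATES.get(level, ("denied", 0.0))
    resp_head = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)   # no attributes in the reply
    resp = resp_head + hashlib.md5(resp_head + req_auth + secret).digest()
    return resp, (attrs.get(USER_NAME), attrs.get(ACCT_SESSION_ID), mode, rate)

if __name__ == "__main__":
    request = build_accounting_request(9, b"alice", b"sess-0001", 2)
    print(server_account(request)[1])
```

The session identifier is what later Stop/Interim records are correlated with, so the billing record keeps it alongside the user name and the chosen mode and rate; a request whose authenticator does not verify is rejected before its attributes are parsed, matching the RFC's instruction to discard such packets without a reply.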
The embodiment of the present invention extends the RFC protocol and provides an interaction method for obtaining access permission information under the authentication architecture of RADIUS client and RADIUS server. Because RADIUS servers are typically deployed on the core network side of the mobile network, obtaining access permission information with a RADIUS server as the authentication server gives enterprises a solution for managing the accessible resources of a large number of resource devices securely and flexibly. On the one hand, user authentication data does not need to be stored on the resource devices, so the loss of a single resource device does not lose all user authentication data. On the other hand, the enterprise does not need to set up a separate server to store user authentication data and permission data; in particular, when an enterprise manages a huge number of resource devices across regions or countries, it does not need a separate authentication server in each region or country, which in turn reduces the chance that user information is leaked while being transmitted across regions. It can be seen that, with the permission acquisition method provided by the embodiment of the present invention, the security of user information is strongly guaranteed while the enterprise manages permissions for a large number of resource devices.
Fig. 3 is the first processing flow schematic diagram of the authority acquiring method in the embodiment of the present invention. As shown in Fig. 3, the steps of the embodiment of the present invention may include:
S301: the radius client starts and sends an access request message carrying an access permission mark to the radius server.
Here, the radius client can write the obtained username and password into the Access-Request (access request message) and add an access permission mark (access permission) in the AVP field of the Access-Request. Illustratively, a network packet analysis tool parses the AVP field carrying the access permission mark in the access request message as follows:
AVP:l=3t=Acess-Permission (224): 0
Here, in the AVP field, l denotes the length field, whose value is 3; t denotes the type field, whose value is 224; and the value field is 0. In other embodiments of the present invention, the value of the length field may also be greater than or equal to 3.
S302: the radius server receives the access request message and searches the rights database.
Here, the radius server can search the rights database when it recognizes the access permission mark (Access-Permission field) in the access request message.
S303: the radius server judges whether the access authority information corresponding to the user information is found in the rights database; if it is found, S305 is executed, otherwise S304 is executed.
S304: the radius server sends an Access-Reject message to the radius client.
Here, when the radius server does not find the authority information corresponding to this username in the rights database, it sends an Access-Reject message (Access-Reject) to the radius client.
S305: the radius server sends an Access-Accept message carrying an access permission mark to the radius client.
Here, the radius server writes the access authority information corresponding to the username, as found in the rights database, into the value field of the Access-Accept message (Access-Accept). In the embodiment of the present invention the length of the value field may default to 1 byte, so the value field can take a numerical value in 0-255, where the value 0 serves as the access authority acquisition mark in the access request message, the value 255 serves as the error response mark in the Access-Accept message when no access authority information corresponding to the user information is found, and 255 can also be the value of the value field in the Access-Reject message when authentication does not pass. Therefore 254 kinds of permission can be supported here. In other embodiments of the present invention, the length of the value field can be extended, for example to 2 bytes; as the number of bytes in the value field increases, more access authority information can be carried in the value field. Illustratively, a network packet analysis tool parses the AVP field carrying the access permission mark in the Access-Accept message as follows:
AVP:l=3t=Acess-Permission (224): 1
At this point, the rights database of the radius server can configure different permissions not only according to different usernames but also according to different passwords. For example, if a certain terminal device A logs in with the username "admin" and the entered password is "testA", the access authority information configured in the rights database may be 1; if the entered password is "testB", the access authority information configured in the rights database may be 2. Different users can thus be planned to have different permissions when logging in with the same username and different passwords, and the subsequent charging stage can be affected accordingly.
In addition, the radius server can provide different charging modes and/or charging rates for users with different access authority information, for example the online rate per unit time when an internet-of-things terminal conducts internet services through a home gateway.
After the radius client receives the Access-Accept message, it parses the access permission mark (Access-Permission) field in the AVP field, and the login module of the terminal device opens the permission for this user's login according to the value of the value field of the AVP. For example, the radius client can be configured so that users with different access authority information obtain different resources; illustratively, they can obtain different permitted online times.
S306: the radius client receives the Access-Accept message and sends an accounting request message to the radius server.
Here, the AVP field of the accounting request message (Accounting-Request) likewise carries the corresponding access permission mark. Illustratively, a network packet analysis tool parses the AVP field carrying the access permission mark in the accounting request message as follows:
AVP:l=3t=Acess-Permission (224): 1
S307: the radius server receives the accounting request message, sends a charging response message, and starts charging according to the access authority information corresponding to the access permission mark, using the charging mode and/or charging rate corresponding to that access authority information.
Here, the radius server reads the value of the value field corresponding to the access permission mark (Access-Permission) field in the AVP of the accounting request message (Accounting-Request), and can perform classified charging for the resource access operations corresponding to user information that used the same username with different password combinations for access authentication. Illustratively, a network packet analysis tool parses the AVP field carrying the access permission mark in the accounting request message and the charging response message as either of the following:
AVP:l=3t=Acess-Permission (224): 1 or
AVP:l=3t=Acess-Permission (224): 2
It should be noted that S301 to S308 are the radius interaction flow involving the access permission mark (Access-Permission) field; the subsequent charging response messages can be identical to the definitions in the RFC2865 protocol, i.e. the processing flow after S308 need not consider the access permission mark (Access-Permission) field.
S308: when charging ends, the radius client sends a charging end request message to the radius server.
S309: the radius server stops charging after receiving the charging end request message and sends a charging end response message to the radius client.
For other technical details and technical effects of the embodiment of the present invention, refer to Figs. 1A to 2B.
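As an added illustration of the S301 to S305 exchange and of the rights database keyed on username and password described above (example code written for this page, not code from the patent or from any RADIUS implementation): the Python below frames an Access-Request and its reply as RFC 2865 packets, carries the type-224 Access-Permission attribute with the value conventions the page gives (0 in the request, 1-254 as the permission, 255 when no authority information exists), and has the client verify the Response Authenticator with the shared secret before it trusts the returned value, a check the page leaves implicit. The attribute number 224, the permission values and the admin/testA/testB entries are taken from the page; the shared secret, the authentication table and the rights table are constructed, and the standard User-Password hiding is included only so the request is well formed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple
# RFC 2865 packet codes and the standard attributes used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Attribute type 224 ("Access-Permission") with the value conventions given on the page.
ATTR_ACCESS_PERMISSION = 224
PERM_REQUEST = 0    # in the Access-Request: "return the access authority information for this user"
PERM_NONE = 255     # credentials valid, but no access authority information found
# Constructed authentication data and rights database (the page's admin/testA -> 1, testB -> 2).
AUTH_DB: Dict[str, set] = {"admin": {"testA", "testB", "testC"}}
RIGHTS_DB: Dict[Tuple[str, str], int] = {("admin", "testA"): 1, ("admin", "testB"): 2}

def attr(t: int, v: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes, so a 1-byte value gives l=3."""
    return bytes([t, 2 + len(v)]) + v

def walk_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute list, rejecting truncated or zero-length entries."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def get_attr(attrs: List[Tuple[int, bytes]], t: int) -> Optional[bytes]:
    return next((v for at, v in attrs if at == t), None)

def describe(avp: bytes) -> str:
    """Render an Access-Permission AVP in the style of the analyser lines quoted on the page."""
    return f"AVP: l={avp[1]} t=Access-Permission({avp[0]}): {int.from_bytes(avp[2:avp[1]], 'big')}"

def password_xor(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password: 16-byte blocks XORed with MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")  # revealing assumes the password has no NUL bytes

def packet(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    length = int.from_bytes(pkt[2:4], "big")
    if len(pkt) < 20 or length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return pkt[0], pkt[1], pkt[4:20], pkt[20:length]

def response_auth(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(head + req_auth + attrs + secret).digest()

def build_access_request(ident: int, user: str, pw: str, secret: bytes,
                         req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """S301: User-Name, hidden User-Password and Access-Permission = 0 (the acquisition mark)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, password_xor(pw.encode(), secret, req_auth, True))
             + attr(ATTR_ACCESS_PERMISSION, bytes([PERM_REQUEST])))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(pkt: bytes, secret: bytes) -> bytes:
    """S302-S305: authenticate first; consult the rights database only when the mark is present."""
    code, ident, req_auth, raw = parse_packet(pkt)
    attrs = walk_attrs(raw)
    user = (get_attr(attrs, ATTR_USER_NAME) or b"").decode(errors="replace")
    pw = password_xor(get_attr(attrs, ATTR_USER_PASSWORD) or b"", secret, req_auth, False).decode(errors="replace")
    mark = get_attr(attrs, ATTR_ACCESS_PERMISSION)
    if code != ACCESS_REQUEST or pw not in AUTH_DB.get(user, set()):
        reply, extra = ACCESS_REJECT, b""
    elif mark != bytes([PERM_REQUEST]):
        reply, extra = ACCESS_ACCEPT, b""                       # no mark: plain RFC 2865 behaviour
    elif (user, pw) in RIGHTS_DB:
        reply, extra = ACCESS_ACCEPT, attr(ATTR_ACCESS_PERMISSION, bytes([RIGHTS_DB[(user, pw)]]))
    else:
        reply, extra = ACCESS_REJECT, attr(ATTR_ACCESS_PERMISSION, bytes([PERM_NONE]))  # S304
    return packet(reply, ident, response_auth(reply, ident, extra, req_auth, secret), extra)

def reply_is_authentic(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    code, rid, auth, raw = parse_packet(reply)
    return rid == ident and hmac.compare_digest(auth, response_auth(code, rid, raw, req_auth, secret))

def client_handle(reply: bytes, ident: int, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Client side of S305: the permission tier to open (1..254), or None for reject / no information."""
    if not reply_is_authentic(reply, ident, req_auth, secret):
        raise ValueError("reply not authenticated by the shared secret")
    code, _, _, raw = parse_packet(reply)
    if code != ACCESS_ACCEPT:
        return None
    v = get_attr(walk_attrs(raw), ATTR_ACCESS_PERMISSION)
    perm = int.from_bytes(v, "big") if v else None
    return perm if perm not in (None, PERM_REQUEST, PERM_NONE) else None
```

The point of `reply_is_authentic` is that the permission tier arrives in a plain UDP reply: a client that reads the value field without binding the reply to its own Request Authenticator and the shared secret would accept a forged Access-Accept, so the check RFC 2865 already requires is what protects the tier. The 1-byte value field also gives exactly the 254 usable tiers the page counts, since 0 and 255 are reserved for the acquisition mark and the "no information" response.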
Embodiment three
Fig. 4A is the second network architecture schematic diagram of the authority acquiring method of the embodiment of the present invention. As shown in Fig. 4A, in the embodiment of the present invention a home gateway (Customer Premises Equipment, CPE) 130 and an internet-of-things terminal can respectively serve as alternative implementations of the resource apparatus 11 and the resource requestor 10 shown in Fig. 1A; correspondingly, an accessible page on the home gateway can serve as an example of an accessible resource on the resource apparatus 11. In the embodiment of the present invention, the authentication server 12 can be a radius server or another authentication server.
Based on the network architecture shown in Fig. 4A, the embodiment of the present invention provides an authority acquiring method, and Fig. 4B is the second interaction flow schematic diagram of the authority acquiring method in the embodiment of the present invention. As shown in Fig. 4B, the steps of the embodiment of the present invention include:
S401: the internet-of-things terminal sends a login request carrying user information to the CPE.
Here, the login request can be used to request an accessible page on the CPE. In the embodiment of the present invention, after establishing a communication connection with the CPE, the internet-of-things terminal can obtain from the CPE a login page developed with web user interface (Website User Interface, WEB UI) technology, and the user can enter the user information through the WEB UI; the user information can be, for example, a username and password. The internet-of-things terminal then carries the user information in the login request sent to the CPE. Illustratively, the accessible page can be the parameter configuration page of the CPE. In the embodiment of the present invention, the internet-of-things terminal can establish a communication connection with the CPE in various ways, for example over a long-range low-power data transmission (long range, lora) network, a cable, or a WiFi network. The internet-of-things terminal can be, for example, a camera, scanner, printer, projector, etc.
S402: the CPE sends an authority acquiring request carrying the user information to the authentication server; the authority acquiring request is used to obtain the access authority corresponding to the user information.
Here, the authentication server can be a radius server, in which case the CPE can send the authority acquiring request to the radius server through a radius client. For example, a radius client can be deployed on the CPE, and after receiving the login request from the internet-of-things terminal, the CPE sends the authority acquiring request to the radius server through the radius client. Illustratively, the authority acquiring request can be an access request message (Access-Request).
S403: the authentication server sends an authority acquiring response carrying the access authority corresponding to the user information to the CPE.
Here, the authority acquiring response is an Access-Accept message (Access-Accept).
S404: the CPE determines the accessible page on the CPE corresponding to the internet-of-things terminal according to the access authority corresponding to the user information.
S405: the CPE sends the accessible page to the internet-of-things terminal.
In the embodiment of the present invention, as an alternative implementation of S302, the authority acquiring request can also be used to obtain the access authority information corresponding to the user information; S303-S304 can then be replaced by: the authentication server sends to the CPE an authority acquiring response carrying the access authority information corresponding to the user information, and the CPE determines the accessible page on the CPE corresponding to the internet-of-things terminal according to the access authority information.
Illustratively, the authority acquiring request can be an access request message in which the type field of the AVP has the value 224 and the value field is 0, and the authority acquiring response can be an Access-Accept message in which the type field of the AVP has the value 224 and the value field is the access authority information corresponding to the user information.
In the embodiment of the present invention, different access authority information can correspond to different accessible pages on the home gateway. For example, the accessible page corresponding to ordinary user permission can be the configuration page of common parameters; the accessible page corresponding to administrator permission can be the configuration page of advanced parameters; and the accessible page corresponding to superuser permission can be the configuration page of the device manufacturer's internal parameters. Since the user information data corresponding to each permission does not need to be stored on the home gateway, i.e. the device manufacturer of the home gateway does not need to store the superuser account and the corresponding password on the home gateway, it can be guaranteed that the superuser account and password set by the device manufacturer cannot be cracked out of the information stored in the home gateway.
In one example, the user information may include a username and password; different usernames can correspond to different access authority information, and the combination of the same username with different passwords can also correspond to different access authority information. This facilitates management, since different access authority information can be configured with the same username and different passwords, reducing the number of usernames that need to be planned.
In another example, the user information may be the media access control (Media Access Control, MAC) address of the internet-of-things terminal together with a password. A MAC address is also called a physical address or hardware address; the combinations of the same MAC address with different passwords correspond to the same or different access authority information. In this way usernames need not be planned: the resource apparatus can configure the corresponding access authority of each internet-of-things terminal on the authentication server, and since user information need not be transmitted in the network, leakage of user information during the authentication process can be avoided.
Fig. 5 is the second processing flow schematic diagram of the authority acquiring method in the embodiment of the present invention. As shown in Fig. 5, the steps of the embodiment of the present invention may include:
S501: the CPE provides a login interface and obtains a username and password.
Here, a user or administrator can enter the username and password through an internet-of-things terminal in a login interface provided by the CPE based on a technology such as web UI or the Secure Shell protocol (Secure Shell, SSH).
S502: the CPE checks whether the username and password meet the legitimacy criteria; if so, S503 is executed, otherwise S508 is executed.
Here, the legitimacy of the username and password can be checked by the login module of the CPE; illustratively, the legitimacy check can be performed on the length of the username or password.
S503: the CPE starts the radius client and sends an authentication request message carrying an access permission mark to the radius server.
Here, the login module of the CPE can send an internal message notifying the radius client of information such as the corresponding username and password. The authentication request message sent by the radius client can be an access request message (Access-Request), and the AVP field of the access request message includes the access permission mark (access permission field). Illustratively, a network packet analysis tool parses the AVP field carrying the access permission mark in the access request message as follows:
AVP:l=3t=Acess-Permission (224): 0
Here, when the value field of the AVP is 0, this access request message is considered to be requesting the access authority information corresponding to the user information.
S504: the radius server receives the authentication request message and searches the rights database.
Here, the radius server receives the access request message; the message interaction of the authentication flow is consistent with RFC2865, and when the access request message includes the access permission mark field, the radius server adds the processing of a rights database query for this access permission mark field, i.e. it queries the authority configuration data corresponding to the username.
S505: the radius server judges whether the access authority corresponding to this user is found in the rights database; if so, S506 is executed, otherwise S507 is executed.
S506: the radius server sends an Access-Accept message carrying an access permission mark to the radius client.
Here, the radius server can write the user permission found in the rights database into the returned Access-Accept message before sending it. After receiving the Access-Accept message, the radius client can notify the login module of the CPE to open a login interface to this user according to the corresponding user permission, with different permissions opening different login interfaces; the login process ends here.
S507: the radius server sends an Access-Reject message to the radius client.
Here, since the radius server does not find the access authority information corresponding to this username, the radius server can consider that, even if the username and password pass verification, the user information cannot obtain a corresponding access authority on the CPE because no corresponding user login permission can be matched, and therefore the radius server can also return an Access-Reject message to the radius client. After receiving the Access-Reject message, the radius client can notify the login module of the CPE that no user permission corresponding to this username and password was obtained and that no login interface may be opened to this user. The login module can refuse this user's login, and the login process ends here.
S508: the CPE re-obtains the username and password, and stops re-obtaining them if the number of errors reaches a preset number of times.
Here, the CPE can pop up the web UI window again to prompt the user of the internet-of-things terminal to re-enter the username and password.
In other embodiments of the present invention, when the authentication result for the username and password is that verification passed but no corresponding access authority information was found in the rights database, the radius server can also send to the radius client an Access-Accept message carrying an AVP whose value field is 255.
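As an added example of the CPE-side flow S501 to S508 (code written for this page, not from the patent or from any CPE firmware): the login module below performs the local legitimacy check of S502 before anything reaches the radius client, opens a login interface tier according to the returned Access-Permission value, treats an Access-Reject, a missing value and the 255 "verified but no authority information" variant described just above as failed attempts, and stops re-obtaining credentials once the preset number of errors is reached. The interface names, the attempt limit of 3, the length bounds, and the in-memory table standing in for the S503 to S507 radius exchange are all constructed; a real module would send an Access-Request through the radius client.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mapping from Access-Permission values (1..254) to the login interface tier the CPE
# opens (S506); the page's tiers are common, advanced and vendor-internal parameter configuration.
INTERFACE_BY_PERMISSION: Dict[int, str] = {
    1: "common-parameters", 2: "advanced-parameters", 3: "vendor-internal-parameters"}
PERM_NONE = 255           # "verified, but no access authority information" variant from the page
MAX_ATTEMPTS = 3          # the "preset number of times" of S508; the value is assumed
MIN_LEN, MAX_LEN = 1, 64  # assumed legitimacy bounds for S502 (the page only says "length")

# Result of one radius client round trip as the login module sees it:
# ("accept", value) for Access-Accept, ("reject", value-or-None) for Access-Reject, ("timeout", None).
RadiusResult = Tuple[str, Optional[int]]

def credentials_legitimate(user: str, pw: str) -> bool:
    """S502: local syntactic check; nothing is sent to the radius server for illegal input."""
    return (MIN_LEN <= len(user) <= MAX_LEN and MIN_LEN <= len(pw) <= MAX_LEN
            and user.isprintable() and pw.isprintable())

@dataclass
class LoginModule:
    radius: Callable[[str, str], RadiusResult]  # S503-S507: the radius client exchange, injected
    attempts: int = 0
    events: List[str] = field(default_factory=list)

    def try_login(self, user: str, pw: str) -> Tuple[str, Optional[str]]:
        """One login attempt: ('open', interface) | ('retry', None) | ('locked', None)."""
        if self.attempts >= MAX_ATTEMPTS:
            return ("locked", None)                      # S508: stop re-obtaining credentials
        if not credentials_legitimate(user, pw):
            return self._fail("illegal username/password format")   # S502 -> S508
        outcome, perm = self.radius(user, pw)
        if outcome == "accept" and perm is not None and 1 <= perm <= 254:
            iface = INTERFACE_BY_PERMISSION.get(perm)
            if iface is None:                            # tier known to the server, not to this CPE
                return self._fail(f"permission {perm} has no interface configured here")
            self.attempts = 0
            self.events.append(f"open {iface} for {user}")
            return ("open", iface)                       # S506: login process ends here
        if outcome == "accept":                          # value 255, 0 or missing: no authority info
            return self._fail("verified but no access authority information")
        if outcome == "reject":
            return self._fail("Access-Reject")           # S507
        return self._fail(f"no usable reply ({outcome})")

    def _fail(self, reason: str) -> Tuple[str, Optional[str]]:
        self.attempts += 1
        self.events.append(reason)
        return ("locked" if self.attempts >= MAX_ATTEMPTS else "retry", None)

# Constructed stand-in for the radius round trip of S503-S507, keyed on (username, password)
# like the page's rights database.
_SERVER_TABLE: Dict[Tuple[str, str], RadiusResult] = {
    ("admin", "testA"): ("accept", 1),
    ("admin", "testB"): ("accept", 2),
    ("admin", "testC"): ("accept", PERM_NONE),
}

def fake_radius_exchange(user: str, pw: str) -> RadiusResult:
    return _SERVER_TABLE.get((user, pw), ("reject", None))
```

Two design choices worth noting: a permission value the server knows but this CPE has no interface for is refused rather than mapped to a default tier, so a misconfigured rights database cannot open more than was configured locally; and the 255 response counts towards the error limit exactly like an Access-Reject, because from the CPE's point of view both mean that no login interface may be opened.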
The authority acquiring method provided by the embodiment of the present invention can be applied to a network architecture similar to that shown in Fig. 5, such as the French MF259 project; the present solution provides a safer and more convenient centralized rights management mode. The embodiment of the present invention mainly applies the authentication and authorization functions of radius, i.e. the accounting request message related to the billing function of radius need not be triggered after the Access-Accept message.
For other technical details of the embodiment of the present invention, which are similar to Figs. 1A to 4B, refer specifically to the related descriptions of the technical solutions shown in Figs. 1A to 4B.
The authority acquiring method provided by the embodiment of the present invention has favourable technical effects in three respects: safety, storage, and complexity.
In terms of safety, by extending the radius protocol with a field with a specific implementation in the AVP, and using the scalability of the standard radius protocol, the permission function is no longer controlled individually by each resource device or terminal device but is managed centrally. In a setup where user permission data is stored separately on each terminal device, once a terminal device is lost, all the user information stored in that terminal device may be leaked. For example, in some Internet of Things networks, such as a certain lora network in France built for a specific purpose, internet-of-things terminals have established communication connections with home gateways; since the CPEs (i.e. terminal devices) acting as resource devices are numerous, if the permission data of the users allowed to access each CPE were stored in each CPE, the entire lora network would face the risk of a security leak, which is unacceptable for the Internet of Things. To improve safety, the embodiment of the present invention moves the verification process for the available resources requested on the CPE to the radius server. However, because it is impractical for the radius server to set up a separate username and password for each CPE for the authentication and authority acquiring process (the management data would be too much for the enterprise managing the CPEs), a group of usernames can be set up, each corresponding to a different permission, so that when logging in to a terminal device in the lora network the permission corresponding to the username is obtained: logging in to different terminal devices with the same username can yield the same access authority information, and logging in to the same terminal device with different usernames can yield different access authority information. The enterprise only needs to manage the authentication data corresponding to a small number of usernames and the permission data corresponding to a small number of user and password combinations, making its management of the user data used to log in to a massive number of CPEs simpler and more flexible. Moreover, in the embodiment of the present invention, since the authentication data and permission data corresponding to the user information are stored on the radius server, the enterprise only needs to ensure the safety of the radius server and no longer needs to consider the safety of each terminal device; for the enterprise, the loss of a single terminal device will not cause a safety problem for the whole network.
In terms of storage, for CPE devices and Internet of Things devices in general, storage space is a very important issue. If user authentication data and permission data had to be stored in each home gateway, they would occupy part of the device's storage space, which in turn raises device cost and lowers device competitiveness. In the embodiment of the present invention, user authentication and permission data are stored in the radius server, i.e. only one server needs to be set up to hold the user permission information of a massive number of terminal devices, thereby reducing the storage cost that each individual device would otherwise need to spend on this data.
In terms of complexity, the complexity here refers mainly to the complexity of user permission change operations. For core-network routing devices, since their number is small, the complexity of user permission changes is not very serious; but for Internet of Things terminal devices, because home gateways are very numerous, the workload of user permission changes is very large. Moreover, in the Internet of Things, network management needs require changing the accessible resources on the home gateway corresponding to an internet-of-things terminal; if the user information and the corresponding accessible resources were still stored on the home gateway, the accessible-resource data for the user information stored on each home gateway would have to be modified one by one. With the centralized management provided by the embodiment of the present invention, in which permission data is stored in the radius server, only the rights database of the server needs to be modified when the accessible resources corresponding to user information change; the terminal device only needs to obtain the modified access authority information corresponding to the user information through the AVP field extended according to the embodiment of the present invention, and open the accessible resources corresponding to that access authority information to the user logging in with that user information.
Example IV
Fig. 6A is the third network architecture schematic diagram of the authority acquiring method in the embodiment of the present invention. As shown in Fig. 6A, the terminal device in the embodiment of the present invention can serve as an alternative implementation of the resource apparatus shown in Fig. 1A. The available resources on the terminal device can be applications (Application, APP) pre-installed on the terminal device, and the resource requestor can then be a user requesting to use an APP on the terminal device. In the embodiment of the present invention, the authentication server can be a Radius server or another authentication server.
Based on the network architecture shown in Fig. 6A, the embodiment of the present invention also provides an authority acquiring method, and Fig. 6B is the third processing flow schematic diagram of the authority acquiring method in the embodiment of the present invention. As shown in Fig. 6B, the steps of the embodiment of the present invention include:
S601: the terminal device enters a user information acquisition state after receiving an enabling operation used to indicate starting an APP on the terminal device.
Here, when the terminal device detects an enabling instruction requesting to enable the APP, it can set itself to the user information acquisition state. For example, the terminal device can detect a touch operation clicking on the icon of a certain APP on the screen that requires permission control. In the embodiment of the present invention, illustratively, the user information acquisition state can be popping up a user information acquisition window, or the input device on the terminal device entering a state of waiting for information to be entered; the input device can be, for example, a touch screen or a microphone, and the present invention is not limited in this respect. In the embodiment of the present invention, the APP can be an application installed in the Android operating system through an Android tool installation package, for example clients such as WeChat, Weibo and Taobao, or tool software provided by some operating systems, for example gallery software, camera software, or positioning function setting software.
It should be noted that, in other embodiments of the present invention, the terminal device can be pre-configured with a set of APPs that require permission control, and the terminal device enters the user information acquisition state only when the APP the user requests to start is in that APP set.
S602: the terminal device receives user information in the user information acquisition state.
Here, the user information may include a username and password, or a fingerprint, or a voice, iris, etc.; the embodiment of the present invention is not limited in this respect.
S603: the terminal device sends an authority acquiring request carrying the user information to the authentication server; the authority acquiring request is used to obtain the access authority corresponding to the user information.
Here, the authority acquiring request can also be used to obtain the access authority information corresponding to the user information. In that case, receiving the authority acquiring response that the authentication server sends to the terminal device according to the authority acquiring request and that carries the access authority corresponding to the user information comprises: receiving the authority acquiring response sent by the authentication server that carries the access authority information corresponding to the user information. Correspondingly, determining whether to enable the application according to the set of applications allowed to be enabled that corresponds to the access authority comprises: determining whether to enable the application according to the set of applications allowed to be enabled that corresponds to the access authority information, where different access authority information corresponds to different sets of applications allowed to be enabled.
S604: the authentication server sends an authority acquiring response carrying the access authority corresponding to the user information to the terminal device.
Here, the access authority corresponding to the user information can be "has access authority", corresponding to successful authentication, or "does not have access authority", corresponding to failed authentication; alternatively, the access authority corresponding to the user information can also be different access authority information. Different access authorities or access authority information can correspond to different accessible resources on the terminal device.
For example, in one example, the terminal device can be configured so that the accessible resources on the terminal device corresponding to the above "has access authority" are all the APPs in the APP set. In another example, the terminal device can also be configured so that, for the above "does not have access authority", none of the APPs in the APP set may be accessed on the terminal device. In yet another example, the terminal device can also be configured so that the accessible resources on the terminal device corresponding to lower access authority information are part of the APPs in the APP set. In another example, the terminal device can also be configured so that the accessible resources on the terminal device corresponding to the highest access authority information are all the APPs in the APP set. The terminal device can use any one or a combination of the above configuration modes to configure different accessible resources for different access authorities.
S605: the terminal device determines whether to enable the APP according to the set of applications allowed to be enabled that corresponds to the access authority.
Here, the terminal device can judge whether the APP requested to be enabled belongs to the set of applications allowed to be enabled that is configured for the access authority corresponding to the user information; if so, the terminal device enables the APP, and if not, the terminal device can output corresponding refusal information. Illustratively, the terminal device can pop up on the display a prompt that the user does not have permission to use this APP, and refuse to enable the APP. After the terminal device enables the APP, the APP enters its own login flow; for example, the WeChat APP can authenticate the WeChat user's account information according to its default startup sequence and, after authentication passes, display the conversation list page of this WeChat user.
In other embodiments of the present invention, the authentication server can be a radius server, in which case a radius client can be deployed on the terminal device; after detecting the enabling request, the terminal device can start the radius client and send the obtained user information to the radius authentication server through the radius client. The specific authentication process is similar to that shown in Figs. 1A to 2B.
Authority acquiring method provided in an embodiment of the present invention, which can be applied not only to user, requests to enable on terminal device
The scene of APP applies also for the scene that external equipment request enables the APP on terminal device.It should be noted that outside is set
Standby can be established by software or hardware interface and terminal device communicates to connect.
Taking a mobile phone as an example, a "safe mobile phone" application can be installed on the phone, with a RADIUS client built into the application. The owner of the phone can preset, in the "safe mobile phone" application, one or more APPs that require permission control, and the "safe mobile phone" application itself may be among them. These APPs no longer perform permission control individually; instead, before each login with an APP account, the centralized permission authentication of the phone itself is carried out first. For example, the "safe mobile phone" application can monitor the instructions that enable these APPs, and when it detects an enabling instruction it first performs centralized permission authentication of the phone's user before the APP to be enabled runs its own account login authentication. Note that the APP's own account login is usually realized through interaction between the APP and the authentication server corresponding to that APP; that is, the permission authentication initiated by the "safe mobile phone" application and the account login of the APP under permission control are two independent authentication processes.
In one example, the "safe mobile phone" application detects that APP1 has received an open command and entered the running state. Before the user enters the username and password for APP1's own login, the user must first enter the username and password with which the "safe mobile phone" application performs permission authentication. The "safe mobile phone" application, acting as a RADIUS client, then sends an access request message to the RADIUS authentication server and receives the access accept message returned by the RADIUS server; both the access request message and the access accept message may carry an AVP field containing the access permission mark. If the permission authentication fails, the "safe mobile phone" application forces APP1 to close; if it passes, APP1 is opened.
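The exchange just described, as an added Python example that is not part of the patent and not code from its applicant: the RADIUS client sends an Access-Request whose AVP carries the access permission mark, the RADIUS server answers with an Access-Accept (or Access-Reject) carrying the access authority it assigned to the user information, and the terminal then performs the S605 decision against the set of APPs that authority may enable. The packet layout follows RFC 2865; the vendor id and sub-attribute number of the access-permission AVP, the shared secret, the user table and the allowed-APP sets are constructed placeholders, and the server is called in-process instead of over UDP.

```python
"""Added example (not the patent's code): Access-Request / Access-Accept
exchange with an access-permission AVP, Response Authenticator check on the
client, and the terminal's decision whether an APP may be enabled.
Vendor id, sub-attribute number, secret and tables are placeholders."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
VENDOR_ID = 99999           # placeholder private enterprise number (assumption)
VSA_ACCESS_PERMISSION = 1   # placeholder sub-type carrying the access permission mark
SHARED_SECRET = b"constructed-demo-secret"

# Constructed tables: credentials -> access authority, authority -> APPs allowed to be enabled.
USER_DB = {("owner", "owner-pass"): "admin", ("guest", "guest-pass"): "basic"}
ALLOWED_APPS = {"admin": {"wechat", "banking", "safe-mobile-phone"}, "basic": {"wechat"}}


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute-value pair: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (RFC 2865 section 5.26) wrapping one sub-attribute."""
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + _avp(sub_type, value))

def _pap_xor(data: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the authenticator."""
    data = data + b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = xored if hiding else block   # chain on the ciphertext in both directions
    return out

def _parse_attrs(attrs: bytes) -> dict:
    """Return {type: value}; our Vendor-Specific attribute is returned as {sub_type: value}."""
    out, i = {}, 0
    while i < len(attrs):
        t, ln = attrs[i], attrs[i + 1]
        val = attrs[i + 2:i + ln]
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == VENDOR_ID:
            val = {val[4]: val[6:4 + val[5]]}
        out[t] = val
        i += ln
    return out

def _reply(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + SHARED_SECRET).digest() + attrs

def build_access_request(ident: int, username: str, password: str) -> tuple:
    """Client side: Access-Request carrying the user information and the access permission mark."""
    req_auth = os.urandom(16)
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_USER_PASSWORD, _pap_xor(password.encode(), req_auth, hiding=True))
             + _vsa(VSA_ACCESS_PERMISSION, b"access-permission"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def radius_server(request: bytes) -> bytes:
    """Server side: verify the credentials, look up the authority and return it in Access-Accept."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    marker = attrs.get(ATTR_VENDOR_SPECIFIC)
    if code != ACCESS_REQUEST or not isinstance(marker, dict) or VSA_ACCESS_PERMISSION not in marker:
        return _reply(ACCESS_REJECT, ident, req_auth, b"")   # not a permission query
    password = _pap_xor(attrs[ATTR_USER_PASSWORD], req_auth, hiding=False).rstrip(b"\0")
    authority = USER_DB.get((attrs[ATTR_USER_NAME].decode(), password.decode()))
    if authority is None:
        return _reply(ACCESS_REJECT, ident, req_auth, b"")
    return _reply(ACCESS_ACCEPT, ident, req_auth, _vsa(VSA_ACCESS_PERMISSION, authority.encode()))

def verify_reply(reply: bytes, req_auth: bytes, ident: int) -> bool:
    """Client side: accept a reply only if its ID matches and its Response Authenticator checks out."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + SHARED_SECRET).digest()
    return rid == ident and hmac.compare_digest(expected, reply[4:20])

def decide_enable(app: str, username: str, password: str, ident: int = 1) -> tuple:
    """Step S605 on the terminal: authenticate, then check the APP against the allowed set."""
    request, req_auth = build_access_request(ident, username, password)
    reply = radius_server(request)            # in-process stand-in for the UDP round trip
    if not verify_reply(reply, req_auth, ident):
        return False, "reply failed authenticator check; treated as a rejection"
    if reply[0] != ACCESS_ACCEPT:
        return False, "no permission: authentication rejected"
    authority = _parse_attrs(reply[20:])[ATTR_VENDOR_SPECIFIC][VSA_ACCESS_PERMISSION].decode()
    if app not in ALLOWED_APPS.get(authority, set()):
        return False, f"no permission to use {app} with authority '{authority}'"
    return True, f"enable {app} (authority '{authority}')"
```

Calling `decide_enable("banking", "guest", "guest-pass")` returns a refusal even though the credentials are valid, which is the point of separating the access authority from the credential check: the server decides which authority the user information maps to, and the terminal only compares the requested APP against that authority's allowed set. A reply whose Response Authenticator does not verify is treated exactly like an Access-Reject, so a forged or corrupted answer can never enable an APP.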
In this scenario, for phone owners with high security requirements, even if the username and password of an APP are stolen, an illegitimate user cannot operate an APP that requires authentication before use, because that user does not hold the rights management password of the phone, such as the username and password of the "safe mobile phone" application. Furthermore, the phone owner need only configure the RADIUS server to reject every permission authentication request coming from that phone from then on, after which the phone can no longer open any APP subject to permission control. Thus the authority acquiring method provided in the embodiment of the present invention can very effectively protect the personal information stored on the phone.
In addition, to speed up APP startup, phone owners usually configure the default login information that an APP requires when logging in. However, when the phone is stolen, an illegitimate user who taps to enable an APP can also log in with that default login information, and the personal information stored in the APP may be stolen. With the authority acquiring method provided in the embodiment of the present invention, when an illegitimate user or a user with lower access authority wants to open an APP on the phone, the phone, upon receiving the enabling request, authenticates the user through the configured third-party authentication server; that is, only a user who passes the authentication server's authentication, or who is authenticated as holding the corresponding access authority, is allowed to use the APP, so loss of the private data stored in the APP is avoided. Thus the authority acquiring method provided in the embodiment of the present invention improves the security of data stored on terminal devices such as mobile phones.
Other technical details and technical effects of this embodiment of the present invention are similar to those of Figure 1A to Figure 3; refer to the associated description of the technical solutions shown in Figure 1A to Figure 3.
Embodiment five
The embodiment of the present invention also provides an authority acquiring device. Fig. 7 is the first structural schematic diagram of the authority acquiring device in the embodiment of the present invention; as shown in Fig. 7, the authority acquiring device 70 includes:
a first sending module 701, configured to send to a Remote Authentication Dial-In User Service (RADIUS) server an authority acquiring request carrying user information, the authority acquiring request being used to obtain the access authority information corresponding to the user information;
a first receiving module 702, configured to receive the authority acquiring response carrying the access authority information sent by the RADIUS server.
Here, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
In the above scheme, the authority acquiring device may be located on the home gateway side, in which case:
the first receiving module 702 may be configured to receive a login request carrying user information sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway;
the first sending module 701 may be configured to send to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information;
the first receiving module 702 may also be configured to receive the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server, and to determine, according to the access authority, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
In the above scheme, the authority acquiring device may be located on the terminal device side, in which case:
the first receiving module 702 may be configured to enter the user information acquisition state after receiving an enabling operation that indicates starting an application on the terminal device, and to receive user information while in the user information acquisition state;
the first sending module 701 may be configured to send to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information;
the first receiving module 702 may also be configured to receive the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server, and to determine whether to enable the application according to the set of applications that the access authority allows to be enabled.
The authority acquiring device of this embodiment can be used to execute the technical solution that, in the method embodiments shown in Figure 1A to Fig. 6, is executed by the resource apparatus deployed with the RADIUS client, the RADIUS client, the home gateway or the terminal device; its implementing principle and technical effect can be found in the methods shown in Figure 1A to Fig. 6.
The embodiment of the present invention also provides an authority acquiring device. Fig. 8 is the second structural schematic diagram of the authority acquiring device in the embodiment of the present invention; as shown in Fig. 8, the authority acquiring device 80 includes:
a second receiving module 801, configured to receive the authority acquiring request carrying the user information sent by a Remote Authentication Dial-In User Service (RADIUS) client, the authority acquiring request being used to obtain the access authority information corresponding to the user information;
a second sending module 802, configured to send to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information.
In the above scheme, the authority acquiring request may be an access request message Access-Request carrying the access permission mark, and the authority acquiring response may be an access accept message Access-Accept. Here, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
The authority acquiring device of this embodiment can be used to execute the technical solution executed by the RADIUS server in the method embodiments shown in Figure 1A to Fig. 6; its implementing principle and technical effect can be found in the methods shown in Figure 1A to Fig. 6.
Embodiment six
Fig. 9 is the structural schematic diagram of the resource apparatus in the embodiment of the present invention. As shown in Fig. 9, the resource apparatus 11 includes a memory 903, a processor 904 and an authority acquiring program (not shown) that is stored on the memory 903 and can run on the processor 904, where the processor, when executing the program, performs the following steps:
sending to the Remote Authentication Dial-In User Service (RADIUS) server an authority acquiring request carrying user information, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and receiving the authority acquiring response carrying the access authority information sent by the RADIUS server. Here, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
The resource apparatus 11 may also include an interface 901 and a bus 902; the interface 901, the memory 903 and the processor 904 are connected through the bus 902. The interface 901 can be used to establish a communication connection with the authentication server, and may be a wired transmission interface or a wireless transmission interface. The interface 901 can also be used to obtain the resource access request of the resource requester, and may also be an input device capable of receiving instructions. For example, the interface may be a transmitting or receiving antenna, or may be realized by a program module integrated in a digital circuit processor.
In other embodiments of the present invention, the following steps are also realized when the program is executed by the processor 904: before sending to the RADIUS server the authority acquiring request carrying the user information, receiving a resource access request carrying the user information, the resource access request being used to obtain the accessible resource corresponding to the user information on the resource apparatus; and, after receiving the authority acquiring response carrying the access authority information sent by the RADIUS server, determining, according to the access authority information, the accessible resource corresponding to the user information on the resource apparatus.
In the above scheme, the resource apparatus 11 may be a home gateway, a terminal device, or the like.
If the resource apparatus 11 is a home gateway, the following steps are also realized when the program is executed by the processor 904: the home gateway receives a login request carrying user information sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway; sends to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information; receives the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server; and determines, according to the access authority, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
If the resource apparatus 11 is a home gateway, the following steps are also realized when the program is executed by the processor 904: the terminal device enters the user information acquisition state after receiving an enabling operation that indicates starting an application on the terminal device; receives user information while in the user information acquisition state; sends to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information; receives the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server; and determines whether to enable the application according to the set of applications that the access authority allows to be enabled.
The authority acquiring device of this embodiment can be used to execute the technical solution executed by the resource apparatus in the method embodiments shown in Figure 1A to Fig. 6; its implementing principle and technical effect can be found in the methods shown in Figure 1A to Fig. 6.
Figure 10 is the structural schematic diagram of the RADIUS server in the embodiment of the present invention. As shown in Figure 10, the RADIUS server 100 includes a memory 1003, a processor 1004 and an authority acquiring program (not shown) that is stored on the memory 1003 and can run on the processor 1004, where the processor, when executing the program, performs the following steps:
the Remote Authentication Dial-In User Service (RADIUS) server receives the authority acquiring request carrying the user information sent by the RADIUS client, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and sends to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information.
The processor may further realize the following steps when executing the program:
the RADIUS server receives the access request message Access-Request carrying the user information and the access permission mark sent by the RADIUS client; and sends to the RADIUS client the access accept message Access-Accept carrying the access authority information corresponding to the user information.
In the embodiment of the present invention, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
The RADIUS server 100 may also include an interface 1001 and a bus 1002; the interface 1001, the memory 1003 and the processor 1004 are connected through the bus 1002. The interface 1001 can be used to establish a communication connection with the RADIUS client or the resource apparatus 11, and may be a wired transmission interface or a wireless transmission interface. For example, the interface may be a transmitting or receiving antenna, or may be realized by a program module integrated in a digital circuit processor.
The authority acquiring device of this embodiment can be used to execute the technical solution executed by the RADIUS server in the method embodiments shown in Figure 1A to Fig. 6; its implementing principle and technical effect can be found in the methods shown in Figure 1A to Fig. 6.
In practical applications, the processor in the terminal may be realized by a Central Processing Unit (CPU), a Micro Processor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA) or the like.
Embodiment seven
The embodiment of the present invention also provides a storage medium storing an authority acquiring program, where the authority acquiring program is configured to execute:
sending to the Remote Authentication Dial-In User Service (RADIUS) server an authority acquiring request carrying user information, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and receiving the authority acquiring response carrying the access authority information sent by the RADIUS server.
In the embodiment of the present invention, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
Other technical details and technical effects of this embodiment of the present invention are similar to those of the above embodiments relating to the resource apparatus deployed with the RADIUS client or to the RADIUS client.
The embodiment of the present invention also provides a storage medium storing an authority acquiring program, where the authority acquiring program is configured to execute:
the Remote Authentication Dial-In User Service (RADIUS) server receiving the authority acquiring request carrying the user information sent by the RADIUS client, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and sending to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information.
The authority acquiring program may be further configured to execute:
the RADIUS server receiving the access request message Access-Request carrying the user information and the access permission mark sent by the RADIUS client; and sending to the RADIUS client the access accept message Access-Accept carrying the access authority information corresponding to the user information.
In the embodiment of the present invention, the access authority information is used to determine the accessible resource corresponding to the user information, and different access authority information corresponds to different accessible resources.
Other technical details and technical effects of this embodiment of the present invention are similar to those of the above embodiments relating to the RADIUS server.
The embodiment of the present invention also provides a storage medium storing an authority acquiring program, where the authority acquiring program is configured to execute:
the home gateway receiving a login request carrying user information sent by an Internet of Things terminal, the login request being used to obtain the accessible resource on the home gateway; sending to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information; receiving the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server; and determining, according to the access authority, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
Other technical details and technical effects of this embodiment of the present invention are similar to those of the above embodiments relating to the home gateway.
The embodiment of the present invention also provides a storage medium storing an authority acquiring program, where the authority acquiring program is configured to execute:
the terminal device entering the user information acquisition state after receiving an enabling operation that indicates starting an application on the terminal device; receiving user information while in the user information acquisition state; sending to the authentication server an authority acquiring request carrying the user information, the authority acquiring request being used to obtain the access authority corresponding to the user information; receiving the authority acquiring response carrying the access authority corresponding to the user information sent by the authentication server; and determining whether to enable the application according to the set of applications that the access authority allows to be enabled.
Other technical details and technical effects of this embodiment of the present invention are similar to those of the above embodiments relating to the home gateway.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements that are inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by means of software plus a necessary general hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is included within the scope of the present invention.
Claims (17)
1. An authority acquiring method, characterized in that the method includes:
a Remote Authentication Dial-In User Service (RADIUS) client sending to a RADIUS server an authority acquiring request carrying user information, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and
receiving the authority acquiring response carrying the access authority information sent by the RADIUS server.
2. The method according to claim 1, characterized in that, before sending to the RADIUS server the authority acquiring request carrying the user information, the method includes: receiving a resource access request carrying the user information, the resource access request being used to obtain the accessible resource corresponding to the user information on a resource apparatus;
and correspondingly, after receiving the authority acquiring response carrying the access authority information sent by the RADIUS server, the method includes: determining, according to the access authority information, the accessible resource corresponding to the user information on the resource apparatus.
3. The method according to claim 2, characterized in that the resource apparatus is a home gateway, and receiving the resource access request carrying the user information includes: receiving a login request carrying the user information sent by an Internet of Things terminal, the login request being used to request the accessible resource corresponding to the user information on the home gateway;
and determining, according to the access authority information, the accessible resource corresponding to the user information on the resource apparatus includes: determining, according to the access authority information, the accessible resource corresponding to the Internet of Things terminal on the home gateway.
4. The method according to claim 3, characterized in that the user information includes the Media Access Control (MAC) address and the password of the Internet of Things terminal, and combinations of the same MAC address with different passwords correspond to the same or different access authority information.
5. The method according to claim 2, characterized in that the resource apparatus is a terminal device and the accessible resource is the set of applications allowed to be enabled; before sending to the RADIUS server the authority acquiring request carrying the user information, the method includes: entering the user information acquisition state after receiving an enabling operation that indicates starting an application on the terminal device; and receiving user information while in the user information acquisition state;
and after receiving the authority acquiring response carrying the access authority information sent by the RADIUS server, the method includes: determining whether to enable the application according to the set of applications that the access authority information allows to be enabled.
6. The method according to claim 1, characterized in that the user information includes a username and a password, and combinations of the same username with different passwords correspond to different access authority information.
7. The method according to claim 1, characterized in that sending to the Remote Authentication Dial-In User Service (RADIUS) server the authority acquiring request carrying the user information includes: sending to the RADIUS server an access request message Access-Request carrying the user information and an access permission mark access-permission;
and receiving the authority acquiring response carrying the access authority information sent by the RADIUS server includes: receiving the access accept message Access-Accept carrying the access authority information sent by the RADIUS server.
8. The method according to claim 7, characterized in that, after receiving the access accept message Access-Accept carrying the access authority information sent by the RADIUS server, the method includes:
sending to the RADIUS server an accounting request message Accounting-Request carrying the access authority information, the accounting request message being used to request the RADIUS server to determine, according to the access authority information, the charging mode and/or charging rate corresponding to the user information.
9. The method according to claim 7, characterized in that the access request message contains an attribute-value pair (AVP) field whose type field characterizes the access permission mark.
10. An authority acquiring method, characterized in that the method includes:
a Remote Authentication Dial-In User Service (RADIUS) server receiving the authority acquiring request carrying user information sent by a RADIUS client, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and
sending to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information.
11. The method according to claim 10, characterized in that the RADIUS server receiving the authority acquiring request carrying the user information sent by the RADIUS client includes: the RADIUS server receiving the access request message Access-Request carrying the user information and the access permission mark sent by the RADIUS client;
and sending to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information includes: sending to the RADIUS client the access accept message Access-Accept carrying the access authority information corresponding to the user information.
12. The method according to claim 11, characterized in that, after sending to the RADIUS client the access accept message Access-Accept carrying the access authority information corresponding to the user information, the method includes: receiving the accounting request message Accounting-Request carrying the access authority information sent by the RADIUS client; and determining, according to the access authority information, the charging mode and/or charging rate corresponding to the user information.
13. An authority acquiring device, characterized in that the authority acquiring device includes:
a first sending module, configured to send to a Remote Authentication Dial-In User Service (RADIUS) server an authority acquiring request carrying user information, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and
a first receiving module, configured to receive the authority acquiring response carrying the access authority information sent by the RADIUS server.
14. An authority acquiring device, characterized in that the authority acquiring device includes:
a second receiving module, configured to receive the authority acquiring request carrying the user information sent by a Remote Authentication Dial-In User Service (RADIUS) client, the authority acquiring request being used to obtain the access authority information corresponding to the user information; and
a second sending module, configured to send to the RADIUS client the authority acquiring response carrying the access authority information corresponding to the user information.
15. A resource apparatus, characterized in that the resource apparatus includes:
a memory, a processor, and an authority acquiring program stored on the memory and runnable on the processor, where the processor, when executing the program, realizes the authority acquiring method of any one of claims 1 to 9.
16. A Remote Authentication Dial-In User Service (RADIUS) authentication server, characterized in that the RADIUS authentication server includes:
a memory, a processor, and an authority acquiring program stored on the memory and runnable on the processor, where the processor, when executing the program, realizes the authority acquiring method of any one of claims 10 to 12.
17. A computer-readable storage medium storing an authority acquiring program, where the authority acquiring program, when executed by a processor, realizes the steps of the authority acquiring method of any one of claims 1 to 12.
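The accounting step of claims 8 and 12, as an added Python example that is not the patent's own code: after Access-Accept, the RADIUS client sends an Accounting-Request (RFC 2866) carrying the access authority it was granted in a vendor-specific AVP, and the RADIUS server verifies the Request Authenticator before deriving the charging mode and charging rate from that authority. The vendor id, sub-attribute number, shared secret and tariff table are constructed placeholders; the exchange is done in-process rather than over UDP.

```python
"""Added example (not the patent's code): Accounting-Request carrying the
granted access authority, and a server that derives charging mode and rate
from it. Vendor id, sub-attribute number, secret and tariff are placeholders."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS_TYPE = 1, 26, 40
ACCT_START = 1                                  # Acct-Status-Type value "Start"
VENDOR_ID, VSA_ACCESS_PERMISSION = 99999, 1     # placeholders (assumption)
SHARED_SECRET = b"constructed-demo-secret"

# Constructed tariff table keyed by access authority: (charging mode, rate per unit).
TARIFF = {"admin": ("flat", 0.0), "basic": ("per-session", 0.25)}


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _request_authenticator(code: int, ident: int, attrs: bytes) -> bytes:
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + b"\0" * 16 + attrs + SHARED_SECRET).digest()

def build_accounting_request(ident: int, username: str, authority: str) -> bytes:
    """Client side: Accounting-Request (Start) carrying the access authority from Access-Accept."""
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID)
                    + _avp(VSA_ACCESS_PERMISSION, authority.encode())))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return head + _request_authenticator(ACCOUNTING_REQUEST, ident, attrs) + attrs

def accounting_server(packet: bytes):
    """Server side: returns (charging_mode, rate, Accounting-Response) or None when
    the Request Authenticator is wrong (RFC 2866 says to silently discard such packets)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    if code != ACCOUNTING_REQUEST or not hmac.compare_digest(
            packet[4:20], _request_authenticator(code, ident, attrs)):
        return None
    authority, i = None, 0
    while i < len(attrs):                       # locate our vendor-specific sub-attribute
        t, ln = attrs[i], attrs[i + 1]
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", attrs[i + 2:i + 6])[0] == VENDOR_ID:
            sub_len = attrs[i + 7]
            authority = attrs[i + 8:i + 6 + sub_len].decode()
        i += ln
    mode, rate = TARIFF.get(authority, ("denied", None))
    # Accounting-Response authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)
    head = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20)
    return mode, rate, head + hashlib.md5(head + packet[4:20] + SHARED_SECRET).digest()
```

Because the charging decision is keyed on the authority value inside the packet, the authenticator check is what keeps a modified request from being billed at the wrong tariff: a single flipped byte in the attributes makes `accounting_server` return `None` instead of a response.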
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710444357.2A CN109150787A (en) | 2017-06-13 | 2017-06-13 | A kind of authority acquiring method, apparatus, equipment and storage medium |
PCT/CN2017/102299 WO2018227802A1 (en) | 2017-06-13 | 2017-09-19 | Permission obtaining method, apparatus and device, and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710444357.2A CN109150787A (en) | 2017-06-13 | 2017-06-13 | A kind of authority acquiring method, apparatus, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109150787A true CN109150787A (en) | 2019-01-04 |
Family ID: 64660049
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710444357.2A Withdrawn CN109150787A (en) | 2017-06-13 | 2017-06-13 | A kind of authority acquiring method, apparatus, equipment and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109150787A (en) |
WO (1) | WO2018227802A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110162982A (en) * | 2019-04-19 | 2019-08-23 | 中国平安人寿保险股份有限公司 | Detect method and device, the storage medium, electronic equipment of illegal permission |
CN112532640A (en) * | 2020-12-02 | 2021-03-19 | 北京天融信网络安全技术有限公司 | Authentication method, authentication device, electronic equipment and computer-readable storage medium |
CN113759883A (en) * | 2021-10-26 | 2021-12-07 | 深圳市元征科技股份有限公司 | Vehicle diagnosis method, vehicle gateway device, server, and storage medium |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112052479B (en) * | 2020-09-04 | 2024-06-14 | 广东小天才科技有限公司 | Terminal application authority management method, system, electronic equipment and storage medium |
CN113239377B (en) * | 2021-05-14 | 2024-05-17 | 北京百度网讯科技有限公司 | Authority control method, device, equipment and storage medium |
CN114157475B (en) * | 2021-11-30 | 2023-09-19 | 迈普通信技术股份有限公司 | Equipment access method and device, authentication equipment and access equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101453460A (en) * | 2007-12-07 | 2009-06-10 | 华为技术有限公司 | Access control method, communication system and related equipment |
CN101582769A (en) * | 2009-07-03 | 2009-11-18 | 杭州华三通信技术有限公司 | Authority setting method of user access network and equipment |
CN101697550A (en) * | 2009-10-30 | 2010-04-21 | 北京星网锐捷网络技术有限公司 | Method and system for controlling access authority of double-protocol-stack network |
US20170041310A1 (en) * | 2014-04-15 | 2017-02-09 | Huawei Technologies Co., Ltd. | Rights control method, client, and server |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101267304B (en) * | 2007-03-13 | 2010-09-08 | 华为技术有限公司 | A network access privilege control method, device and system |
CN101282254B (en) * | 2007-04-02 | 2011-06-01 | 华为技术有限公司 | Method, system and apparatus for managing household network equipment |
CN102143493A (en) * | 2011-01-26 | 2011-08-03 | 惠州Tcl移动通信有限公司 | Mobile communication terminal with user management function and user management method thereof |
US10069827B2 (en) * | 2012-10-31 | 2018-09-04 | International Business Machines Corporation | Extending authentication and authorization capabilities of an application without code changes |
CN105530224B (en) * | 2014-09-30 | 2019-01-25 | 中国电信股份有限公司 | The method and apparatus of terminal authentication |
Timeline
- 2017-06-13: CN application CN201710444357.2A filed (publication CN109150787A), status: withdrawn
- 2017-09-19: PCT application PCT/CN2017/102299 filed (publication WO2018227802A1), status: application filing
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110162982A (en) * | 2019-04-19 | 2019-08-23 | 中国平安人寿保险股份有限公司 | Detect method and device, the storage medium, electronic equipment of illegal permission |
CN110162982B (en) * | 2019-04-19 | 2024-06-04 | 中国平安人寿保险股份有限公司 | Method and device for detecting illegal rights, storage medium and electronic equipment |
CN112532640A (en) * | 2020-12-02 | 2021-03-19 | 北京天融信网络安全技术有限公司 | Authentication method, authentication device, electronic equipment and computer-readable storage medium |
CN113759883A (en) * | 2021-10-26 | 2021-12-07 | 深圳市元征科技股份有限公司 | Vehicle diagnosis method, vehicle gateway device, server, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2018227802A1 (en) | 2018-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230412577A1 (en) | | Disposable browsers and authentication techniques for a secure online user environment |
US11843589B2 (en) | | Network connection automation |
CA3059330C (en) | | Systems and methods for dynamic flexible authentication in a cloud service |
CN109150787A (en) | | A kind of authority acquiring method, apparatus, equipment and storage medium |
US20180332080A1 (en) | | Secure Web Container for a Secure Online User Environment |
US9407615B2 (en) | | Single set of credentials for accessing multiple computing resource services |
CA2868896C (en) | | Secure mobile framework |
US9137228B1 (en) | | Augmenting service provider and third party authentication |
US20140089661A1 (en) | | System and method for securing network traffic |
CN106921636A (en) | | Identity identifying method and device |
CN108881218B (en) | | Data security enhancement method and system based on cloud storage management platform |
Berbecaru et al. | | Providing login and Wi-Fi access services with the eIDAS network: A practical approach |
CN112565209B (en) | | Network element equipment access control method and equipment |
CN104767728A (en) | | Identity authentication method and system based on home-based elderly care |
CAMERONI | | Providing Login and Wi-Fi Access Services With the eIDAS Network: A Practical Approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
WW01 | Invention patent application withdrawn after publication | | Application publication date: 20190104 |