CN110708310B - Tenant-level authority management method, device and equipment - Google Patents

Publication number
CN110708310B
Authority
CN
China
Prior art keywords
authorization
application
tenant
deployment environment
license file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910938470.5A
Other languages
Chinese (zh)
Other versions
CN110708310A (en)
Inventor
张军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Application filed by Hangzhou Dt Dream Technology Co Ltd
Priority to CN201910938470.5A
Publication of CN110708310A
Application granted
Publication of CN110708310B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management

Abstract

The embodiment of the invention provides a tenant-level authority management method and device, which are used for releasing human development resources. In the embodiment of the invention, the PAAS platform generates the deployment environment digest, the authorization system subsequently generates the authorization license file according to the deployment environment digest generated by the PAAS platform, and after the authorization license file is uploaded to the PAAS platform, the PAAS platform imports it into the applications under the tenant. In this embodiment, an authorization license file does not need to be generated separately for each application, and the parsing of the authorization file and the generation of the deployment environment digest are completed by the PAAS platform. Therefore, with the scheme provided by the embodiment, each application does not need to develop the same module code to implement authority control, the cost of connecting a service application to authority control is reduced, the human resources that each application would spend developing authority control logic are released, and developers can concentrate on the business domain.

Description

Tenant-level authority management method, device and equipment
Technical Field
The invention relates to the technical field of computers, in particular to a tenant-level authority management method and device.
Background
With the development of cloud computing technology, the option of deploying applications using a Platform As A Service (PAAS) Platform has become a preferred solution. The PAAS platform is a business model that provides the running and development environment of application services as services. The PAAS platform has a plurality of tenants, a software product can be installed in a one-tenant environment (also can be considered as under one tenant), and one software product can be composed of a plurality of applications.
These applications require authority control. The existing application authority control logic mainly comprises the following steps:
1) the authorization system generates an authorization file;
2) the software delivery personnel import the authorization file into the application;
3) the application parses the authorization file to generate a deployment environment digest;
4) the software delivery personnel import the deployment environment digest into the authorization system to generate an authorization license file;
5) the software delivery personnel import the authorization license file into the application, and the authorization succeeds.
In the existing authority control scheme, authority control works only if the application itself parses the authorization file, generates the deployment environment digest, and so on. Therefore, each application needs to develop the same module code to implement authority control. When the number of applications is large, this repetitive work is a serious waste of resources under a development approach of agile development and rapid delivery, and each application has to invest corresponding manpower to do the same work, so that software developers cannot concentrate on the business domain.
Disclosure of Invention
In view of this, embodiments of the present invention provide a tenant-level authority management method and apparatus to release human development resources.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
A tenant-level authority management method is applied to a PAAS platform and comprises the following steps:
receiving an authorization file generated by an authorization system;
generating a deployment environment digest according to the authorization file and the software environment of the tenant;
receiving an authorization license file of the tenant, wherein the authorization license file is generated after the deployment environment digest is imported into the authorization system;
verifying the authorization license file;
and importing the verified authorization license file into the applications under the tenant, and performing unified authority management on the applications deployed under the tenant.
Optionally, the unified authority management on the application deployed under the tenant includes: regularly detecting whether each application under the tenant is registered; and when the unregistered application exists, stopping the unregistered application and releasing the resource occupied by the unregistered application.
Optionally, the unified rights management of the application deployed under the tenant further includes: the authorization remaining time of the authorization license file is periodically calculated.
Optionally, an authorization module is embedded in the application under the tenant, and the authorization module is loaded when the application is started; the unified rights management further includes: receiving an authorization information acquisition request sent by the authorization module, wherein the authorization information acquisition request carries a deployment environment digest; searching for the authorization license file and authorization remaining time associated with the deployment environment digest in the authorization information acquisition request; and returning the found authorization license file and authorization remaining time to the authorization module.
Optionally, the unified rights management further includes: periodically comparing whether the current deployment environment digest of the tenant is consistent with the deployment environment digest in the authorization license file; if not, changing the state of the authorization license file to 'unauthorized'; and periodically performing signature verification on the authorization license file, and if the verification fails, changing the state of the authorization license file to 'unauthorized'.
Optionally, the verifying of the authorization license file includes: performing a format check on the fields in the authorization license file; verifying the signature of the contents of the authorization license file; if both the format check and the signature verification succeed, the verification passes; otherwise, the verification fails.
Optionally, the method further includes: importing the deployment environment digest, a public key associated with the deployment environment digest, and an identification (ID) of the application into the application under the tenant, wherein the deployment environment digest imported into the application is a first deployment environment digest. When the application is started, an authorization module embedded in the application is used for: obtaining an encrypted deployment environment digest from the PAAS platform; decrypting the encrypted deployment environment digest using the public key to obtain a second deployment environment digest; and comparing the first deployment environment digest with the second deployment environment digest, wherein if the comparison fails, the application fails to start.
Optionally, the authorization module is further configured to: if the comparison of the first deployment environment digest with the second deployment environment digest succeeds, register with the PAAS platform using the imported ID.
A tenant-level rights management apparatus comprising:
an uploading unit for receiving the authorization file generated by the authorization system, generating a deployment environment digest according to the authorization file and the software environment of the tenant, and receiving an authorization license file of the tenant, wherein the authorization license file is generated after the deployment environment digest is imported into the authorization system;
A verification unit for verifying the authorization license file;
and the authority management unit is used for importing the verified authorized license file into the application under the tenant and carrying out unified authority management on the application deployed under the tenant.
Optionally, in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is specifically configured to: regularly detecting whether each application under the tenant is registered; and when the unregistered application exists, stopping the unregistered application and releasing the resource occupied by the unregistered application.
Optionally, in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is further specifically configured to: the authorization remaining time of the authorization license file is periodically calculated.
Optionally, an authorization module is embedded in the application under the tenant, and the authorization module is loaded when the application is started; in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is further specifically configured to: receive an authorization information acquisition request sent by the authorization module, wherein the authorization information acquisition request carries a deployment environment digest; search for the authorization license file and authorization remaining time associated with the deployment environment digest in the authorization information acquisition request; and return the found authorization license file and authorization remaining time to the authorization module.
Optionally, in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is further specifically configured to: periodically compare whether the current deployment environment digest of the tenant is consistent with the deployment environment digest in the authorization license file; if not, change the state of the authorization license file to 'unauthorized'; and periodically perform signature verification on the authorization license file, and if the verification fails, change the state of the authorization license file to 'unauthorized'.
A tenant-level rights management device comprising at least a processor and a memory; the processor executes the tenant-level authority management method by executing the program stored in the memory and calling other devices.
It can be seen that, in the embodiment of the present invention, the PAAS platform generates the deployment environment digest, the subsequent authorization system generates the authorization license file (including the deployment environment digest) according to the deployment environment digest generated by the PAAS platform, and after the authorization license file is uploaded to the PAAS platform, the PAAS platform imports the authorization license file into the application under the tenant.
Meanwhile, in the embodiment, an authorization license file does not need to be generated once for each application, the analysis of the authorization file and the generation of the deployment environment abstract are completed by the PAAS platform, and each application does not need to analyze and generate the deployment environment abstract as in the prior art. Therefore, by adopting the scheme provided by the embodiment, each application does not need to develop the same module code to realize the authority control, the cost of accessing the authority control of the service application is reduced, the human resources of the authority control logic developed by each application are released, and developers can concentrate on the service field.
Drawings
FIG. 1a is an exemplary architecture of a PAAS platform provided by an embodiment of the present invention;
FIG. 1b is a diagram illustrating another exemplary structure of a PAAS platform according to an embodiment of the present invention;
FIG. 2 is an exemplary application scenario provided by an embodiment of the present invention;
fig. 3 is an exemplary structure of a rights management apparatus according to an embodiment of the present invention;
fig. 4 is an exemplary flow of a tenant-level rights management method according to an embodiment of the present invention;
fig. 5 is another exemplary flow of a tenant-level rights management method according to an embodiment of the present invention;
fig. 6 is another exemplary flow of a tenant-level rights management method according to an embodiment of the present invention;
fig. 7 is another exemplary flow of a tenant-level rights management method according to an embodiment of the present invention;
fig. 8 is another exemplary structure of a rights management device according to an embodiment of the invention.
Detailed Description
For reference and clarity, the terms and abbreviations used hereinafter are summarized as follows:
PAAS: Platform-as-a-Service;
ID: Identification;
API: Application Programming Interface;
docker: an open source application container engine;
SDK: Software Development Kit, a collection of development tools used by software engineers to build application software for a particular software package, software framework, hardware platform, operating system, etc.;
License: a form of contract by which a product vendor authorizes the scope of use, duration, etc. of a product's features; a License may dynamically control whether certain features or functions of the product are available.
The embodiment of the invention provides a tenant-level authority management method and device, which are used for realizing authority control on a plurality of applications of the same tenant on a PAAS platform.
Referring to fig. 1a, the PAAS platform may include a web server and a backend server in hardware. It should be noted that fig. 1a only illustrates one web server and one backend server, and those skilled in the art can flexibly design the number of web servers and backend servers according to actual needs.
Fig. 1b shows the software architecture of the PAAS platform: there are multiple tenants on the PAAS platform, a software product can be installed under a tenant (also can be considered as a tenant environment), and one software product can contain a plurality of applications (application 1-application n) to provide services. Rights management for software products includes rights (License) management for each application.
Fig. 2 shows an exemplary application scenario of the PAAS platform: software products installed by a tenant are shopping platform software products, and a series of applications are included in the shopping platform software products, such as a user center, an order center, a commodity center, a logistics center and the like. Rights management for the shopping platform software product includes rights management for each application.
Referring to fig. 1b and fig. 2, the functional modules of the PAAS platform mainly related to the embodiment of the present invention include an item (tenant) management module 1 and a configuration center 2.
The tenant-level authority management device in the embodiment of the present invention may include an item (tenant) management module 1, and may also include the item (tenant) management module 1 and a configuration center 2.
Referring to fig. 3, the item (tenant) management module 1 may further include: an uploading unit 11, a detection unit 12 and a rights management unit 13.
In other embodiments of the present invention, still referring to fig. 3, the item (tenant) management module 1 may further include a registration unit 14. Of course, the rights management unit 13 and the registration unit 14 may also be merged.
The role of the above modules and units will be further described later in this document in connection with a tenant-level rights management method.
The core of the tenant level management method and the device is that the unified authority management is carried out on the application under the tenant environment based on the same authorization license file.
It should be noted that authorization management between different projects (tenants) has no relationship. For example, the authorization license file of tenant a cannot be used for authorization management of tenant B.
In one example, it may be designed to perform unified rights management for applications under each tenant by default;
in another example, referring to fig. 3, the PAAS platform may also provide an authorization control switch, performing unified rights management only for applications under the tenant that has turned on the authorization control switch.
The authorization control switch may be independent of the project management module 1 or may be an integral part of the project management module 1. In particular, the authorization control switch may provide a page function for the PAAS platform.
The following describes embodiments of the present invention in further detail based on the above general description.
Fig. 4 shows an exemplary flow of the tenant-level rights management method executed by the tenant-level rights management apparatus, including:
S1: receiving an authorization file generated by an authorization system.
The authorization system may be a third party system or may be an integral part of the PAAS platform.
It should be noted that, in the scenario where the PAAS platform provides the authorization control switch, the method may further include, before step S1, step S0 (see fig. 5): turning on the authorization control switch of the current tenant. The turning-on operation is performed by the owner of the software product.
S2: generating a deployment environment digest according to the authorization file and the software environment of the tenant.
It should be noted that this differs from the prior art, in which the deployment environment digest is generated by the application according to its own software environment.
In this embodiment, the deployment environment digest is generated according to the software environment of the tenant.
The manner of generating the deployment environment digest according to the authorization file and the software environment may follow existing practice and is not described herein.
S3: receiving an authorization license file of the tenant.
All applications under the project are managed using the same authorization license file.
The authorization license file is generated after the deployment environment digest is imported into the authorization system. The authorization license file may be uploaded to the PAAS platform by the owner of the software product, and the uploading unit 11 provides the uploading function to the owner of the software product.
In particular, the authorization license file may include the deployment environment digest. It should be noted that the deployment environment is the product's operating environment, and the deployment environment digest is a unique value calculated from the product deployment environment.
In addition, the authorization license file may further include an authorization size, an authorization function, an authorization time, and the like.
In one example, steps S1-S3 may be performed by the aforementioned upload unit 11.
S4: verifying the authorization license file; if the verification passes, the subsequent step S5 may be entered.
After the detection is passed, the authorization license file can be stored to the aforementioned configuration center 2.
Step S4 may be specifically executed by the detection unit 12 described above.
The detection performed by the detection unit 12 may include: format checking is performed on fields in the authorization license file, a signature of the contents of the authorization license file is checked, and the like.
The format check serves to enforce a uniform format, and the signature check serves to verify whether the authorization license file has been modified.
It should be noted that, before uploading the authorization license file, the owner of the software product provides a public key to the PAAS platform. To produce the signature, a digest of the authorized content is generally generated with a hash function, and the digest is encrypted with the private key of the owner of the software product.
After the authorization license file is uploaded, the PAAS platform decrypts the signature with the public key to obtain a digest (which may be referred to as the first digest). It then generates a digest (which may be referred to as the second digest) of the contents of the authorization license file using the hash function. If the first digest is consistent with the second digest, the authorization license file has not been modified and the signature verification passes.
In other embodiments of the present invention, if any of the format check and the signature check fails, a corresponding failure reason may be prompted so that the owner revises the authorization license file for retransmission.
It should be noted that if the owner wants to update the contents of the authorized license file, a new authorized license file may be uploaded to the PAAS platform, and the tenant-level rights management apparatus also performs steps S3 and S4 on the new authorized license file.
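The S4 check described above (format check, then comparing the digest recovered from the signature with the digest recomputed from the content), as an added example that is not code from the patent. The field names and formats, the JSON encoding and the demo key are assumptions; the unpadded RSA arithmetic mirrors the patent's wording only, and a real deployment would use a padded signature scheme from a vetted library.

```python
import hashlib
import json
import re

# Constructed demo key, not from the patent: two Mersenne primes give a fixed
# modulus so the example runs offline. Never use such a key in practice.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key the owner gives the platform
D = pow(E, -1, (P - 1) * (Q - 1))      # owner's private exponent

# Hypothetical field names and formats: the patent lists the content items
# (digest, size, function, time) but not how they are encoded.
FIELD_FORMATS = {
    "deployment_digest": r"[0-9a-f]{64}",
    "auth_size": r"[1-9][0-9]{0,5}",
    "auth_functions": r"[a-z_]+(,[a-z_]+)*",
    "auth_start": r"\d{4}-\d{2}-\d{2}",
    "auth_days": r"[1-9][0-9]{0,3}",
}

SAMPLE_CONTENT = {  # constructed sample values
    "deployment_digest": hashlib.sha256(b"tenant-a software environment").hexdigest(),
    "auth_size": "200",
    "auth_functions": "order_center,user_center",
    "auth_start": "2024-01-01",
    "auth_days": "90",
}


def content_digest(content):
    """Hash a canonical encoding so signer and verifier hash identical bytes."""
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def sign_license(content, d=D, n=N):
    """Owner side: encrypt the content digest with the private key."""
    signature = format(pow(content_digest(content), d, n), "x")
    return {"content": dict(content), "signature": signature}


def check_format(license_file):
    """Return one reason per field that is missing, malformed or unexpected."""
    content = license_file.get("content")
    if not isinstance(content, dict):
        return ["format: content is missing or not an object"]
    reasons = []
    for name, pattern in FIELD_FORMATS.items():
        value = content.get(name)
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            reasons.append("format: field %r is missing or malformed" % name)
    for name in sorted(set(content) - set(FIELD_FORMATS)):
        reasons.append("format: unexpected field %r" % name)
    return reasons


def check_signature(license_file, e=E, n=N):
    """Platform side: compare the first digest with the second digest."""
    content = license_file.get("content")
    signature = license_file.get("signature")
    if (not isinstance(content, dict) or not isinstance(signature, str)
            or not re.fullmatch(r"[0-9a-f]{1,512}", signature)):
        return ["signature: missing or not hexadecimal"]
    first = pow(int(signature, 16), e, n)   # digest recovered from the signature
    second = content_digest(content)        # digest recomputed from the content
    return [] if first == second else ["signature: digest mismatch"]


def verify_license(license_file, e=E, n=N):
    """Pass only if both checks pass; otherwise return the failure reasons."""
    if not isinstance(license_file, dict):
        return (False, ["format: license file is not an object"])
    reasons = check_format(license_file) + check_signature(license_file, e, n)
    return (not reasons, reasons)
```

A well-formed edit such as changing `auth_days` from `"90"` to `"900"` still passes the format check, so only the signature check detects it.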
S5: importing the verified authorization license file into the applications under the tenant, and performing unified authority management on the applications deployed under the tenant.
In particular, in a containerization scenario, the authorization license file may be injected into a container of the application. In the non-containerization scenario, the authorization license file may be passed to the application, which stores the authorization license file in a database or saves it to a file.
Step S5 may be performed by the aforementioned rights management unit 13.
It can be seen that, in the embodiment of the present invention, the PAAS platform generates the deployment environment digest, the subsequent authorization system generates the authorization license file (including the deployment environment digest) according to the deployment environment digest generated by the PAAS platform, and after the authorization license file is uploaded to the PAAS platform, the PAAS platform imports the authorization license file into the application under the tenant.
Meanwhile, in the embodiment, an authorization license file does not need to be generated once for each application, the analysis of the authorization file and the generation of the deployment environment abstract are completed by the PAAS platform, and each application does not need to analyze and generate the deployment environment abstract as in the prior art. Therefore, by adopting the scheme provided by the embodiment, each application does not need to develop the same module code to realize the authority control, the cost of accessing the authority control of the service application is reduced, the human resources of the authority control logic developed by each application are released, and developers can concentrate on the service field.
The unified authority management of the PAAS platform on the application under the tenant is described in detail below.
Referring to fig. 5, the unified rights management may include:
S50: completing registration of the application using the authorization license file.
The configuration center 2 is configured to maintain the application ID of the application that is successfully registered, or to register the application under the tenant in the configuration center 2.
Step S50 may be specifically executed by the aforementioned registration unit 14 when the application is started.
In one example, the registration operation may be performed each time the application is launched.
Taking the order center as an example, the order center attempts to register with the configuration center 2 through the registration unit 14 every time the order center is started, and if the registration is successful, the order center is a legal application.
It should be noted that steps S3 and S4 are the premise that step S50 is executed, and if the application under the tenant starts, the execution may be started directly from step S50 in the case that the authorization license file has been uploaded and passed the verification.
S51: periodically detecting whether each application under the tenant is registered.
Step S51 may be performed by the aforementioned rights management unit 13.
In one example, in a scenario where the PAAS platform provides the authorization control switch, the authority management unit 13 may periodically acquire IDs of all applications under a tenant that has started the authorization control switch, and check whether each acquired application ID is registered in the configuration center.
S52: when an unregistered application exists, stopping the unregistered application and releasing the resources it occupies.
Step S52 may be performed by the aforementioned rights management unit 13.
Still taking the order center as an example, assuming that the application ID of the order center is 01000, and the ID is not registered in the configuration center 2, the order center is stopped, and the resource occupied by the order center is released.
The PAAS platform checks the unique identifier of the controlled application at regular time, ensures that the applications running in the tenant environment are authorized applications, and improves the utilization rate of tenant resources and the safety of tenant virtual machines.
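One pass of the periodic unified management the page describes (registration sweep of S51-S52, authorization remaining time, and the deployment environment digest consistency check), as an added example that is not code from the patent. The record layout, function names, dates and the IDs other than the page's 01000 are constructed; stopping every application after expiry is the optional behaviour the page gives as one example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class TenantLicense:
    """What the configuration center holds for one tenant (assumed layout)."""
    deployment_digest: str                  # digest carried in the license file
    auth_start: datetime                    # authorization start time
    auth_duration: timedelta                # authorization duration
    registered_ids: set = field(default_factory=set)
    state: str = "authorized"


def remaining_time(lic, now):
    """Authorization remaining time, never negative."""
    return max(lic.auth_start + lic.auth_duration - now, timedelta(0))


def periodic_audit(lic, current_digest, running_ids, now, stop_on_expiry=True):
    """Run one audit pass and return what the platform should act on.

    current_digest is the digest recomputed from the tenant's present
    software environment; running_ids are the IDs of running applications.
    """
    # Digest drift means the license no longer matches this environment.
    if not hmac.compare_digest(lic.deployment_digest.encode(),
                               current_digest.encode()):
        lic.state = "unauthorized"

    remaining = remaining_time(lic, now)
    expired = remaining == timedelta(0)

    # S51/S52: every running application must be registered.
    to_stop = set(running_ids) - lic.registered_ids
    if expired and stop_on_expiry:
        to_stop = set(running_ids)

    return {
        "state": lic.state,
        "remaining": remaining,
        "expired": expired,
        "stop": sorted(to_stop),
    }


# Constructed sample data. 01000 is the unregistered order center from the
# page's example; the other IDs and all dates are made up.
SAMPLE_DIGEST = hashlib.sha256(b"tenant-a software environment").hexdigest()
RUNNING_IDS = ["01000", "01001", "01002"]
NOW = datetime(2024, 2, 1)
AFTER_EXPIRY = datetime(2024, 4, 1)


def sample_license():
    return TenantLicense(
        deployment_digest=SAMPLE_DIGEST,
        auth_start=datetime(2024, 1, 1),
        auth_duration=timedelta(days=90),
        registered_ids={"01001", "01002"},
    )


if __name__ == "__main__":
    print(periodic_audit(sample_license(), SAMPLE_DIGEST, RUNNING_IDS, NOW))
```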
The following description focuses on how an application is registered, and with reference to fig. 6, an exemplary method may include the following steps:
S601-S602 are the same as S3-S4, and are not described herein.
It should be noted that, for convenience, the present embodiment is described beginning with the uploading of the authorization license file; in fact, receiving the authorization file and generating the deployment environment digest have also been completed.
S603: after the verification passes, the project (tenant) management module stores the authorization license file to the configuration center.
In one example, the configuration center maintains a correspondence of the deployment environment digest to the authorized license file.
Specifically, the configuration center can maintain the correspondence between the deployment environment digest and each content item separately.
Step S603 can be specifically executed by the detection unit 12.
In other embodiments of the present invention, the detection unit 12 may also periodically (e.g., daily) calculate the authorization remaining time based on the authorization time.
The authorization time includes: an authorization start time (date) and duration (e.g., 3 months), from which the authorization remaining time can be calculated. For some critical scenarios, the grant start time and grant remaining time may be accurate to minutes or seconds.
For the PAAS platform, the authorization remaining time may be used to determine whether the authorization license file has expired. If it has expired, the PAAS platform can issue an expiration reminder.
In one example, the PAAS platform may also stop the application under the tenant and release the resources occupied by the application after the expiration.
In addition, the PAAS platform may also provide the authorized remaining time to the application at the request of the application. As will be described later herein.
The PAAS platform can call an API interface of the configuration center and write the authorization license file, the authorization remaining time and the like of the project into the configuration center.
S604: the project (tenant) management module assigns an associated key pair to the deployment environment digest in the authorization license file.
The key pair is generated by the item (tenant) management module.
The key pair, which includes a private key and a public key, is also maintained by the aforementioned configuration center 2.
Step S604 may be executed by the aforementioned registration unit 14, or may be executed by the newly added allocation unit.
In one example, the deployment environment digest may be encrypted using a private key, resulting in an encrypted deployment environment digest. In the configuration center, a correspondence between the (unencrypted) deployment environment digest and the encrypted deployment environment digest may also be maintained.
Further, the aforementioned authorization license file includes a plurality of content items (e.g., authorization size, authorization function, authorization time, etc.), and for security reasons, part or all of the content items of the authorization license file may be encrypted using the private key.
For example, assuming that the authorization size and the authorization function need to be encrypted, the configuration center may maintain the following correspondences:
deployment environment digest <-> encrypted authorization size;
deployment environment digest <-> encrypted authorization function;
deployment environment digest <-> unencrypted authorization time;
deployment environment digest <-> encrypted deployment environment digest.
S605: the deployed application under the tenant is started.
The application is a concept of the PAAS platform, and the application deployed on the PAAS platform corresponds to one record, and also has a unique application ID.
In other embodiments of the present invention, before the application is started, if necessary, a new application can be created and deployed by the application management part (application management unit) of the project (tenant) management module, and the application ID is generated when the application is created.
It should be noted that the application start here refers to generating an instance of an application.
For convenience of description, the present embodiment will be described with an application x as an example, where the application x may be any application under the tenant.
S606: the authorization module embedded in application x is loaded.
In one example, the authorization module is embodied as an SDK embedded in application x, which may be referred to as a License-SDK in this embodiment.
The License-SDK is provided by the PAAS platform. For example, for an application to use the unified authority management function of the platform, the License-SDK needs to be embedded into the application when the application is developed, and the License-SDK is loaded at the program entry point when the application is started.
It should be noted that the License-SDK encapsulates the interaction with the outside, and the interaction between the License-SDK and the PAAS platform is imperceptible to the embedded application.
S607: the project (tenant) management module injects the registration-related information into the application container corresponding to application x.
The application container is the resource environment in which the application runs, and provides the network, computing, storage and other resources required for running the application.
In one example, the registration-related information may include at least: an authorization license file (or a deployment environment digest associated with the tenant), a public key associated with the deployment environment digest, and an application ID.
It should be noted that, in the containerization scenario, data in the application container is not persisted, and once the application is restarted, a new container is regenerated, so that the application ID needs to be injected each time the application is started.
Illustratively, the application container may be a docker container.
Docker uses environment variables to convey relevant information, including the container's daemon options, the container hostname, and other utility information that runs in the container. Therefore, the registration-related information can be injected into the container as an environment variable.
Specifically, the container may obtain the registration-related information by obtaining the environment variable.
Step S607 may be performed by the aforementioned registration unit 14. The registration unit 14 can obtain the deployment environment digest and the public key from the configuration center 2, and inject the deployment environment digest and the public key into the application container together with the application ID.
Generally, the injected deployment environment digest is consistent with the encrypted deployment environment digest stored by the tenant in the PAAS platform; but in special cases (for example, when the deployment environment digest acquired from the PAAS platform has been modified), the deployment environment digest injected into the application is inconsistent with the deployment environment digest stored by the tenant in the PAAS platform.
For ease of reference, the deployment environment digest injected into the application container may be referred to as a first deployment environment digest.
S608: the authorization module obtains the encrypted deployment environment digest; if it is successfully obtained, the process proceeds to step S609, otherwise to step S612.
It was mentioned in step S604 that the configuration center maintains a correspondence between the (unencrypted) deployment environment digest and the encrypted deployment environment digest (encrypted digest for short).
In one example, the License-SDK requests the encrypted digest from the configuration center using the first deployment environment digest as a parameter; the configuration center can determine the corresponding encrypted digest according to the first deployment environment digest provided by the License-SDK and return the encrypted digest to the License-SDK.
Of course, if the first deployment environment digest provided by the License-SDK has been tampered with, the configuration center either cannot determine the corresponding encrypted digest, or may return an incorrect encrypted digest (the encrypted digest of another software product) to the License-SDK, in which case the returned encrypted digest cannot be decrypted successfully. In either case, the License-SDK fails to obtain the encrypted digest.
S609: the authorization module decrypts the encrypted deployment environment digest by using the injected public key to obtain a second deployment environment digest.
The public key injected into the application container corresponds to the private key. Decrypting the encrypted deployment environment digest with the public key yields the real deployment environment digest, which for convenience is referred to as the second deployment environment digest.
Of course, if the decryption fails, the process may proceed to step S612.
S610: the authorization module compares the first deployment environment digest with the second deployment environment digest; if the comparison is successful, the process goes to S611, otherwise to S612.
It should be noted that S608-S610 verify the deployment environment: if the acquisition fails or the comparison fails, the verification fails and the application cannot subsequently be started. In this way the application verifies the PAAS platform: because the comparison fails when either the injected deployment environment digest or the encrypted deployment environment digest has been tampered with, the application cannot be started, which ensures that the application runs on a safe and reliable platform.
S611: the authorization module registers with the PAAS platform (configuration center) using the injected application ID.
Specifically, the registration process writes the injected application ID into the configuration center. Taking application x as an example, successful registration indicates that application x is a legitimate application that is subject to authority control.
In one example, the configuration center may maintain a correspondence between the index and the registered application ID, where the index content may include the application ID and the deployment environment digest.
More specifically, each successfully registered application corresponds to a file in the configuration center, the content of the file is an application ID of the successfully registered application, and the index of the file may include the application ID and the deployment environment digest.
Still taking application x as an example, assuming that the application ID of application x is 0010, and the deployment environment digest is denoted by C, 0010 and C may be used to form an index, and a file may be found by using the index, where the content of the file is "0010".
The data relationships maintained by the configuration center include, but are not limited to, one or more of the following:
a. deployment environment digest <-> authorization license file;
further, the deployment environment digest may correspond to each content item in the authorization license file separately, whether or not the content item is encrypted. See the description in step S604 for details.
b. deployment environment digest <-> key pair;
c. deployment environment digest <-> encrypted deployment environment digest;
d. index (application ID + deployment environment digest) <-> file (registered application ID).
S612: the application fails to start.
Steps S608-S612 constitute the application's verification of the PAAS platform, which guarantees that the application runs on a trusted PAAS platform; the execution of step S611 additionally guarantees that only controlled applications are allowed to run normally in the tenant environment.
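Steps S604 and S607-S611 as an added Go example, not code from the patent: the patent names no algorithm, so "encrypting the digest with the private key" is modelled here as a raw RSA PKCS#1 v1.5 signature, and the public-key decryption and comparison of S609-S610 as its verification. The environment variable names, the in-memory `ConfigCenter`, the index format and the sample digest are assumptions constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// Hypothetical environment variable names; the patent does not name them.
const envDigest, envPubKey, envAppID = "LICENSE_ENV_DIGEST", "LICENSE_PUBLIC_KEY", "LICENSE_APP_ID"

var ErrStartFailed = errors.New("S612: application fails to start")

// ConfigCenter is an in-memory stand-in (assumption) for the configuration center.
type ConfigCenter struct {
	encrypted  map[string][]byte // relation c: digest -> encrypted digest
	registered map[string]string // relation d: index (app ID + digest) -> app ID
}

func NewConfigCenter() *ConfigCenter {
	return &ConfigCenter{encrypted: map[string][]byte{}, registered: map[string]string{}}
}

// Provision models S604: a key pair is generated for the digest and the digest
// is transformed with the private key. Go exposes that operation as a signature;
// crypto.Hash(0) signs the digest bytes directly instead of hashing them again.
func (c *ConfigCenter) Provision(digest []byte) (*rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	enc, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.Hash(0), digest)
	if err != nil {
		return nil, err
	}
	c.encrypted[string(digest)] = enc
	return &key.PublicKey, nil
}

// InjectEnv models S607: the registration-related information is handed to the
// container as environment variables (returned as a map here).
func InjectEnv(digest []byte, pub *rsa.PublicKey, appID string) (map[string]string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		envDigest: base64.StdEncoding.EncodeToString(digest),
		envPubKey: base64.StdEncoding.EncodeToString(der),
		envAppID:  appID,
	}, nil
}

// StartupCheck models S608-S611 inside the License-SDK. getenv is passed in so
// the check can be exercised without touching the real process environment.
func StartupCheck(getenv func(string) string, cc *ConfigCenter) error {
	first, err1 := base64.StdEncoding.DecodeString(getenv(envDigest))
	der, err2 := base64.StdEncoding.DecodeString(getenv(envPubKey))
	appID := getenv(envAppID)
	if err1 != nil || err2 != nil || len(first) == 0 || appID == "" {
		return fmt.Errorf("%w: incomplete registration information", ErrStartFailed)
	}
	parsed, err := x509.ParsePKIXPublicKey(der)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("%w: injected public key is not a valid RSA key", ErrStartFailed)
	}
	// S608: request the encrypted digest, using the first digest as the parameter.
	enc, found := cc.encrypted[string(first)]
	if !found {
		return fmt.Errorf("%w: no encrypted digest for the injected digest", ErrStartFailed)
	}
	// S609-S610: VerifyPKCS1v15 applies the public key to the encrypted digest and
	// compares the recovered value with the first digest in a single call.
	if err := rsa.VerifyPKCS1v15(pub, crypto.Hash(0), first, enc); err != nil {
		return fmt.Errorf("%w: digest comparison failed", ErrStartFailed)
	}
	// S611: register by writing the application ID under the index.
	cc.registered[appID+"|"+string(first)] = appID
	return nil
}

func main() {
	cc := NewConfigCenter()
	digest := []byte("constructed-digest-C") // constructed sample value
	pub, err := cc.Provision(digest)
	if err != nil {
		panic(err)
	}
	env, _ := InjectEnv(digest, pub, "0010")
	fmt.Println("startup error:", StartupCheck(func(k string) string { return env[k] }, cc))
}
```

The public key and the first digest reach the container through the same channel, so this check detects a modified digest or encrypted digest, but not a party able to replace the injected key as well.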
S613: the project (tenant) management module periodically acquires the IDs of the applications under the tenant that has the authorization control switch turned on.
Step S613 may be performed by the aforementioned right management unit 13.
Taking application x under tenant a as an example, the authority management unit 13 may periodically acquire an application ID of application x under tenant a.
S614: the project (tenant) management module detects whether the acquired application ID is registered in the configuration center.
Step S614 may be performed by the aforementioned right management unit 13.
The authority management unit 13 can use the application ID and the deployment environment digest corresponding to the tenant as parameters to acquire the corresponding data from the configuration center.
As mentioned above, each successfully registered application corresponds to a file in the configuration center, the file content is an application ID of the successfully registered application, and the index content may include the application ID and the deployment environment digest.
Taking application x under tenant a as an example, and assuming that the application ID of application x is 0010 and the deployment environment digest is C, the right management unit 1 may query the configuration center with 0010 and C as parameters.
The configuration center takes 0010 and C as indexes, finds the corresponding file, and returns the file content of '0010'.
Of course, if the application x is not registered successfully, the configuration center cannot find the corresponding file, and a message indicating that the content is empty or that the search fails is returned.
S615: if not, the application corresponding to the application ID is stopped and the resources it occupies are released.
Step S615 may be performed by the aforementioned right management unit 13.
Furthermore, the following application scenario is considered: after the authorization module successfully compares the first deployment environment digest with the second deployment environment digest (see S610 above), the application in which the authorization module is located may obtain the authorization license file through the authorization module and determine, according to the authorization license file, whether the application itself is authorized to start. If it is not authorized to start, the application does not register the injected application ID with the PAAS platform through the authorization module, and the application is subsequently not started; if it determines that it is authorized to start, the process proceeds to step S611.
As a more specific example, a software product contains 6 applications, and its authorization levels are categorized into general version, professional version, etc. With the professional version all 6 applications can run normally, while the general version may restrict some applications from running.
Assuming that the general version restricts application a from running, after acquiring the authorization license file of the general version, application a determines that it is not authorized to start, and it will not register with the PAAS platform through the authorization module using the injected application ID. Thus, the authority control of application a is realized.
In addition, when the application needs to use the authorization license file to perform authorization verification on the user under the application, the application also obtains the authorization license file from the PAAS platform.
How the application obtains the authorization license file is described below. Referring to fig. 7, the method may further include the following steps:
S701: the authorization module sends an authorization information acquisition request.
The authorization information acquisition request carries the injected deployment environment digest.
When the application needs to acquire the authorization license file, it calls a method in the License-SDK, which sends an authorization information acquisition request to the configuration center.
The authorization information acquisition request may specifically be an HTTP request.
S702: the PAAS platform (configuration center) returns the authorization license file and the authorization remaining time.
As mentioned above, the authorization license file may include a plurality of content items, such as authorization size, authorization function, authorization time, deployment environment digest.
For different security considerations, some or all of the content items in the authorization license file returned by the configuration center may be encrypted using a private key.
Specifically, the configuration center may maintain the correspondence between the deployment environment digest and each content item (encrypted or not) (see the introduction in step S604). After receiving the authorization information acquisition request, the configuration center can return each content item and the authorization remaining time according to the deployment environment digest in the authorization information acquisition request.
Since the authorization license file is stored in the configuration center and is obtained by the HTTP request, the application can directly obtain the latest authorization license file and the authorization remaining time without any update after the authorization license file is updated.
It should be noted that the authority control logic of the existing software product mainly includes:
1. Periodically checking the status of the authorization license file.
Specifically, the software product needs to parse the authorization license file, extract the deployment environment digest from it, calculate a deployment environment digest from the current deployment environment, and compare the two; if they are inconsistent, it changes the state of the authorization license file to 'unauthorized'.
2. Periodically calculating the authorization remaining time.
Specifically, the software product needs to parse the authorization license file, extract the authorization time from it, and calculate the authorization remaining time according to the authorization time.
Therefore, in the existing authority control scheme, authority control can only be realized if the software product itself implements operations such as parsing the authorization file and extracting the deployment environment digest. Thus, each software product requires the development of the same module code to implement the parsing logic.
Today, with micro-service architecture and containerized deployment being the prevailing approach, the increasing number of software products brings new challenges to authority control:
when the number of software products is large, this repeated work is a waste of resources under the development philosophy of agile development and rapid delivery, and software developers cannot concentrate on their business field.
To solve the above problem, in other embodiments of the present invention, the PAAS platform (the right management unit 13 of the tenant management module) may execute the authority control logic:
1. The PAAS platform periodically calculates the current deployment environment digest of the tenant and compares it with the deployment environment digest in the authorization license file; if they are inconsistent, it changes the state of the authorization license file to 'unauthorized'.
2. The PAAS platform periodically performs signature verification on the authorization license file; if the verification fails, it changes the state of the authorization license file to 'unauthorized'.
For the signature verification, please refer to the above description, which is not repeated herein.
3. The PAAS platform periodically calculates the authorization remaining time according to the authorization time, and returns it when the application sends the authorization information acquisition request.
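The platform-side checks of S613-S615 together with control logic items 1-3 above, as an added Go example that is not code from the patent. The `License` fields, the Ed25519 signature scheme, the index format, stopping every application on expiry (the option described earlier for the PAAS platform) and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"fmt"
	"time"
)

// License is a hypothetical in-memory form of what the configuration center
// holds for one tenant; the field names are assumptions.
type License struct {
	EnvDigest []byte        // deployment environment digest in the license file
	Start     time.Time     // authorization start time
	Duration  time.Duration // authorization duration
	Content   []byte        // signed content of the license file
	Signature []byte        // signature over Content (Ed25519 assumed)
	State     string        // "authorized" or "unauthorized"
}

type App struct {
	ID      string
	Running bool
}

// Report is the outcome of one periodic pass.
type Report struct {
	State     string
	Remaining time.Duration
	Expired   bool
	Stopped   []string
}

// index builds the lookup key (application ID + deployment environment digest).
func index(appID string, digest []byte) string { return appID + "|" + string(digest) }

// Reconcile runs one periodic pass of the authority control logic.
func Reconcile(now time.Time, lic *License, current []byte, signer ed25519.PublicKey,
	apps []*App, registry map[string]string) Report {
	// Item 1: the tenant's current digest must match the one in the license file.
	if subtle.ConstantTimeCompare(current, lic.EnvDigest) != 1 {
		lic.State = "unauthorized"
	}
	// Item 2: the license file must still carry a valid signature.
	if !ed25519.Verify(signer, lic.Content, lic.Signature) {
		lic.State = "unauthorized"
	}
	// Item 3: remaining time = start + duration - now, floored at zero.
	remaining := lic.Start.Add(lic.Duration).Sub(now)
	expired := remaining <= 0
	if expired {
		remaining = 0
	}
	rep := Report{State: lic.State, Remaining: remaining, Expired: expired}
	// S613-S615: stop running applications whose ID is not registered.
	// After expiry every application is stopped (the optional behaviour).
	for _, a := range apps {
		if !a.Running {
			continue
		}
		registered := registry[index(a.ID, lic.EnvDigest)] == a.ID
		if expired || !registered {
			a.Running = false // stands in for stopping the app and releasing resources
			rep.Stopped = append(rep.Stopped, a.ID)
		}
	}
	return rep
}

// Sample returns constructed data: a 90-day license, application 0010
// registered, application 0011 running without registration.
func Sample() (time.Time, *License, ed25519.PublicKey, []*App, map[string]string) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	digest := []byte("constructed-digest-C")
	content := []byte("size=100;function=professional;digest=constructed-digest-C")
	lic := &License{EnvDigest: digest, Start: start, Duration: 90 * 24 * time.Hour,
		Content: content, Signature: ed25519.Sign(priv, content), State: "authorized"}
	apps := []*App{{ID: "0010", Running: true}, {ID: "0011", Running: true}}
	registry := map[string]string{index("0010", digest): "0010"}
	return start, lic, pub, apps, registry
}

func main() {
	start, lic, pub, apps, reg := Sample()
	rep := Reconcile(start.Add(24*time.Hour), lic, lic.EnvDigest, pub, apps, reg)
	fmt.Printf("state=%s remaining=%s stopped=%v\n", rep.State, rep.Remaining, rep.Stopped)
}
```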
In this embodiment, the management right of the authority control is handed over from the software product to the PAAS platform, and the unified authority control is performed on each application under the software product in the tenant environment from the PAAS platform level, so that the reuse rate of the authority control logic code is improved to a great extent, the development manpower of the authority control system is released, and application developers can concentrate more on the service field of the application itself.
In summary, the technical scheme provided by the invention has the following advantages:
1. Unified software authority control management is performed on the applications under a tenant from the PAAS platform tenant level, which reduces the cost for an application to access authority control and releases the human resources each application would spend developing software authority control logic, so that developers can concentrate on their own field.
2. The authorization information is provided to the application by way of a configuration center. When the authorization license file is updated, the application can acquire the latest authorization information through an HTTP request; the application and the authorization control are decoupled, which ensures the stability of the application.
3. The License-SDK on which the application depends ensures, by checking the environment digest, that the PAAS platform on which the application runs is safe and trusted, thereby reducing the risk of application source code leakage.
4. The PAAS platform periodically checks the unique identifier of each controlled application, so that the applications running in the tenant environment are all authorized applications, which improves the utilization rate of tenant resources and the security of the tenant virtual machine.
Fig. 3 shows an exemplary structure of the tenant-level rights management apparatus, including:
the uploading unit 11 is used for receiving the authorization file generated by the authorization system, generating a deployment environment digest according to the authorization file and the software environment of the tenant, and receiving an authorization license file of the tenant; the authorization license file is generated after the deployment environment digest is imported into the authorization system;
a verification unit 12 for verifying the authorization license file;
and the authority management unit 13 is configured to import the verified authorized license file into an application under the tenant, and perform unified authority management on the application deployed under the tenant.
In other embodiments of the present invention, in terms of performing unified rights management on applications deployed under a tenant, the rights management unit 13 may be specifically configured to:
regularly detecting whether each application under a tenant is registered;
and when the unregistered application exists, stopping the unregistered application and releasing the resource occupied by the unregistered application.
For details, please refer to the above description, which is not repeated herein.
In another embodiment of the present invention, referring to fig. 3, the apparatus may further include a registration unit 13.
Registration unit 14 may obtain the deployment environment digest and the public key from configuration center 2 and inject them into the application along with the application ID. The deployment environment digest imported to the application is the first deployment environment digest.
When the application is started, the authorization module embedded in the application is used for:
acquiring an encrypted deployment environment digest from the PAAS platform;
decrypting the encrypted deployment environment digest by using the public key to obtain a second deployment environment digest;
and comparing the first deployment environment digest with the second deployment environment digest, and if the comparison fails, the application fails to start.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, the authorization module is further configured to: if the first deployment environment digest is successfully compared with the second deployment environment digest, use the imported ID to register with the PAAS platform.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in terms of performing unified rights management on applications deployed under a tenant, the rights management unit 13 may be further specifically configured to:
periodically calculating the authorization remaining time of the authorization license file.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in terms of performing unified rights management on applications deployed under a tenant, the rights management unit 13 may be further specifically configured to:
receiving an authorization information acquisition request sent by an authorization module, wherein the authorization information acquisition request carries a deployment environment digest;
searching for the authorization license file and the authorization remaining time that are associated with the deployment environment digest in the authorization information acquisition request;
and returning the found authorization license file and the authorization remaining time to the authorization module.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in terms of performing unified rights management on applications deployed under a tenant, the rights management unit 13 may be further specifically configured to:
regularly comparing whether the current deployment environment digest of the tenant is consistent with the deployment environment digest in the authorization license file;
if not, changing the state of the authorization license file to 'unauthorized';
regularly performing signature verification on the authorization license file, and if the verification fails, changing the state of the authorization license file to 'unauthorized'.
For details, please refer to the above description, which is not repeated herein.
In other embodiments of the present invention, in the aspect of checking the authorization license file, the detecting unit 12 may be specifically configured to:
carrying out format check on a field in the authorization license file;
verifying a signature of contents of the authorized license file;
if the format check is successful and the signature verification is successful, the verification passes; otherwise, the verification fails.
For details, please refer to the above description, which is not repeated herein.
Fig. 8 shows a schematic diagram of a possible structure of the tenant-level rights management apparatus in the above embodiment, which includes: a bus, a processor 1, a memory 2, a communication interface 3, an input device 4, and an output device 5. The processor 1, the memory 2, the communication interface 3, the input device 4, and the output device 5 are connected to each other by a bus. Wherein:
a bus may include a path that transfers information between components of a computer system.
The processor 1 may be a general-purpose processor, such as a general-purpose Central Processing Unit (CPU), a Network Processor (NP), or a microprocessor, or it may be an application-specific integrated circuit (ASIC) or one or more integrated circuits for controlling the execution of the program according to the present invention. It may also be a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
The memory 2 stores programs or scripts for executing the technical solution of the present invention, and may also store an operating system and other key services. In particular, the program may include program code including computer operating instructions. Scripts are typically saved as text (e.g., ASCII) and are interpreted or compiled only when called.
The input device 4 may include means for receiving data and information input by a user, such as a keyboard, mouse, camera, voice input means, touch screen, etc.
The output device 5 may comprise means allowing output of information to a user, such as a display screen, a loudspeaker, etc.
The communication interface 3 may include any transceiver-like device for communicating with other devices or communication networks, such as Ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN) or the like.
The processor 1 can implement the tenant-level rights management method provided by the above-described embodiment by executing the program stored in the memory 2 and calling other devices.
The functions of the respective units of the tenant-level authority management device shown in fig. 3 can be realized by the processor 1 executing the program stored in the memory 2 and calling other devices.
Those of skill would further appreciate that the various illustrative components and model steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or model described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. A tenant-level authority management method is applied to a PAAS platform and is characterized by comprising the following steps:
receiving an authorization file generated by an authorization system;
generating a deployment environment digest according to the authorization file and the software environment of the tenant;
receiving an authorization license file of a tenant; the authorization license file is generated after the deployment environment digest is imported into the authorization system;
verifying the authorization license file;
importing the verified authorization license file into the application under the tenant, and performing unified authority management on the application deployed under the tenant;
an authorization module is embedded in the application under the tenant, and the authorization module is loaded when the application is started;
the unified rights management further includes:
receiving an authorization information acquisition request sent by the authorization module, wherein the authorization information acquisition request carries a deployment environment digest; searching for the authorization license file and the authorization remaining time that are associated with the deployment environment digest in the authorization information acquisition request; returning the found authorization license file and the authorization remaining time to the authorization module;
importing a public key associated with the deployment environment digest and an Identification (ID) of the application to the application under the tenant; the deployment environment digest imported to the application is a first deployment environment digest; when the application is started, an authorization module embedded in the application is used for:
obtaining an encrypted deployment environment digest from the PAAS platform; decrypting the encrypted deployment environment digest by using the public key to obtain a second deployment environment digest; and comparing the first deployment environment digest with the second deployment environment digest, and if the comparison fails, the application fails to start.
2. The method of claim 1, wherein the unified rights management of applications deployed under the tenant comprises:
regularly detecting whether each application under the tenant is registered;
and when the unregistered application exists, stopping the unregistered application and releasing the resource occupied by the unregistered application.
3. The method of claim 2, wherein the unified rights management of applications deployed under the tenant further comprises:
the authorization remaining time of the authorization license file is periodically calculated.
4. The method of any of claims 1 to 3, wherein the unified rights management further comprises:
periodically checking whether the current deployment environment digest of the tenant is consistent with the deployment environment digest in the authorization license file;
if not, changing the state of the authorization license file to 'unauthorized';
and periodically performing signature verification on the authorization license file, and if the verification fails, changing the state of the authorization license file to 'unauthorized'.
5. The method of claim 1, wherein said verifying the authorization license file comprises:
carrying out format check on fields in the authorization license file;
verifying a signature of contents of the authorized license file;
if the format check succeeds and the signature verification succeeds, the verification passes; otherwise, the verification fails.
6. The method of claim 1, wherein the authorization module is further used for: if the first deployment environment digest is successfully compared with the second deployment environment digest, registering with the PAAS platform using the imported ID.
7. A tenant-level rights management apparatus, comprising:
an uploading unit, used for receiving the authorization file generated by the authorization system, generating a deployment environment digest according to the authorization file and the software environment of the tenant, and receiving an authorization license file of the tenant; wherein the authorization license file is generated after the deployment environment digest is imported into the authorization system;
a verification unit for verifying the authorization license file;
a rights management unit, used for importing the verified authorization license file into the application under the tenant and performing unified rights management on the applications deployed under the tenant;
an authorization module is embedded in the application under the tenant, and the authorization module is loaded when the application is started;
in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is further specifically configured to: receive an authorization information acquisition request sent by the authorization module, wherein the authorization information acquisition request carries a deployment environment digest; search for the authorization license file and the authorization remaining time associated with the deployment environment digest in the authorization information acquisition request; and return the found authorization license file and the authorization remaining time to the authorization module;
importing a public key associated with the deployment environment digest and an identification (ID) of the application into the application under the tenant; the deployment environment digest imported into the application is a first deployment environment digest; when the application is started, the authorization module embedded in the application is used for:
obtaining an encrypted deployment environment digest from the PAAS platform; decrypting the encrypted deployment environment digest by using the public key to obtain a second deployment environment digest; and comparing the first deployment environment digest with the second deployment environment digest, and if the comparison fails, the application fails to start.
8. The apparatus of claim 7,
in the aspect of performing unified rights management on the application deployed under the tenant, the rights management unit is specifically configured to:
regularly detecting whether each application under the tenant is registered;
and when the unregistered application exists, stopping the unregistered application and releasing the resource occupied by the unregistered application.
9. The apparatus of claim 7, wherein in terms of the unified rights management of applications deployed under the tenant, the rights management unit is further specifically configured to:
the authorization remaining time of the authorization license file is periodically calculated.
10. The apparatus according to any one of claims 7-9, wherein in terms of the unified rights management of applications deployed under the tenant, the rights management unit is further specifically configured to:
periodically checking whether the current deployment environment digest of the tenant is consistent with the deployment environment digest in the authorization license file;
if not, changing the state of the authorization license file to 'unauthorized';
and periodically performing signature verification on the authorization license file, and if the verification fails, changing the state of the authorization license file to 'unauthorized'.
11. A tenant-level rights management device comprising at least a processor and a memory; the processor performs the method of any one of claims 1 to 6 by executing a program stored in the memory and invoking other devices.
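The start-up comparison of claims 1 and 6 and the periodic digest comparison of claim 4, sketched as an added example that is not code from the patent. The SHA-256 digest construction, the dictionary fields and every function name are assumptions; the RSA key is a constructed toy built from public Mersenne primes and used without padding so the block runs on the standard library alone, whereas a real deployment would use a standard padded signature scheme.

```python
import hashlib
import hmac

# Constructed toy RSA key (assumption): two public Mersenne primes, trivially
# factorable, chosen only so that the example needs no third-party library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept on the platform side


def environment_digest(auth_file: bytes, software_env: str) -> bytes:
    """Digest over the authorization file and the tenant's software environment."""
    return hashlib.sha256(auth_file + b"\x00" + software_env.encode()).digest()


def platform_encrypt_digest(digest: bytes) -> int:
    """Platform side: transform the digest with the private key."""
    return pow(int.from_bytes(digest, "big"), D, N)


def recover_digest(encrypted: int) -> bytes:
    """Authorization module: 'decrypt' with the public key (E, N)."""
    m = pow(encrypted, E, N)
    if m.bit_length() > 256:
        return b""  # not a 32-byte digest, so the comparison below fails
    return m.to_bytes(32, "big")


def startup_check(first_digest: bytes, encrypted: int, app_id: str, registry: set) -> bool:
    """Compare first and second digests; register the app only on a match."""
    second_digest = recover_digest(encrypted)
    if not hmac.compare_digest(first_digest, second_digest):  # constant-time
        return False  # the application fails to start
    registry.add(app_id)  # register with the imported ID
    return True


def periodic_environment_check(license_state: dict, current_digest: bytes) -> str:
    """Mark the license 'unauthorized' when the environment digest has drifted."""
    if not hmac.compare_digest(license_state["env_digest"], current_digest):
        license_state["status"] = "unauthorized"
    return license_state["status"]
```
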
CN201910938470.5A 2019-09-30 2019-09-30 Tenant-level authority management method, device and equipment Active CN110708310B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910938470.5A CN110708310B (en) 2019-09-30 2019-09-30 Tenant-level authority management method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910938470.5A CN110708310B (en) 2019-09-30 2019-09-30 Tenant-level authority management method, device and equipment

Publications (2)

Publication Number Publication Date
CN110708310A CN110708310A (en) 2020-01-17
CN110708310B true CN110708310B (en) 2022-02-08

Family

ID=69197991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910938470.5A Active CN110708310B (en) 2019-09-30 2019-09-30 Tenant-level authority management method, device and equipment

Country Status (1)

Country Link
CN (1) CN110708310B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112596740A (en) * 2020-12-28 2021-04-02 北京千方科技股份有限公司 Program deployment method and device
CN113515726B (en) * 2021-06-23 2022-03-25 北京顶象技术有限公司 Method and device for preventing enterprise product authorization file from leaking
CN114221769B (en) * 2021-11-12 2023-06-02 联奕科技股份有限公司 Method and device for controlling software authorization permission based on container

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102324009A (en) * 2011-09-07 2012-01-18 上海普元信息技术股份有限公司 Software copyright control system based on cloud computing platform and method thereof
CN108667886A (en) * 2017-04-01 2018-10-16 华为技术有限公司 The method, management system and cloud computing service framework of PaaS services are provided
CN109255208A (en) * 2018-09-04 2019-01-22 山东浪潮云投信息科技有限公司 A kind of authorization method and system of software service product
CN109274731A (en) * 2018-09-04 2019-01-25 北京京东金融科技控股有限公司 Deployment, call method and the device of web services based on multi-tenant technology
CN109542403A (en) * 2018-10-12 2019-03-29 浙江托普云农科技股份有限公司 A kind of project integrated system and project integrated approach based on agriculture Internet of Things PaaS cloud platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11399025B2 (en) * 2018-01-26 2022-07-26 Vmware, Inc. Role-template-based batch management of tenant-specific roles and rights in a computing system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
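Research and Application of a Cloud Resource Management *** Based on an Open-Source Platform; 张远; China Master's Theses Full-text Database, Information Science and Technology; 20160315; full text *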

Also Published As

Publication number Publication date
CN110708310A (en) 2020-01-17

Similar Documents

Publication Publication Date Title
KR101740256B1 (en) Apparatus for mobile app integrity assurance and method thereof
US9262598B1 (en) Digital rights management for applications
CN110708310B (en) Tenant-level authority management method, device and equipment
CN109274652B (en) Identity information verification system, method and device and computer storage medium
WO2022073264A1 (en) Systems and methods for secure and fast machine learning inference in trusted execution environment
JPH11355264A (en) Host system element for international cryptographic system
US20090089881A1 (en) Methods of licensing software programs and protecting them from unauthorized use
CN111262889A (en) Authority authentication method, device, equipment and medium for cloud service
CN111079091A (en) Software security management method and device, terminal and server
US20140282876A1 (en) Method and system for restricting the operation of applications to authorized domains
CN104202296A (en) Trusted security enhancement method for domestic operating system
BR112018004760B1 (en) METHODS AND DEVICES FOR RECORDING AND AUTHENTICATION OF INFORMATION
WO2014150737A2 (en) Method and system for enabling the federation of unrelated applications
US9129098B2 (en) Methods of protecting software programs from unauthorized use
CN111159657A (en) Application program authentication method and system
CN114448648B (en) Sensitive credential management method and system based on RPA
US20110154436A1 (en) Provider Management Methods and Systems for a Portable Device Running Android Platform
AU2010336503B2 (en) Securing execution of computational resources
KR20190128534A (en) Method for combining trusted execution environments for functional extension and method for applying fido u2f for supporting business process
KR101294866B1 (en) Development environment management system and development environment management method thereof
CN111597577A (en) Function menu loading method, function menu loading device and terminal equipment
Rivera-Dourado DebAuthn: a Relying Party Implementation as a WebAuthn Authenticator Debugging Tool
CN115310105A (en) Resource request processing method and device based on block chain and server
CN113836560A (en) Information processing method, device, equipment and storage medium
CN117574368A (en) Method for combining offline static code analysis and cloud analysis vulnerability scanning report

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant