CN111177755A - Method and device for processing data permission in report application, computer equipment and computer storage medium - Google Patents

Method and device for processing data permission in report application, computer equipment and computer storage medium Download PDF

Info

Publication number
CN111177755A
CN111177755A CN201911355582.4A CN201911355582A CN111177755A CN 111177755 A CN111177755 A CN 111177755A CN 201911355582 A CN201911355582 A CN 201911355582A CN 111177755 A CN111177755 A CN 111177755A
Authority
CN
China
Prior art keywords
user
application
report
service
service system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911355582.4A
Other languages
Chinese (zh)
Inventor
曾庆权
张凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Ping An Medical Health Technology Service Co Ltd
Original Assignee
Ping An Medical and Healthcare Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Medical and Healthcare Management Co Ltd filed Critical Ping An Medical and Healthcare Management Co Ltd
Priority to CN201911355582.4A priority Critical patent/CN111177755A/en
Publication of CN111177755A publication Critical patent/CN111177755A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3065Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3089Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F11/3093Configuration details thereof, e.g. installation, enabling, spatial arrangement of the probes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/865Monitoring of software
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method and a device for processing data permission in report application and a computer storage medium, and relates to the technical field of computers, so that the report application can still provide services for a plurality of systems after being separated from a spring boot, and logs of each system can be printed independently, thereby being beneficial to problem troubleshooting. The method comprises the following steps: monitoring and intercepting an access request sent by an unknown source user to a report application through a front-end service, authenticating an application service corresponding to the unknown source user, wherein the front-end service and the report application are packaged in an application container engine together, and the application container engine only exposes a front-end service port; if the service system corresponding to the unknown source user has the access right of the report application, extracting a user identifier from the user information carried by the access request, and calling a user management system to inquire the user data right matched with the user identifier; and acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to a user.

Description

Method and device for processing data permission in report application, computer equipment and computer storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for processing data permissions in report application, a computer device, and a computer storage medium.
Background
In the big data era, it becomes important to extract useful data from mass data and display the data in a more humanized and intuitive manner. The report application can simply apply the data of the multi-service system, and the data is collected in one report, so that more data are applied to operation analysis and service management and control.
The report application has a user management system of its own, which is maintained locally on the host, if the user management system is opened, two identical user management systems need to be maintained at the same time, which is not practical (the user name and password of each user cannot be obtained), so the user management system needs to be closed. And because the report application is a packaged product, the report application cannot interact with other applications by using a routing mechanism, and report data calling can only depend on the report application to connect with a database to inquire according to a user name transmitted when the report is accessed, so that each report has a period of inquiry data authority processing time, the experience of a user using the report application is influenced, and the report can be obtained by external applications through splicing urls in the process of transmitting the user name, thereby causing potential safety hazards.
In the prior art, a war packet formed by a reporting application and a spring boot application is simultaneously placed in a tomcat container, so that the coupling between the reporting application and the spring boot application can be realized. However, two problems exist after the coupling, on one hand, the coupling process needs to combine the report application with the portal to become an independent system, so that the service cannot be provided for a plurality of systems, and the flexibility of the report application docking is reduced; on the other hand, the report application and the spring boot project are two services essentially, and a large number of logs are packaged in one file after being coupled together, so that the problem troubleshooting is not facilitated.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for processing data permissions in a reporting application, a computer device, and a computer storage medium, and mainly aims to solve the problems that at present, after the reporting application is coupled with a springboot, a service cannot be provided to a plurality of systems, and the unified printing of log files is not beneficial to problem troubleshooting.
According to one aspect of the invention, a method for processing data authority in report application is provided, which comprises the following steps:
monitoring and intercepting an access request sent by an unknown source user to a report application through a front-end service, and authenticating a service system corresponding to the unknown source user, wherein the front-end service and the report application are packaged in an application container engine together, and the application container engine only exposes a front-end service port;
if the service system corresponding to the unknown source user has the access right of the report application, extracting the user information in the access request, and calling a user management system to inquire the user data right matched with the user information;
and acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to the user.
Further, the authenticating the service system corresponding to the unknown source user specifically includes:
extracting request header information from an access request sent by the unknown source user to the report application;
if the request header information records an authentication field, judging whether the decrypted authentication field is an expected field or not based on a public configuration file generated in advance in the pre-service, and authenticating the service system corresponding to the unknown source user.
Further, the public configuration file stores a legal field corresponding to each service system access report application, the legal field is an expected field after being decrypted, the public configuration file pre-generated in the pre-service judges whether the authentication field is an expected field after being decrypted, and the service system corresponding to the unknown source user is authenticated, specifically including:
extracting a legal field corresponding to a service system accessing report application from a public configuration file generated in advance in the preposed service;
and decrypting the legal field, judging whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field, and authenticating the service system corresponding to the unknown source user.
Further, after decrypting the legal field, determining whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field, and authenticating the service system corresponding to the unknown source user, the method further includes:
if not, determining that the service system corresponding to the unknown source user does not have the access authority of the report application;
and if so, determining that the service system corresponding to the unknown source user has the access right of the report application.
Further, after extracting the request header information from the access request of the report application sent by the unknown source user, the method also comprises
And if no custom field is recorded in the request header information, determining that the service system corresponding to the unknown source user does not have the access authority of the report application.
Further, before the monitoring and intercepting an access request for a report application sent by an unknown source user through a front-end service and authenticating a service system corresponding to the unknown source user, the method further includes:
the prepositive service is connected with a registration center at regular time, system information of each service system is obtained from the registration center, a public configuration file is generated according to the system information of each service system, and the registration center stores the system information of the service systems when each service system is registered.
Further, the storing, in the user management system, a plurality of association mapping tables between user information and user data permissions, extracting the user information in the access request, and invoking the user management system to query the user data permissions matched with the user information specifically includes:
reading a token identification carried by the access request, and acquiring user information according to the token identification;
and calling a plurality of association mapping tables in the user management system to inquire the user data authority matched with the field description of the user according to the field description of the user in the user information.
According to another aspect of the present invention, there is provided an apparatus for processing data permissions in a reporting application, the apparatus comprising:
the system comprises an authentication unit, a report application management unit and a report application management unit, wherein the authentication unit is used for monitoring and intercepting an access request sent by an unknown source user to the report application through a front-end service, authenticating a service system corresponding to the unknown source user, packaging the front-end service and the report application together in an application container engine, and only exposing a front-end service port by the application container engine;
the query unit is used for extracting the user information in the access request and calling a user management system to query the user data authority matched with the user information if the service system corresponding to the unknown source user has the access authority of the report application;
and the sending unit is used for acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to the user.
Further, the authentication unit includes:
the extraction module is used for extracting request header information from an access request of the report application sent by the unknown source user;
and the authentication module is used for judging whether the decrypted authentication field is an expected field or not based on a public configuration file generated in advance in the pre-service if the authentication field is recorded in the request header information, and authenticating the service system corresponding to the unknown source user.
Further, the public configuration file stores legal fields corresponding to each service system access report application, the legal fields are expected fields after being decrypted, and the authentication module comprises:
the extraction submodule is used for extracting a legal field corresponding to a service system accessing the report application from a public configuration file generated in advance in the preposed service;
and the authentication submodule is used for decrypting the legal field, judging whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field or not, and authenticating the service system corresponding to the unknown source user.
Further, the apparatus further comprises:
a determining unit, configured to determine, after decrypting the valid field, whether a field decrypted by the authentication field is consistent with a field decrypted by the valid field, authenticate the service system corresponding to the unknown source user, and if the field decrypted by the authentication field is inconsistent with the field decrypted by the valid field, determine that the service system corresponding to the unknown source user does not have an access right of the report application; (ii) a
The determining unit is further configured to determine that the service system corresponding to the unknown source user has the access right of the report application if the field decrypted by the authentication field is consistent with the field decrypted by the legal field.
Further, the determining unit is further configured to, after extracting request header information from the access request for the report application sent by the unknown source user, determine that the service system corresponding to the unknown source user does not have the access right of the report application if a custom field is not recorded in the request header information.
Further, the apparatus further comprises:
the acquisition unit is used for connecting the preposed service with a registration center at regular time before monitoring and intercepting an access request of an unknown source user for sending a report application and authenticating a service system corresponding to the unknown source user through the preposed service, acquiring system information of each service system from the registration center, generating a public configuration file according to the system information of each service system, and storing the system information of the service system when each service system is registered by the registration center.
Further, the user management system stores a plurality of association mapping tables between user information and user data rights, and the querying unit includes:
the reading module is used for reading the token identification carried by the access request and acquiring user information according to the token identification;
and the query module is used for calling a plurality of association mapping tables in the user management system to query the user data authority matched with the field description of the user according to the field description of the user in the user information.
According to yet another aspect of the present invention, there is provided a computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of the method for processing data permissions in a reporting application when executing the computer program.
According to a further aspect of the present invention, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of a method of processing data permissions in a reporting application.
By the technical scheme, the invention provides a method and a device for processing data authority in report application, monitoring and intercepting an access request sent by an unknown source user to the report application through a preposed service, the service system corresponding to the unknown source user is authenticated, because the preposed service and the report application are packaged in the application container engine together, and the application engine only exposes the prepositive service port, so that the prepositive service can still be connected with a plurality of systems after being separated from the report application, and the log of each system can be printed independently, which is beneficial to the problem troubleshooting, if the unknown source user has the access right of report application, the user information in the access request is extracted, the user management system is invoked to inquire the user data right matched with the user information, and based on the user data authority, report data of corresponding data authority is obtained from the report application and displayed to the user. Compared with the method for processing the data authority in the report application in the prior art, the method has the advantages that the prepositive service separated from the report application is added, so that the prepositive service can be communicated with the service system accessing the report application, the service system accessing the report application is authenticated, the safety of the access operation of the report application is improved, after the service system is determined to have the access authority of the report application, the report data with the corresponding authority is further acquired from the report application based on the user data authority, and a user cannot acquire the report data which does not belong to the authority of the user in the report application without passing the right.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for processing data permissions in a report application according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another method for processing data permissions in a reporting application according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a process of data permissions in a reporting application according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating a device for processing data permissions in a reporting application according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram illustrating a device for processing data permissions in a reporting application according to another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the invention provides a method for processing data permission in report application, which can enable the report application to still provide services for a plurality of systems after being separated from a spring boot, and a log of each system can be independently printed, thereby being beneficial to problem troubleshooting, as shown in figure 1, the method comprises the following steps:
101. and monitoring and intercepting an access request sent by an unknown source user to report application through a front-end service, and authenticating a service system corresponding to the unknown source user.
The front-end service can be a spring boot with a monitoring spring application development function, and can be used by a construction system of any project. Due to the adoption of a cluster mode of a plurality of spring boots, each spring boot application can be routed to the report application of the local machine through the designated routing rule, so that the influence of a network environment on an access request is reduced, the routing time is saved, and the user experience is optimized.
It can be understood that the prepositive service is separated from the report application, and the logs can be designated to be printed in different files through the prepositive service without arranging a large number of logs, so that troubleshooting is facilitated when problems occur.
It should be noted that, in order to perform unified management on the service system accessing the report application and the user, the pre-service uses the application container engine to manage the access right of the report application, and the application container engine and the report application are packaged together in the application container engine, and the application container engine only exposes the pre-service port, so that the service system accessing the report application needs to pass through the pre-service in advance, and the service system corresponding to the unknown source user is authenticated through the pre-service, so that the unknown source user cannot directly access the report application by means of concatenating urls.
102. And if the service system corresponding to the unknown source user has the access right of the report application, extracting the user information in the access request, and calling a user management system to inquire the user data right matched with the user information.
For the embodiment of the invention, in the process of starting the preposed service, in order to ensure the safety of the interface calling of the service system, the interface access of each service system is authenticated with authority, so that the service system passing the authentication can access the report application, the authentication of the service system can be carried out through a public configuration file pre-generated by the preposed service in a configuration center, the public configuration file records legal fields carried by each service system for sending the access request, and only the service system authenticated by the legal fields has the access authority of the report application.
The user management system stores a plurality of association mapping tables between the user information and the user data authority, and the user data authority can be obtained by searching the user data authority matched with the user information in the plurality of association mapping tables.
It can be understood that the user data authority is bound to the user and the service system corresponding to the user, and the user data authority can determine which report data in the report service the user has, for example, the service system a can only access the report data in province a, the service system B can access the report data in province B by user m, the service system B can access the report data in province c by user n, and the service system p can access both the report data in province B and the report data in province c.
103. And acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to the user.
It can be understood that, in the process of accessing the report application by the service system, the report application allocates its own report space to each user according to the name of the user and the name of the service system, for example, the report data of the a service system is allocated to the a interval, the report data of the a service system is allocated to the first block, and the report data of the B service system is allocated to the B interval, so that the report data of each service system and the users in each service system are isolated and cannot affect each other, and each user can only see the report data of the service system.
For the embodiment of the invention, after the report data of the corresponding data authority is obtained from the report application, the report data is rendered to be displayed to the user, so that the block of obtaining the data authority forms a black box structure, and even if some users bypass the authentication of the service system, the report data without the authority in the report application can not be obtained.
The embodiment of the invention provides a method for processing data authority in report application, which monitors and intercepts an access request of an unknown source user for the report application through a preposed service, the service system corresponding to the unknown source user is authenticated, because the preposed service and the report application are packaged in the application container engine together, and the application engine only exposes the prepositive service port, so that the prepositive service can still be connected with a plurality of systems after being separated from the report application, and the log of each system can be printed independently, which is beneficial to the problem troubleshooting, if the unknown source user has the access right of report application, the user information in the access request is extracted, the user management system is invoked to inquire the user data right matched with the user information, and based on the user data authority, report data of corresponding data authority is obtained from the report application and displayed to the user. Compared with the method for processing the data authority in the report application in the prior art, the method has the advantages that the prepositive service separated from the report application is added, so that the prepositive service can be communicated with the service system accessing the report application, the service system accessing the report application is authenticated, the safety of the access operation of the report application is improved, after the service system is determined to have the access authority of the report application, the report data with the corresponding authority is further acquired from the report application based on the user data authority, and a user cannot acquire the report data which does not belong to the authority of the user in the report application without passing the right.
An embodiment of the present invention provides another method for processing data permissions in a reporting application, which can enable the reporting application to still provide services to multiple systems after being separated from a spring boot, and a log of each system can be printed separately, which is beneficial to problem troubleshooting, and as shown in fig. 2, the method includes:
201. monitoring and intercepting an access request sent by an unknown source user to the report application through a front-end service, and extracting request header information from the access request sent by the unknown source user to the report application.
It can be understood that, the authentication operation performed on the service system in the pre-posed service is to essentially intercept, by the pre-posed service, an access request of a user with an unknown source to the reporting application on the basis that the user sends the access request to the reporting application, so that the user without access right and the service system corresponding to the user cannot access the reporting service, thereby preventing the user from accessing the pre-posed application to acquire the reporting data by using a browser or a host connected to a deployed application network through a url splicing operation.
For the embodiment of the present invention, in order to authenticate each service system, the front-end service may connect to the registry at regular time, and the registry may store the system information of the service system when each service system registers, further obtain the system information of each service system from the registry, for example, the ip, the port, the start-stop state, and the like of the service system, and further generate the public configuration file according to the system information of each service system. Specifically, in the application process, all service systems register and store system information of the service systems in an Eureka Server registration center in a registration mode, the preposed service interacts with other service systems such as a user management system and the like through zuul and Eureka to acquire the system information of the service systems and generate a public configuration file, and therefore in the report application process of requesting access to the service systems, the preposed service intercepts access requests and authenticates the access requests based on the public configuration file.
Specifically, in the process of authenticating each service system, a plurality of authentication methods may be used, for example, a signature method is used to authenticate the interface and the identity of the requesting user is used to authenticate, since the authentication methods all require the request header information of the access request, the request header information is further extracted from the access request, and each service system is authenticated according to the request header information.
202a, if the request header information records an authentication field, extracting a legal field corresponding to a service system accessing report application from a public configuration file generated in advance in the pre-service.
For the embodiment of the invention, the service system is authenticated through the authentication field recorded in the request header information, if the authentication field is recorded in the request header information, the service system cannot be explained to have the authority of accessing the report form application, and the service system needs to be further authenticated after the legal field of the service system is extracted from the public configuration file.
202b, if no custom field is recorded in the request header information, determining that the service system corresponding to the unknown source user does not have the access authority of the report application.
For the embodiment of the invention, the service system is authenticated through the authentication field recorded in the request header information, and if the authentication field is not recorded in the request header information, the service system does not have the access authority of the report application.
203a, decrypting the legal field, judging whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field, and authenticating the service system corresponding to the unknown source user.
In order to ensure the security of the authentication field and the legal field in the access request, the authentication field in the access request is encrypted, and the legal field in the public configuration file is also encrypted, so that the legal field and the authentication field need to be decrypted and compared in the authentication process of the service system corresponding to the unknown source user, so that the service system without access authority cannot access the report application.
204a, if the access permissions of the report application are consistent, determining that the service system corresponding to the unknown source user has the access permission of the report application.
204 a' and if not, determining that the service system corresponding to the unknown source user does not have the access authority of the report application.
205a, reading the token identification carried by the access request, and obtaining the user information according to the token identification.
For the embodiment of the invention, the front-end service can authenticate the service system corresponding to the unknown source user, and can also determine the authority of the report application corresponding to the user to acquire data after determining that the service system corresponding to the unknown source user has the access authority of the report application, namely the authority of the user to acquire which data in the report application.
Because the access request sent by the user carries a token identifier, the token identifier is an object used for describing a process or thread security context, and information contained in the token identifier is identity and authority information of the process or thread related to the user information, for example, a Security Identifier (SID) of a user account, a SID of a group to which the user belongs, and an authority table stored by the user or a user group. When the user sends an access request, the user information can be obtained through the token identification.
206a, according to the field description of the user in the user information, calling a plurality of association mapping tables in the user management system to inquire the user data authority matched with the field description of the user.
For the embodiment of the present invention, the user information records field descriptions of the user, such as user identification, user personal information, user creation time, user access times, and the like. The user management system stores a plurality of association mapping tables between user information and user data authority, such as role table, group table, user authority table, group authority table, user table, etc., and each association mapping table establishes association relationship through the field description of the user, each user can be attributed to 0-n role, may belong to 0-n groups, and in addition to the user having the right itself, the group in which the user is located also has the right, in order to classify and manage a plurality of users with similar rights, a role is defined for each user, such as system administrators, administration, users, visitors, etc., each group has group data rights, each person has personal data rights, by invoking multiple association maps in the user management system, the user data authority matched with the field description of the user can be inquired, and the user authority can be group data authority or personal data authority.
207a, based on the user data authority, obtaining report data of corresponding data authority from the report application, and sending the report data to a user.
In the embodiment of the invention, the authentication operation of the report access application of the service system and the user data authority management operation are processed by the preposed service through the interaction among the report application, the preposed service, each service system, the registration center and the user management system, so that the problem that the service systems corresponding to the report access application are difficult to unify is solved, and the access request processing speed of the report application is improved to a certain extent.
The specific interaction relationship among the report application, the pre-service, each service system, the registry, and the user management system may be as shown in fig. 3, and the specific steps are as follows: before intercepting an access request sent by each user in a preposed service, interacting with a registration center, acquiring system information of each service system in advance to generate a public configuration file, processing the access requests to obtain the user and the service system from which the access request comes, authenticating the service system, calling a user management system after determining that the service system has the access request of a report application to obtain user data authority (only a certain province, a certain city and the like can be seen), packaging the user data authority and sending the user data authority to the report application, and the report application obtains corresponding report data from a database according to the user data authority and renders the report data into a report to be returned.
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present invention provides a device for processing data permissions in a report application, and as shown in fig. 4, the device includes: authentication unit 31, inquiry unit 32, and sending unit 33.
The authentication unit 31 may be configured to monitor and intercept an access request sent by an unknown source user to a report application through a pre-service, and authenticate a service system corresponding to the unknown source user, where the pre-service and the report application are packaged in an application container engine together, and the application container engine exposes only a pre-service port;
the query unit 32 may be configured to, if the service system corresponding to the unknown source user has an access right of a report application, extract user information in the access request, and invoke a user management system to query a user data right matched with the user information;
the sending unit 33 may be configured to obtain report data with corresponding data permission from the report application based on the user data permission, and send the report data to the user.
The device for processing the data authority in the report application, provided by the embodiment of the invention, monitors and intercepts the access request of an unknown source user to the report application through the preposed service, the service system corresponding to the unknown source user is authenticated, because the preposed service and the report application are packaged in the application container engine together, and the application engine only exposes the prepositive service port, so that the prepositive service can still be connected with a plurality of systems after being separated from the report application, and the log of each system can be printed independently, which is beneficial to the problem troubleshooting, if the unknown source user has the access right of report application, the user information in the access request is extracted, the user management system is invoked to inquire the user data right matched with the user information, and based on the user data authority, report data of corresponding data authority is obtained from the report application and displayed to the user. Compared with the method for processing the data authority in the report application in the prior art, the method has the advantages that the prepositive service separated from the report application is added, so that the prepositive service can be communicated with the service system accessing the report application, the service system accessing the report application is authenticated, the safety of the access operation of the report application is improved, after the service system is determined to have the access authority of the report application, the report data with the corresponding authority is further acquired from the report application based on the user data authority, and a user cannot acquire the report data which does not belong to the authority of the user in the report application without passing the right.
As a further description of the processing apparatus for processing data authority in the reporting application shown in fig. 4, fig. 5 is a schematic structural diagram of another processing apparatus for processing data authority in the reporting application according to an embodiment of the present invention, and as shown in fig. 5, the authentication unit 31 includes:
the extracting module 311 may be configured to extract request header information from an access request sent by the user with the unknown source to the reporting application;
the authentication module 312 may be configured to, if an authentication field is recorded in the request header information, determine whether the decrypted authentication field is an expected field based on a public configuration file pre-generated in the pre-service, and authenticate the service system corresponding to the unknown source user.
Further, the public configuration file stores a legal field corresponding to each service system access report application, the legal field is an expected field after being decrypted, and the authentication module 312 includes:
the extraction submodule 3121 may be configured to extract, from a public configuration file pre-generated in the pre-service, a legal field corresponding to a service system accessing the report application;
the authentication sub-module 3122 may be configured to decrypt the valid field, determine whether the field decrypted by the authentication field is consistent with the field decrypted by the valid field, and authenticate the service system corresponding to the unknown source user.
Further, the apparatus further comprises:
a determining unit 34, configured to determine, after decrypting the valid field, whether a field decrypted by the authentication field is consistent with a field decrypted by the valid field, authenticate the service system corresponding to the unknown source user, and if the field decrypted by the authentication field is inconsistent with the field decrypted by the valid field, determine that the service system corresponding to the unknown source user does not have an access right of the report application; (ii) a
The determining unit 34 may be further configured to determine that the service system corresponding to the unknown source user has the access right of the report application if the field decrypted by the authentication field is consistent with the field decrypted by the legal field.
Further, the determining unit 34 may be further configured to, after extracting request header information from the access request for the report application sent by the unknown source user, determine that the service system corresponding to the unknown source user does not have the access right of the report application if no custom field is recorded in the request header information.
Further, the apparatus further comprises:
the obtaining unit 35 may be configured to, before the monitoring and intercepting of the access request for the report application sent by the unknown source user through the pre-service and the authentication of the service system corresponding to the unknown source user, obtain, by the pre-service, system information of each service system from the registry through a timed connection with the registry, generate a public configuration file according to the system information of each service system, and store, by the registry, the system information of the service system when each service system is registered.
Further, a plurality of association mapping tables between the user information and the user data authority are stored in the user management system, and the querying unit 32 includes:
the reading module 321 may be configured to read a token identifier carried by the access request, and obtain user information according to the token identifier;
the query module 322 may be configured to invoke, according to the field description of the user in the user information, a plurality of association mapping tables in the user management system to query the user data right matching with the field description of the user.
It should be noted that other corresponding descriptions of the functional units related to the processing apparatus for data permissions in a report application provided in this embodiment may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for processing the data permissions in the reporting application shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 4 and fig. 5, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the entity device includes a storage medium and a processor; a storage medium for storing a computer program; and a processor, configured to execute a computer program to implement the method for processing data permissions in the reporting application shown in fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
Those skilled in the art will understand that the physical device structure of the processing apparatus for data authority in the reporting application provided in this embodiment does not constitute a limitation to the physical device, and may include more or fewer components, or combine some components, or arrange different components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the computer device described above, supporting the operation of information handling programs and other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme, compared with the prior art, the method and the device have the advantages that the prepositive service separated from the report application is added, so that the prepositive service can be communicated with the service system accessing the report application, the service system accessing the report application is authenticated, the safety of the access operation of the report application is improved, after the service system is determined to have the access authority of the report application, the report data with the corresponding authority is further acquired from the report application based on the user data authority, and a user cannot acquire the report data which does not belong to the authority of the user in the report application without passing the right.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (10)

1. A method for processing data authority in report application is characterized in that the method comprises the following steps:
monitoring and intercepting an access request sent by an unknown source user to a report application through a front-end service, and authenticating a service system corresponding to the unknown source user, wherein the front-end service and the report application are packaged in an application container engine together, and the application container engine only exposes a front-end service port;
if the service system corresponding to the unknown source user has the access right of the report application, extracting the user information in the access request, and calling a user management system to inquire the user data right matched with the user information;
and acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to the user.
2. The method according to claim 1, wherein authenticating the service system corresponding to the unknown source user specifically comprises:
extracting request header information from an access request sent by the unknown source user to the report application;
if the request header information records an authentication field, judging whether the decrypted authentication field is an expected field or not based on a public configuration file generated in advance in the pre-service, and authenticating the service system corresponding to the unknown source user.
3. The method according to claim 2, wherein the public configuration file stores legal fields corresponding to each service system access report application, the legal fields are expected fields after decryption, and the method determines whether the authentication fields are expected fields after decryption based on the public configuration file pre-generated in the pre-service, and authenticates the service system corresponding to the unknown source user, specifically comprising:
extracting a legal field corresponding to a service system accessing report application from a public configuration file generated in advance in the preposed service;
and decrypting the legal field, judging whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field, and authenticating the service system corresponding to the unknown source user.
4. The method according to claim 2, wherein after decrypting the legal field, determining whether the field decrypted by the authentication field is consistent with the field decrypted by the legal field, and authenticating the service system corresponding to the unknown source user, the method further comprises:
if not, determining that the service system corresponding to the unknown source user does not have the access authority of the report application;
and if so, determining that the service system corresponding to the unknown source user has the access right of the report application.
5. The method of claim 2, wherein after said extracting request header information from said access request to said reporting application sent by said unknown source user, said method further comprises
And if no custom field is recorded in the request header information, determining that the service system corresponding to the unknown source user does not have the access authority of the report application.
6. The method according to any one of claims 1 to 5, wherein before the monitoring and intercepting, by a pre-service, an access request for a reporting application sent by an unknown source user and authenticating a service system corresponding to the unknown source user, the method further comprises:
the prepositive service is connected with a registration center at regular time, system information of each service system is obtained from the registration center, a public configuration file is generated according to the system information of each service system, and the registration center stores the system information of the service systems when each service system is registered.
7. The method according to claim 1, wherein the user management system stores a plurality of association mapping tables between user information and user data permissions, and the extracting the user information in the access request and invoking the user management system to query the user data permissions matching with the user information specifically includes:
reading a token identification carried by the access request, and acquiring user information according to the token identification;
and calling a plurality of association mapping tables in the user management system to inquire the user data authority matched with the field description of the user according to the field description of the user in the user information.
8. An apparatus for processing data permissions in a reporting application, the apparatus comprising:
the system comprises an authentication unit, a report application management unit and a report application management unit, wherein the authentication unit is used for monitoring and intercepting an access request sent by an unknown source user to the report application through a front-end service, authenticating a service system corresponding to the unknown source user, packaging the front-end service and the report application together in an application container engine, and only exposing a front-end service port by the application container engine;
the query unit is used for extracting the user information in the access request and calling a user management system to query the user data authority matched with the user information if the service system corresponding to the unknown source user has the access authority of the report application;
and the sending unit is used for acquiring report data of corresponding data authority from the report application based on the user data authority, and sending the report data to the user.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer storage medium on which a computer program is stored, characterized in that the computer program, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN201911355582.4A 2019-12-25 2019-12-25 Method and device for processing data permission in report application, computer equipment and computer storage medium Pending CN111177755A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911355582.4A CN111177755A (en) 2019-12-25 2019-12-25 Method and device for processing data permission in report application, computer equipment and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911355582.4A CN111177755A (en) 2019-12-25 2019-12-25 Method and device for processing data permission in report application, computer equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN111177755A true CN111177755A (en) 2020-05-19

Family

ID=70650448

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911355582.4A Pending CN111177755A (en) 2019-12-25 2019-12-25 Method and device for processing data permission in report application, computer equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN111177755A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113138999A (en) * 2021-05-12 2021-07-20 泰康保险集团股份有限公司 Data processing method and device, computer storage medium and electronic equipment
CN113765876A (en) * 2020-11-30 2021-12-07 北京沃东天骏信息技术有限公司 Report processing software access method and device
CN116663070A (en) * 2023-08-01 2023-08-29 和创(北京)科技股份有限公司 Data authority control method, system, equipment and medium based on AOP engine

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101216817A (en) * 2007-12-29 2008-07-09 中国建设银行股份有限公司 Heterogeneous report form integration and centralized management device and system
CN101345758A (en) * 2008-08-14 2009-01-14 中兴通讯股份有限公司 Report normalization processing method, apparatus and system
CN101753335A (en) * 2008-12-11 2010-06-23 多友科技(北京)有限公司 Implementation method of statistical statement in enterprise instant communication system
CN102509163A (en) * 2011-11-21 2012-06-20 山东浪潮齐鲁软件产业股份有限公司 Realization method for unified management and centralized check of enterprise report
CN108830701A (en) * 2018-06-25 2018-11-16 美味不用等(上海)信息科技股份有限公司 Decentralization financial statement system
CN109325053A (en) * 2018-06-29 2019-02-12 平安科技(深圳)有限公司 Data processing method, device and the computer readable storage medium of reporting system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101216817A (en) * 2007-12-29 2008-07-09 中国建设银行股份有限公司 Heterogeneous report form integration and centralized management device and system
CN101345758A (en) * 2008-08-14 2009-01-14 中兴通讯股份有限公司 Report normalization processing method, apparatus and system
CN101753335A (en) * 2008-12-11 2010-06-23 多友科技(北京)有限公司 Implementation method of statistical statement in enterprise instant communication system
CN102509163A (en) * 2011-11-21 2012-06-20 山东浪潮齐鲁软件产业股份有限公司 Realization method for unified management and centralized check of enterprise report
CN108830701A (en) * 2018-06-25 2018-11-16 美味不用等(上海)信息科技股份有限公司 Decentralization financial statement system
CN109325053A (en) * 2018-06-29 2019-02-12 平安科技(深圳)有限公司 Data processing method, device and the computer readable storage medium of reporting system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765876A (en) * 2020-11-30 2021-12-07 北京沃东天骏信息技术有限公司 Report processing software access method and device
CN113138999A (en) * 2021-05-12 2021-07-20 泰康保险集团股份有限公司 Data processing method and device, computer storage medium and electronic equipment
CN113138999B (en) * 2021-05-12 2023-11-17 泰康保险集团股份有限公司 Data processing method and device, computer storage medium and electronic equipment
CN116663070A (en) * 2023-08-01 2023-08-29 和创(北京)科技股份有限公司 Data authority control method, system, equipment and medium based on AOP engine

Similar Documents

Publication Publication Date Title
AU2017323588B2 (en) Systems and methods for providing identity assurance for decentralized applications
US9992176B2 (en) Systems and methods for encrypted communication in a secure network
US9191384B2 (en) Maintaining privacy in a multi-tenant cloud service participating in a federated identity platform
KR101720160B1 (en) Authenticated database connectivity for unattended applications
US10135623B2 (en) Method and system for checking revocation status of digital certificates in a virtualization environment
CN106657010B (en) Method, device and system for accessing data
CN106657014B (en) Method, device and system for accessing data
CN111177755A (en) Method and device for processing data permission in report application, computer equipment and computer storage medium
US8977857B1 (en) System and method for granting access to protected information on a remote server
CN102404314A (en) Remote resources single-point sign on
US9059987B1 (en) Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
US9443067B1 (en) System for the distribution and deployment of applications, with provisions for security and policy conformance
US9087181B2 (en) Method of managing virtual computer, computer system and computer
CN112507320A (en) Access control method, device, system, electronic equipment and storage medium
US8601544B1 (en) Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms
US10880295B2 (en) Access control in a computer system
JP5485452B1 (en) Key management system, key management method, user terminal, key generation management device, and program
Chen et al. A self-sovereign decentralized identity platform based on blockchain
JP2003345752A (en) Authentication management server and program
CN112416525B (en) Device driver initialization method, direct storage access method and related device
CA3098369C (en) Method and system for implementing a virtual smart card service
US9240988B1 (en) Computer system employing dual-band authentication
JP2002073562A (en) Method and device for accessing plural sites by single user password
CN107612918B (en) The method that rsa encryption storage is carried out to data dictionary information
CN107704775B (en) The method that AES encryption storage is carried out to navigation data information

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20220530

Address after: 518000 China Aviation Center 2901, No. 1018, Huafu Road, Huahang community, Huaqiang North Street, Futian District, Shenzhen, Guangdong Province

Applicant after: Shenzhen Ping An medical and Health Technology Service Co.,Ltd.

Address before: Room 12G, Area H, 666 Beijing East Road, Huangpu District, Shanghai 200001

Applicant before: PING AN MEDICAL AND HEALTHCARE MANAGEMENT Co.,Ltd.