CN113806724A - Method and device for processing user login request - Google Patents


Info

Publication number: CN113806724A
Authority: CN (China)
Prior art keywords: user, role, authentication, login request, authentication mode
Legal status: Granted (Active)
Application number: CN202111147392.0A
Other languages: Chinese (zh)
Other versions: CN113806724B (en)
Inventors: 韦月, 陆永贵
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202111147392.0A; published as CN113806724A; granted and published as CN113806724B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/44 Program or device authentication
    • G06F 21/31 User authentication


Abstract

The disclosure relates to a processing method and device for a user login request, electronic equipment and a computer readable medium. The method comprises the following steps: acquiring a login request of a user; extracting an authentication mode of the user based on the login request; acquiring role identification based on the authentication mode; determining a target resource group according to the role identification; and processing the login request of the user based on the target resource group. The processing method and device for the user login request, the electronic equipment and the computer readable medium can effectively combine level management and authority management, improve user login efficiency, improve network operation efficiency and improve quality of configuration management.

Description

Method and device for processing user login request
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method and an apparatus for processing a user login request, an electronic device, and a computer-readable medium.
Background
Authority management generally means that, according to the security rules or security policies set by a system, a user can access the authorized resources and only those resources, no more. Rights management exists in almost any system that has users and passwords. A poorly designed authority management system leaves loopholes in the system that attackers can exploit. In many software systems, unauthorized data can be obtained without authorization through URL intrusion, SQL injection and similar means, and system data may even be modified or deleted, causing huge losses. Many systems, especially those built with hard-coded methods, have authority logic tightly coupled to the service code and scattered throughout the system. Such systems inevitably have many vulnerabilities, and their number grows as the system is continually modified. In a well-designed system, the authority logic should be centralized, with its configuration and evaluation handled by a dedicated security engine; the service logic calls the security engine to obtain the authority result instead of handling authorization in an ad hoc manner.
As the platform user base grows, application functions become richer and customers' usage requirements change. When there are high requirements for configuring and managing multiple resource authorities, the original user group-user-resource group structure of the SSL VPN, even with its performance optimized, still suffers from repeated and tedious configuration operations, and the boundary between user management and authority management is fuzzy.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a method and an apparatus for processing a user login request, an electronic device, and a computer readable medium, which can effectively combine level management and authority management, improve user login efficiency, improve network operation efficiency, and improve quality of configuration management.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a method for processing a user login request is provided, where the method includes: acquiring a login request of a user; extracting an authentication mode of the user based on the login request; acquiring role identification based on the authentication mode; determining a target resource group according to the role identification; and processing the login request of the user based on the target resource group.
In an exemplary embodiment of the present disclosure, acquiring a role identifier based on the authentication manner includes: when the authentication mode of the user is an authentication-free mode, determining the role identification of the user based on the global configuration information.
In an exemplary embodiment of the present disclosure, acquiring a role identifier based on the authentication manner includes: when the authentication mode of the user is a local authentication mode, acquiring local configuration information based on an authentication function; and determining the role identification based on the configuration information.
In an exemplary embodiment of the present disclosure, acquiring a role identifier based on the authentication manner includes: when the authentication mode of the user is a RADIUS authentication mode, carrying out RADIUS authentication on the user; and after the RADIUS authentication is passed, extracting the role identification based on a response message of the RADIUS server.
In an exemplary embodiment of the present disclosure, acquiring a role identifier based on the authentication manner includes: when the authentication mode of the user is an LDAP authentication mode, carrying out LDAP authentication on the user; and after the LDAP authentication is passed, extracting the role identification based on the response message of the LDAP server.
In an exemplary embodiment of the present disclosure, acquiring a role identifier based on the authentication manner includes: when the authentication mode of the user is a TACACS+ authentication mode, a WEB authentication mode or a 4A authentication mode, extracting the role identification according to the configuration information.
In an exemplary embodiment of the present disclosure, determining a target resource group according to the role identifier includes: generating a role set based on the role identifications, wherein the role set comprises at least one role identification; merging and de-duplicating the at least one role identifier in the role set; and extracting the target resource group according to the role set.
In an exemplary embodiment of the present disclosure, extracting the target resource group according to the role set includes: generating a database query statement according to the at least one role identifier in the role set; acquiring the target resource group based on the database query statement; and storing the target resource group into a preset array.
In an exemplary embodiment of the present disclosure, processing a login request of the user based on the target resource group includes: acquiring resource content based on the target resource group; and writing the resource content into the online information of the user so as to facilitate the user to operate.
According to an aspect of the present disclosure, an apparatus for processing a user login request is provided, the apparatus including: the login module is used for acquiring a login request of a user; the authentication module is used for extracting the authentication mode of the user based on the login request; the role module is used for acquiring role identification based on the authentication mode; the resource module is used for determining a target resource group according to the role identifier; and the processing module is used for processing the login request of the user based on the target resource group.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; storage means for storing one or more programs; when executed by one or more processors, cause the one or more processors to implement a method as above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
A role-based user login authorization method is used for a system that adopts SSL VPN to realize remote access; the method comprises the following steps: establishing a corresponding relation among a user, an authentication mode and a role, and establishing a corresponding relation between the role and a resource group; receiving a login request sent by a client; judging whether the login request needs to be authenticated: if authentication is needed, authenticating according to the authentication mode of the login request, and obtaining the role corresponding to the user after the authentication succeeds; if authentication is not needed, acquiring the role corresponding to the authentication-free user; and then acquiring the corresponding resource group according to the role. A corresponding relation is also established between the user and the user group, and between the user group and the role. When the authentication mode is local authentication, the user can choose to inherit the role of the corresponding user group. When the authentication mode is remote authentication, the authentication data in the login request is sent to the authentication server for authentication and the authentication result sent back by the authentication server is received. After the authentication succeeds, if the user has no corresponding role, the default role configured for the authentication mode is acquired. Remote authentication comprises the RADIUS and LDAP authentication modes. When the user acquires a plurality of roles, the roles are merged and then de-duplicated.
According to the user login authorization method and system based on the role, firstly, a role concept is introduced to bind a resource group and the role, the role can be independently associated with a user or a user group, the user can select to inherit the role of the user group, the association relation between the user group and the user in the authority management is reasonably weakened through the structural configuration, and the boundary of the user level management and the authority management can be clearly defined. Secondly, the hierarchical relationship between the user group and the user can be embodied through the corresponding relationship between the user group and the user, and the hierarchical relationship can be effectively combined with the authority management. Moreover, the default roles are bound by configuring multiple authentication modes, so that the processing requirements of login requests of different types of clients can be met, and the expandability of the system can be enhanced. In addition, the corresponding optimization is performed on the code level based on the existing database query efficiency and role specification, and the database query times are reduced so as to improve the system operation efficiency.
According to the processing method and device for the user login request, the electronic equipment and the computer readable medium, the login request of the user is obtained; extracting an authentication mode of the user based on the login request; acquiring role identification based on the authentication mode; determining a target resource group according to the role identification; the mode of processing the login request of the user based on the target resource group can effectively combine level management and authority management, thereby improving the login efficiency of the user, improving the network operation efficiency and improving the quality of configuration management.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a system block diagram illustrating a method and an apparatus for processing a user login request according to an exemplary embodiment.
Fig. 2 is a flowchart illustrating a method for processing a user login request according to an exemplary embodiment.
Fig. 3 is a schematic diagram illustrating a method for processing a user login request according to another exemplary embodiment.
Fig. 4 is a flowchart illustrating a method for processing a user login request according to another exemplary embodiment.
Fig. 5 is a block diagram illustrating a device for processing a user login request according to an example embodiment.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 7 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The technical abbreviations involved in this disclosure are explained as follows:
SSL VPN: VPN technology that establishes a remote secure access channel based on the Secure Sockets Layer (SSL).
Resource group: a collection of resources that may be accessed.
Role: a set of resource groups; by associating a role with a user or a user group, the corresponding authority is granted to the user.
User: the SSL VPN login entity, which logs in through the VPN client and establishes a connection with the server using an account and a password.
User group: the level division established for SSL VPN users; roles, address pools and the like can be set for users in batches, which facilitates unified management.
As described above, the original user group-user-resource group structure of the SSL VPN, even if optimized to be better in performance, still has the problems of operation repetition and complexity in configuration, and the boundary between user management and rights management is relatively fuzzy. To solve this problem, the prior art introduces the concept of roles, isolating the rights from the user management.
The original user group-user-resource group structure can only grant resource permissions to users by configuring resource groups for user groups, with users associated to those user groups; in actual use, however, a user may need specific permissions that the user group does not need. With the concept of roles, a resource group is bound to a role, and a role can be independently associated with a user group or a user, which reasonably weakens the authority relationship between user groups and users and cleanly separates level management from authority management; at the same time, a user can choose to inherit the roles of the user group, which reflects the hierarchical relationship between user groups and users and combines it effectively with authority management. In terms of operation efficiency, since configuring user groups, users and roles may involve some time-consuming database operations, the data structure is optimized accordingly at the code level.
In the prior art, after a role concept is introduced, the following three schemes exist:
RBAC0 (user, role, rights):
The simplest user, role and authority model. The user-role relation can take two forms: many-to-one or many-to-many. If the system function is simple, the number of users is small, the authority of each post is relatively clear, and one person never holds several posts, the first (many-to-one) model can be used. In other cases, the many-to-many model should be used as far as possible to ensure the expandability of the system.
RBAC1 (RBAC0 plus sub-roles):
Compared with the RBAC0 model, sub-roles are added and the concept of inheritance is introduced, so that a sub-role inherits all the authority of its parent role. Suppose a department has three posts: manager, supervisor and ordinary employee. The authority of the supervisor cannot exceed that of the manager, and the authority of the ordinary employee cannot exceed that of the supervisor. If RBAC0 is used to design the authority system, authority is likely to be assigned incorrectly, so that the supervisor holds authority the manager does not have. The RBAC1 model solves this problem, with the hierarchical relationship embodied by the roles.
RBAC2 (constraints introduced on the basis of RBAC0):
On the basis of the RBAC0 model, role mutual exclusion, cardinality constraints, prerequisite roles and the like are added. Role mutual exclusion means that the same user cannot be assigned to several roles in a group of mutually exclusive roles, where mutually exclusive roles are two roles whose permissions restrict each other; a cardinality constraint limits the number of users assigned to a role, that is, how many users can own the role; a prerequisite role means that a role must already hold the lower-level authority before it can obtain higher authority; run-time mutual exclusion allows a user to have multiple roles but not to activate mutually exclusive roles at run time.
The three schemes are models designed around users, roles and authorities, and their level management relies on the inheritance of sub-roles. In an organization that emphasizes organizational structure and where the superior-subordinate hierarchy is relatively weak, such as the user management of the current SSL VPN, the concept of sub-roles has little significance or effect, and adding roles with their inheritance on top of the user-user group-resource group structure is not a moderate scheme in terms of either design implementation or configuration upgrade.
The processing method of the user login request is based on an authority management scheme of roles, authentication modes and levels, and introduces a role-based authority control mechanism on top of the user-user group-resource group structure. In terms of level management, the user-user group structure is retained, so the method is concise and clear; in terms of authority control, the authority of resource groups is bound to roles, the relationship between user groups and users is decoupled, default roles are bound to the supported authentication modes, and expandability is enhanced; in terms of operation efficiency, the time delay caused by database operations during configuration and display is optimized; a user can choose to inherit the role of the user group or can be configured with roles independently, so that level management and authority control are effectively combined, and scenarios with high requirements on the definition of user authority can be supported.
The following is a detailed description with the aid of specific examples.
Fig. 1 is a system block diagram illustrating a method and an apparatus for processing a user login request according to an exemplary embodiment.
As shown in fig. 1, the system architecture 10 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server that provides various services, such as a background management server that provides login support for shopping websites browsed by users using the terminal devices 101, 102, and 103. The background management server can process the received login request and feed back a processing result (whether login is successful or not and user authority) to the terminal equipment.
The server 105 may, for example, obtain a login request of the user; the server 105 may extract the authentication mode of the user, for example, based on the login request; server 105 may obtain a role identification, e.g., based on the authentication means; the server 105 can determine a set of target resources, for example, from the role identification; the server 105 can process the user's login request, for example, based on the set of target resources.
The server 105 may be a server of one entity, or may be composed of a plurality of servers, for example, a part of the server 105 may be used to assist a user to log in; a portion of the server 105 may also be used, for example, to configure the user's rights.
It should be noted that, the processing method of the user login request provided by the embodiment of the present disclosure may be executed by the server 105, and accordingly, a processing device of the user login request may be disposed in the server 105. The requesting end provided for the user to send the login request is generally located in the terminal devices 101, 102, and 103.
Fig. 2 is a flowchart illustrating a method for processing a user login request according to an exemplary embodiment. The processing method 20 of the user login request at least includes steps S202 to S210.
As shown in fig. 2, in S202, a login request of a user is obtained. The user can submit a login request on the preset application, and the background server of the preset application acquires and processes the login request.
The preset application may be various applications such as shopping application, data processing application, office application, etc., and the present application is not limited thereto.
In S204, the authentication mode of the user is extracted based on the login request. The authentication mode of the user is determined from the message information in the login request; the authentication mode may be local authentication, RADIUS authentication, LDAP authentication, TACACS+ authentication, WEB authentication, 4A authentication, authentication-free and the like.
RADIUS is a protocol with a client/server structure. Its client was initially an NAS (Network Access Server), and any computer running RADIUS client software can become a RADIUS client. The authentication mechanism of the RADIUS protocol is flexible and can use PAP, CHAP, Unix login authentication or other modes. The services it covers include ordinary telephone Internet access, ADSL Internet access, community broadband Internet access, IP telephony, VPDN (Virtual Private Dial-up Network, a service based on dial-up users), mobile phone prepayment and the like. The IEEE 802.1x standard, a port-based standard for access authentication to wireless networks, also uses the RADIUS protocol for authentication.
LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol; LDAP directories store data in a tree-like hierarchical structure.
WEB authentication requires no special client software, which reduces the workload of network maintenance, and can provide service authentication such as a Portal. First, an address is allocated to the user for accessing the portal website; the user types a user name and password in the login window, and the RADIUS client then authenticates against the RADIUS server. If the authentication passes, the client is triggered to initiate an address allocation request again, and an address that can access the extranet is allocated to the user. When the user goes offline, an offline request is initiated through the client.
4A stands for Authentication, Authorization, Accounting and Audit; its Chinese name is the unified security management platform solution. Identity authentication, authorization, accounting and auditing are defined as the four major components of network security, which establishes the status and role of identity authentication in the overall network security system.
In S206, the role identifier is obtained based on the authentication method.
In one embodiment, when the authentication mode of the user is an authentication-free mode, the role identification of the user is determined based on the global configuration information.
In one embodiment, when the authentication mode of the user is a local authentication mode, local configuration information is acquired based on an authentication function; determining a role identification based on the configuration information.
In one embodiment, when the authentication mode of a user is a RADIUS authentication mode, RADIUS authentication is carried out on the user; and after the RADIUS authentication is passed, extracting the role identification based on a response message of the RADIUS server.
In one embodiment, when the authentication mode of a user is an LDAP authentication mode, LDAP authentication is performed on the user; and after the LDAP authentication is passed, the role identification is extracted based on the response message of the LDAP server.
In one embodiment, when the authentication mode of the user is a TACACS+ authentication mode, a WEB authentication mode or a 4A authentication mode, the role identifier is extracted according to the configuration information.
In S208, a target resource group is determined from the role identifier. For example, a role set including at least one role identifier may be generated from the role identifiers; the role identifiers in the role set are merged and de-duplicated; and the target resource group is extracted according to the role set.
In S210, the login request of the user is processed based on the target resource group. For example, resource content can be obtained from the target resource group and written into the online information of the user, so that the user can operate on it.
According to this method of processing a user login request, the login request of the user is obtained; the authentication mode of the user is extracted from the login request; the role identifier is obtained based on the authentication mode; the target resource group is determined from the role identifier; and the login request is processed based on the target resource group. This effectively combines hierarchy management with permission management, which improves user login efficiency, network operation efficiency and the quality of configuration management.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a schematic diagram illustrating a method for processing a user login request according to another exemplary embodiment.
According to the method, roles are matched through different processes depending on the authentication mode of the user, and the resource permissions corresponding to the roles are obtained; through user group classification, a user obtains classified permissions by inheriting the roles of its user group.
Role: a role can be configured with multiple resource groups; the resource types of each resource group include IP resources, WEB resources, shortcuts and bulletin messages. Roles can be bound to users, user groups and authentication modes.
Authentication mode: the authentication modes combined with role control in this method are local authentication, RADIUS authentication, LDAP authentication, TACACS+ authentication, WEB authentication, 4A authentication and authentication-free, where authentication-free means authentication without an account password.
User group: the upper layer of the user organization structure; sub-user groups and a tree-structured display are supported, and the direct-access resources, IP address pool and default authentication policy of the users can be configured on the group.
User: the SSL VPN login entity; authentication and resource acquisition are processes performed around the user. The authentication policy, IP address and roles can be configured separately for each user.
Furthermore, as shown in fig. 3, a user requests login from a client. If the authentication-free mode is used, the default role for authentication-free users is obtained, and the corresponding resource group and resource permissions are then obtained from that role;
if local authentication is used, after authentication succeeds the set of roles configured on the user and on the user's groups is obtained (inheriting the user group roles is optional), and the corresponding resource groups and permissions are obtained from those roles;
if RADIUS or LDAP authentication is used, after the user requests login the VPN server sends the login information to the RADIUS server (or LDAP server) for authentication, judges the authentication result and obtains the role name by parsing the corresponding response; if authentication succeeds but no role name is present, the default role configured for that authentication mode is used, and the corresponding permissions are obtained through the role;
after TACACS+ authentication, WEB authentication or 4A authentication succeeds, the flow is the same as for authentication-free. In all authentication flows, if the user ends up with no effective resource after traversal, a prompt that no resource is configured is shown and the user is returned to the login page.
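The RADIUS branch above (and the S206 RADIUS embodiment earlier) says the role name is "extracted from the response message" and that a default role is used when the name is absent. The page does not say which attribute carries the role or whether the reply is validated, so the following is an added example, not the patent's or DPTech's code. It assumes the role name travels in the Filter-Id attribute (type 11) and uses the RFC 2865 packet layout. The check a practitioner wants here is that the Response Authenticator (MD5 over code, identifier, length, the request authenticator, the attributes and the shared secret) and the packet identifier are verified before any attribute is read, so that a spoofed UDP reply cannot hand a user an administrative role. All packets are constructed inline.

```python
"""Verify a RADIUS Access-Accept and extract the role name from it.

Added example, not the patent's code. Assumptions (labelled):
 - the role name is carried in Filter-Id (type 11); the page only says the
   role is "extracted from the response message";
 - RFC 2865 layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attrs,
   ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attrs | Secret).
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11             # assumption: role name travels in Filter-Id
CLASS = 25
HEADER_LEN = 20

# Constructed sample inputs (not captured traffic).
SAMPLE_SECRET = b"sslvpn-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # Request Authenticator we sent
SAMPLE_IDENTIFIER = 7
DEFAULT_ROLE = "vpn-default"             # default role of the RADIUS auth mode


def build_response(code, identifier, request_auth, secret, attrs):
    """Server side: build a response with a valid Response Authenticator.
    attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body):
    """Walk the TLV attribute list, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def role_from_radius_response(packet, identifier, request_auth, secret,
                              default_role=DEFAULT_ROLE):
    """Client side (the VPN server). Returns (accepted, role).

    The identifier and Response Authenticator are checked before any
    attribute is trusted; a reply that fails either check is treated as
    an authentication failure, not as 'accepted with default role'."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    body = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if pkt_id != identifier or not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, None          # forged, replayed or tampered reply
    if code != ACCESS_ACCEPT:
        return False, None
    for t, v in parse_attrs(body):
        if t == FILTER_ID:
            role = v.decode("ascii")
            # Role names later become database keys; keep the charset tight.
            if not role.replace("-", "").replace("_", "").isalnum():
                raise ValueError("unexpected characters in role name")
            return True, role
    return True, default_role       # accepted, no role attribute: default role


def tamper(packet, offset, value):
    """Demo helper: change one byte without recomputing the authenticator."""
    b = bytearray(packet)
    b[offset] = value
    return bytes(b)


if __name__ == "__main__":
    ok = build_response(ACCESS_ACCEPT, SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH,
                        SAMPLE_SECRET, [(FILTER_ID, b"vpn-admin")])
    print(role_from_radius_response(ok, SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    # Flip one byte of the role: the authenticator no longer matches.
    print(role_from_radius_response(tamper(ok, 22, ord("x")), SAMPLE_IDENTIFIER,
                                    SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Note that the MD5-based Response Authenticator only binds the reply to the shared secret and the original request; it does not encrypt the role name, so the RADIUS path should still run over a trusted network or RadSec.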
According to the processing method of the user login request, the organizational relationship can be decoupled, the level management is definite, the authority control is increased, and a network administrator is effectively helped to reasonably distribute user resources, so that the efficiency and the quality of network operation are improved.
Fig. 4 is a flowchart illustrating a method for processing a user login request according to another exemplary embodiment. The flow 40 shown in fig. 4 is a detailed description of "determining a target resource group according to the role identifier" in the flow shown in fig. 2.
As shown in fig. 4, in S402, a role set is generated from the role identifiers; the role set includes at least one role identifier. Users and user groups can be configured with roles independently, and a user can choose to inherit the roles of the user groups it belongs to (a user can belong to at most 8 user groups). Each user group and its corresponding role are displayed in the user information, so an administrator can see at a glance which roles are associated with a user, which helps avoid misconfiguration.
In S404, the at least one role identifier in the role set is merged and de-duplicated. Before the user's permissions are obtained, the roles associated with the user are merged and then de-duplicated, which guarantees the accuracy of the permissions finally obtained.
In S406, a database query statement is generated from the at least one role identifier in the role set. In the configuration, the elements associated with permissions are in many-to-many relationships, and the association is established through element IDs. For example, when a user configuration is submitted, the submitted data is a role name, and the back end must query the role table by role name to obtain the role ID and establish the association with the user. Each user can be assigned multiple roles, and in the original implementation the query statement was executed once for every role ID obtained.
Based on database query efficiency and the role specification, the query statement is optimized: a single batch query statement is generated from all the role identifiers. Operating efficiency is improved by reducing the number of database queries: when role IDs need to be obtained multiple times, the database is queried only once to obtain the resource groups corresponding to all roles.
In S408, the target resource group is obtained based on the database query statement.
In S410, the target resource group is stored in a preset array. All role information of the current system is obtained and stored in the corresponding array, and the required information is looked up by iterating over it.
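S208 and the S402 to S410 flow above describe merging the user's own roles with inherited user-group roles, de-duplicating them, and replacing one query per role ID with a single batch query. The following is an added example of that procedure, not the patent's code: the schema (a role table, a resource_group table and a many-to-many join table keyed by IDs) and all sample rows are assumptions, since the page only says the association is many-to-many via element IDs. Because role names can originate from a RADIUS or LDAP reply, the batch query binds them as parameters rather than formatting them into the statement, and the final step returns None when no effective resource is found, matching the page's "resource not configured" outcome.

```python
"""Merge user and inherited group roles, then fetch all resource groups
for the whole role set with ONE parameterized query.

Added example, not the patent's code. Schema and sample data are assumptions.
"""
import sqlite3

MAX_INHERITED_GROUPS = 8   # the page: a user may belong to at most 8 user groups


def merge_roles(user_roles, group_roles, inherit=True):
    """Union of the user's own roles and (optionally) its groups' roles,
    de-duplicated, first-seen order kept. group_roles maps group -> roles."""
    if inherit and len(group_roles) > MAX_INHERITED_GROUPS:
        raise ValueError("user belongs to more than %d groups" % MAX_INHERITED_GROUPS)
    candidates = list(user_roles)
    if inherit:
        for roles in group_roles.values():
            candidates.extend(roles)
    seen, merged = set(), []
    for role in candidates:
        if role not in seen:
            seen.add(role)
            merged.append(role)
    return merged


def resource_groups_for_roles(conn, role_names):
    """One round trip for the whole role set instead of one query per role.
    Role names may come from an external server's reply, so they are bound
    as parameters; only the placeholder count is formatted into the SQL."""
    if not role_names:
        return []
    placeholders = ",".join("?" * len(role_names))
    sql = (
        "SELECT DISTINCT rg.id, rg.name, rg.kind "
        "FROM role r "
        "JOIN role_resource_group rr ON rr.role_id = r.id "
        "JOIN resource_group rg ON rg.id = rr.resource_group_id "
        "WHERE r.name IN (%s) ORDER BY rg.id" % placeholders
    )
    return conn.execute(sql, list(role_names)).fetchall()


def resolve_login(conn, user_roles, group_roles, inherit=True):
    """Return the array of (id, name, kind) resource groups for the login,
    or None when the user ends up with no effective resource (the page:
    prompt that no resource is configured and return to the login page)."""
    groups = resource_groups_for_roles(conn, merge_roles(user_roles, group_roles, inherit))
    return groups or None


def build_demo_db():
    """Constructed sample configuration (assumed schema, made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
        CREATE TABLE resource_group (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                                     kind TEXT NOT NULL);   -- IP / WEB / shortcut / bulletin
        CREATE TABLE role_resource_group (role_id INTEGER, resource_group_id INTEGER,
                                          PRIMARY KEY (role_id, resource_group_id));
        INSERT INTO role VALUES (1, 'vpn-admin'), (2, 'vpn-user'), (3, 'finance');
        INSERT INTO resource_group VALUES
            (1, 'intranet-ip', 'IP'), (2, 'oa-web', 'WEB'),
            (3, 'admin-console', 'WEB'), (4, 'finance-ip', 'IP');
        INSERT INTO role_resource_group VALUES
            (1, 1), (1, 2), (1, 3),   -- vpn-admin
            (2, 1), (2, 2),           -- vpn-user
            (3, 2), (3, 4);           -- finance
    """)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    # A user with its own role plus two groups; 'vpn-user' appears twice and is merged.
    roles = merge_roles(["vpn-user"], {"g-finance": ["finance", "vpn-user"],
                                       "g-ops": ["vpn-admin"]})
    print(roles, resolve_login(db, ["vpn-user"], {"g-ops": ["vpn-admin"]}))
```

The DISTINCT in the query does the de-duplication on the resource side (two roles that share a resource group yield it once), while merge_roles de-duplicates on the role side, so the number of bound parameters stays bounded by the number of distinct roles rather than by the number of group memberships.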
According to the processing method of the user login request, the level management can be made clear, the authority control is added, and a network administrator is effectively helped to reasonably distribute user resources, so that the efficiency and the quality of network operation are improved.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments may be implemented as computer programs executed by a CPU. When executed by the CPU, the program performs the functions defined by the above methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 5 is a block diagram illustrating a device for processing a user login request according to an example embodiment. As shown in fig. 5, the processing device 50 for user login request includes: a login module 502, an authentication module 504, a role module 506, a resource module 508, and a processing module 510.
The login module 502 is used for acquiring a login request of a user;
the authentication module 504 is configured to extract an authentication manner of the user based on the login request;
the role module 506 is configured to obtain a role identifier based on the authentication manner;
the resource module 508 is configured to determine a target resource group according to the role identifier;
the processing module 510 is configured to process the login request of the user based on the target resource group.
According to this device for processing a user login request, the login request of the user is obtained; the authentication mode of the user is extracted from the login request; the role identifier is obtained based on the authentication mode; the target resource group is determined from the role identifier; and the login request is processed based on the target resource group. This effectively combines hierarchy management with permission management, which improves user login efficiency, network operation efficiency and the quality of configuration management.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 600 according to this embodiment of the disclosure is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present disclosure.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 that connects the various system components (including the storage unit 620 and the processing unit 610), a display unit 640, and the like.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs the steps described in this specification in accordance with various exemplary embodiments of the present disclosure. For example, the processing unit 610 may perform the steps shown in fig. 2 and 4.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 600' (e.g., keyboard, pointing device, bluetooth device, etc.), such that a user can communicate with devices with which the electronic device 600 interacts, and/or any device (e.g., router, modem, etc.) with which the electronic device 600 can communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 7, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the computer readable medium to perform the functions of: acquiring a login request of a user; extracting an authentication mode of the user based on the login request; acquiring role identification based on the authentication mode; determining a target resource group according to the role identification; and processing the login request of the user based on the target resource group.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements, instrumentalities, or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A processing method for a user login request is characterized by comprising the following steps:
acquiring a login request of a user;
extracting an authentication mode of the user based on the login request;
acquiring role identification based on the authentication mode;
determining a target resource group according to the role identification;
and processing the login request of the user based on the target resource group.
2. The processing method of claim 1, wherein obtaining the role identifier based on the authentication manner comprises:
and when the authentication mode of the user is an authentication-free mode, determining the role identification of the user based on the global configuration information.
3. The processing method of claim 1, wherein obtaining the role identifier based on the authentication manner comprises:
when the authentication mode of the user is a local authentication mode, acquiring local configuration information based on an authentication function;
determining a role identification based on the configuration information.
4. The processing method of claim 1, wherein obtaining the role identifier based on the authentication mode comprises:
when the authentication mode of the user is an RADIUS authentication mode, carrying out RADIUS authentication on the user;
and after the RADIUS authentication is passed, extracting the role identification based on a response message of the RADIUS server.
5. The processing method of claim 1, wherein obtaining the role identifier based on the authentication manner comprises:
when the authentication mode of the user is an LDAP authentication mode, carrying out LDAP authentication on the user;
and after the LDAP authentication is passed, extracting the role identification based on the response message of the LDAP server.
6. The processing method of claim 1, wherein obtaining the role identifier based on the authentication manner comprises:
and when the authentication mode of the user is a TACACS+ authentication mode, a WEB authentication mode or a 4A authentication mode, extracting the role identification according to the configuration information.
7. The processing method of claim 1, wherein determining a set of target resources based on the role identifier comprises:
generating a role set based on the role identifications, wherein the role set comprises at least one role identification;
merging and de-duplicating the at least one role identifier in the role set;
and extracting the target resource group according to the role set.
8. The processing method of claim 7, wherein extracting the target resource group according to the role set comprises:
generating a database query statement according to the at least one role identifier in the role set;
acquiring the target resource group based on the database query statement;
and storing the target resource group into a preset array.
9. The processing method of claim 1, wherein processing the user's login request based on the set of target resources comprises:
acquiring resource content based on the target resource group;
and writing the resource content into the online information of the user so as to facilitate the user to operate.
10. A processing device for a user login request, characterized by comprising:
the login module is used for acquiring a login request of a user;
the authentication module is used for extracting the authentication mode of the user based on the login request;
the role module is used for acquiring role identification based on the authentication mode;
the resource module is used for determining a target resource group according to the role identifier;
and the processing module is used for processing the login request of the user based on the target resource group.
CN202111147392.0A 2021-09-29 2021-09-29 User login request processing method and device Active CN113806724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111147392.0A CN113806724B (en) 2021-09-29 2021-09-29 User login request processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111147392.0A CN113806724B (en) 2021-09-29 2021-09-29 User login request processing method and device

Publications (2)

Publication Number Publication Date
CN113806724A true CN113806724A (en) 2021-12-17
CN113806724B CN113806724B (en) 2024-02-09

Family

ID=78897023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111147392.0A Active CN113806724B (en) 2021-09-29 2021-09-29 User login request processing method and device

Country Status (1)

Country Link
CN (1) CN113806724B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120331539A1 (en) * 2011-06-24 2012-12-27 Canon Kabushiki Kaisha Authentication system, authentication method, and storage medium for realizing a multitenant service
CN109598117A (en) * 2018-10-24 2019-04-09 平安科技(深圳)有限公司 Right management method, device, electronic equipment and storage medium
US20190332789A1 (en) * 2018-04-27 2019-10-31 Microsoft Technology Licensing, Llc Hierarchical access rights and role based access
CN110516452A (en) * 2019-08-07 2019-11-29 浙江大搜车软件技术有限公司 RBAC access authorization for resource distribution method, device, electronic equipment and storage medium
CN110692223A (en) * 2017-07-14 2020-01-14 日立数据管理有限公司 Method, apparatus and system for controlling user access to a data storage system
CN110839014A (en) * 2019-10-12 2020-02-25 平安科技(深圳)有限公司 Authentication method, device, computer system and readable storage medium
CN111062028A (en) * 2019-12-13 2020-04-24 腾讯科技(深圳)有限公司 Authority management method and device, storage medium and electronic equipment
CN111367573A (en) * 2020-03-12 2020-07-03 腾讯科技(深圳)有限公司 Equipment login method, device, storage medium and computer equipment
CN111695156A (en) * 2020-06-15 2020-09-22 北京同邦卓益科技有限公司 Service platform access method, device, equipment and storage medium
CN112581257A (en) * 2020-12-15 2021-03-30 中国建设银行股份有限公司 Dispute service management method, system, device and medium supporting different card organizations
CN112714123A (en) * 2020-12-27 2021-04-27 杭州迪普科技股份有限公司 Internet surfing method and device and electronic equipment
CN113282890A (en) * 2021-05-25 2021-08-20 挂号网(杭州)科技有限公司 Resource authorization method, device, electronic equipment and storage medium


Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
一个呆萌の小小程序员: "Do you know about role authorization and authentication in permission management?" (你知道权限管理的角色授权与认证吗?), retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/160175015> *
粟毅 et al.: "Application of SSL VPN technology in mobile e-government *** access" (SSL VPN技术在移动电子政务***接入中的应用), 《智能城市》 (Intelligent City), vol. 4, no. 14, pages 45 - 46 *
迟文德: "Exploration and practice of user identity authentication and access control in cloud computing environments" (云计算环境中用户身份认证及访问控制的探索与实践), 《中国新闻技术工作者联合会2016年学术年会论文集》 (Proceedings of the 2016 Annual Academic Conference of the China Association of Press Technicians), pages 81 - 85 *
郭威: "Design and implementation of unified authentication management for enterprise-level information management *** " (企业级信息管理***认证统一管理的设计与实现), 《南方能源建设》 (Southern Energy Construction), vol. 2, no. 1, pages 242 - 246 *
高龙龙: "Research and implementation of a general enterprise-level application security framework based on the RBAC model" (基于RBAC模型的通用企业级应用安全框架的研究与实现), 《中国优秀硕士学位论文全文数据库》 (China Master's Theses Full-text Database), pages 138 - 336 *

Also Published As

Publication number Publication date
CN113806724B (en) 2024-02-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant